Let’s begin with the current state of cybersecurity in the healthcare industry: Patient data for nearly 5 million individuals was exposed or stolen as a result of roughly 300 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). And a recent public release of Meltdown & Spectre
Events of this magnitude, coupled with the frequency of large public breaches, will likely accelerate much-needed change in the healthcare information security space. With that in mind, let’s look at 6 trends in healthcare information security that we’re sure to see in 2018.
1. OCR is Turning Up the Heat
Healthcare companies are being breached at alarming rates, so the Office for Civil Rights – the organization responsible for auditing healthcare entities – is cracking down on requiring a true Healthcare Security Risk Analysis. Many businesses have had a network risk assessment or a partial risk analysis in the hopes that it would appease the HIPAA requirement. Unfortunately for them, an OCR audit bringing fines in the thousands proves this to be a costly mistake.
IN 2018: More healthcare businesses will remove the guesswork from HIPAA compliance by performing a true, holistic Security Risk Analysis. Some will be motivated by a desire to protect patient data against today’s ever-evolving threats and some will want to avoid steep OCR fines, brand reputation damage, etc.
2. Ransomware is Here to Stay
Ransomware such as Samas/SamSam
IN 2018: To maintain control of patient data, we can expect to see healthcare organizations invest in increased protections around primary infection vectors such as email phishing and the patching of critical vulnerabilities.
3. A Little Less Talk, a Lot More Action
Similar to organizations in other industries, healthcare companies have invested heavily in solutions that aim to prevent unauthorized access and threats to the network perimeter. With the number of breaches constantly on the rise, we can expect to see healthcare organizations placing increased focus and attention on detection and response in 2018. While perimeter protections are certainly required, they are no longer sufficient by themselves.
IN 2018: The reality is, there’s only so much you can do to protect your perimeter. Healthcare organizations will likely begin to leverage advanced endpoint detection and response solutions on workstations, servers
4. Policies Alone Just Don’t Cut It
While policies are a critical part of any robust information security program, healthcare organizations should not rely solely on a policy document when it comes to protecting patient data. Rather, they should complement administrative controls (i.e. policies) with reasonable technical controls. For example, many healthcare organizations have a policy that outlines their patch management practices; however, these same organizations often lack the ability to validate or measure the effectiveness of many of their policies - like patch management. There were many significant breaches in 2017 that can be traced back to missing patches and lack of a vulnerability management program.
IN 2018: We suspect healthcare organizations will ultimately realize that even the best policies can only protect patient data up to a certain point. They will begin to complement policies with appropriate technical controls such as firewalls, antivirus software, email filtering, or anti-malware software.
5. Visibility in Vendor-land
In an effort to offload certain compliance burdens associated with the protection of patient data, many healthcare businesses have opted to move their EHR systems to the cloud. In and of itself, this is not a bad practice. Vendor solutions can often simplify compliance objectives and afford certain protections to patient data that are otherwise more difficult to obtain using in-house infrastructure and resources. While held to the same legal standards, it’s often difficult for healthcare organizations to ascertain if a vendor is protecting patient data in accordance all applicable HIPAA/HITECH laws. As the healthcare industry continues to embrace the benefits of outsourcing, vendors have become an increasingly valuable target for attackers.
IN 2018: We predict that attackers will shift focus away from the healthcare organizations themselves and, instead, place increased focus on the vendors who have been entrusted to protect large amounts of patient data for many organizations.
6. Email: The Gateway for Most Viruses
Employee email accounts are one of the most vulnerable areas of a
IN 2018: As the cost of multifactor authentication continues to drop, we predict (and pray) that multifactor authentication will see a significant adoption by the healthcare industry in 2018.
Up Next: 6 Steps to be More Secure
Click here to learn six practical steps that help your organization be more secure in 2018.