Let’s begin with the current state of cybersecurity in the healthcare industry: Patient data for nearly 5 million individuals was exposed or stolen as a result of roughly 300 data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). And a recent public release of Meltdown & Spectre has rendered virtually every computer system on the planet vulnerable to some extent.

Events of this magnitude, coupled with the frequency of large public breaches, will likely accelerate much-needed change in the healthcare information security space. With that in mind, let’s look at 6 trends in healthcare information security that we’re sure to see in 2018.

1. OCR is Turning Up the Heat

Healthcare companies are being breached at alarming rates, so the Office for Civil Rights – the organization responsible for auditing healthcare entities – is cracking down on requiring a true Healthcare Security Risk Analysis. Many businesses have had a network risk assessment or a partial risk analysis in the hopes that it would appease the HIPAA requirement. Unfortunately for them, an OCR audit bringing fines in the thousands proves this to be a costly mistake. 

IN 2018: More healthcare businesses will remove the guesswork from HIPAA compliance by performing a true, holistic Security Risk Analysis. Some will be motivated by a desire to protect patient data against today’s ever-evolving threats and some will want to avoid steep OCR fines, brand reputation damage, etc.

2. Ransomware is Here to Stay

Ransomware such as Samas/SamSam have continued to target and wreak havoc on many healthcare organizations over the past year. Unfortunately, we don’t expect the madness to slow down anytime soon. Ransomware attacks have proved to be a very profitable endeavor for ill-intentioned cyber criminals everywhere, approaching upwards of $5 billion in estimated damages for 2017 - which is up from $1 billion in 2016.

IN 2018: To maintain control of patient data, we can expect to see healthcare organizations invest in increased protections around primary infection vectors such as email phishing and the patching of critical vulnerabilities.

3. A Little Less Talk, a Lot More Action

Similar to organizations in other industries, healthcare companies have invested heavily in solutions that aim to prevent unauthorized access and threats to the network perimeter. With the number of breaches constantly on the rise, we can expect to see healthcare organizations placing increased focus and attention on detection and response in 2018. While perimeter protections are certainly required, they are no longer sufficient by themselves.

IN 2018: The reality is, there’s only so much you can do to protect your perimeter. Healthcare organizations will likely begin to leverage advanced endpoint detection and response solutions on workstations, servers and other endpoints as they work towards bolstering their breach and incident response programs.

4. Policies Alone Just Don’t Cut It

While policies are a critical part of any robust information security program, healthcare organizations should not rely solely on a policy document when it comes to protecting patient data. Rather, they should complement administrative controls (i.e. policies) with reasonable technical controls. For example, many healthcare organizations have a policy that outlines their patch management practices; however, these same organizations often lack the ability to validate or measure the effectiveness of many of their policies - like patch management. There were many significant breaches in 2017 that can be traced back to missing patches and lack of a vulnerability management program.

IN 2018: We suspect healthcare organizations will ultimately realize that even the best policies can only protect patient data up to a certain point. They will begin to complement policies with appropriate technical controls such as firewalls, antivirus software, email filtering, or anti-malware software.

5. Visibility in Vendor-land

In an effort to offload certain compliance burdens associated with the protection of patient data, many healthcare businesses have opted to move their EHR systems to the cloud. In and of itself, this is not a bad practice. Vendor solutions can often simplify compliance objectives and afford certain protections to patient data that are otherwise more difficult to obtain using in-house infrastructure and resources. While held to the same legal standards, it’s often difficult for healthcare organizations to ascertain if a vendor is protecting patient data in accordance all applicable HIPAA/HITECH laws. As the healthcare industry continues to embrace the benefits of outsourcing, vendors have become an increasingly valuable target for attackers.

IN 2018: We predict that attackers will shift focus away from the healthcare organizations themselves and, instead, place increased focus on the vendors who have been entrusted to protect large amounts of patient data for many organizations.

6. Email: The Gateway for Most Viruses

Employee email accounts are one of the most vulnerable areas of a health care practice. Once compromised, large repositories of patient data are often discovered within employees’ “sent items” folders. When an individual sends a secure email, a copy of the secure email (which often contains patient data) is usually retained within the email account in an unencrypted fashion. Attackers understand the value a single mailbox can hold and, as a result, go to great lengths to gain access to employee mailboxes – which often goes undetected. Any system that stores or provides access to patient data should be protected with a second form of authentication such being required to enter a six-digit code that has been texted to your cell phone.

IN 2018: As the cost of multifactor authentication continues to drop, we predict (and pray) that multifactor authentication will see a significant adoption by the healthcare industry in 2018.

Up Next: 6 Steps to be More Secure

Click here to learn six practical steps that help your organization be more secure in 2018.

Nick VanGilder and Will Enochs lead C Spire Business' Cybersecurity Testing & Consulting services. Learn more about the team here. Robbie Morris is VP of Health Care and Security Solution Services.