So, what can we expect next year? Here are the 11 most significant healthcare information security and privacy events that I predict will occur throughout 2018.
1. Increased occurrences of ransomware and associated ransom costs: Too many organizations pay the ransoms because they lack up-to-date backups, and then the crooks target them again. Every type of business, even the sole-proprietor business, is a target. All organizations need to implement prevention protections and be prepared to respond to ransomware.
2. Increased distributed denial-of-service attacks: DDoS attacks will be more prevalent and more harmful. They will increasingly use "smart" medical devices and other types of internet of things devices. The Mirai and Reaper DDoS botnets demonstrated how IoT devices are used to support large, extended DDoS attacks by exploiting vulnerabilities in wireless routers and IoT devices that have insufficient security controls and default or no credentials. The next DDoS attack will impact larger numbers of devices, exploit more vulnerabilities and span far more locations, including legacy systems.
3. More unsecured, vulnerable medical devices in use: Increased use of smart medical devices increases risks to patient safety, data security and privacy. There will be more incidents and patient harm that occurs as risks increase without improved security. Medical device engineers need to build security and privacy controls into these devices from the earliest engineering plans.
4. General internet of things devices: Other types of IoT devices beyond medical devices are widely used - estimated at 20 percent of networks - within healthcare settings. They are typically not secured, yet they all provide pathways into healthcare facilities and could result in significant harm to patients, in addition to security incidents within the healthcare providers and their business associates.
5. Increased incidents of insiders selling patient data: More insiders will take advantage of their access to valuable data because they know there are few logs of their access to catch them, or they see that no one is reviewing the logs that do exist. All organizations need to establish access monitoring policies and procedures, and consistently act on noncompliance.
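As an added illustration of the access review this item calls for (example code, not from the original article), the script below reads electronic health record access-audit lines and flags any user who touched far more distinct patient records in a day than peers in the same role. The comma-separated log format, the role names and the sample lines are all constructed for the demo; a real deployment would read the EHR system's own audit export and tune the thresholds to its baselines.

```python
"""
Added example, not part of the original article: a minimal review of
EHR access-audit logs to surface insiders who browse or export far more
patient records than their peers. Log format, role names and sample
lines are constructed for the demo.
"""
from collections import defaultdict
from statistics import median

# Constructed sample audit lines: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2018-03-01T08:01:10,nurse01,nurse,P1001,view
2018-03-01T08:05:33,nurse01,nurse,P1002,view
2018-03-01T08:09:02,nurse01,nurse,P1003,view
2018-03-01T08:12:41,nurse02,nurse,P1001,view
2018-03-01T08:15:00,nurse02,nurse,P1004,view
2018-03-01T08:20:12,nurse03,nurse,P1005,view
2018-03-01T08:22:48,nurse03,nurse,P1006,view
2018-03-01T09:00:00,clerk07,billing,P1001,view
2018-03-01T09:00:05,clerk07,billing,P1002,view
2018-03-01T09:00:09,clerk07,billing,P1002,export
2018-03-01T09:00:14,clerk07,billing,P1003,view
2018-03-01T09:00:20,clerk07,billing,P1004,view
2018-03-01T09:00:26,clerk07,billing,P1005,view
2018-03-01T09:00:31,clerk07,billing,P1006,view
2018-03-01T09:00:37,clerk07,billing,P1007,view
2018-03-01T09:00:43,clerk07,billing,P1008,view
2018-03-01T10:30:00,clerk08,billing,P1009,view
2018-03-01T10:45:10,clerk08,billing,P1010,view
2018-03-01T11:02:00,clerk09,billing,P1011,view
2018-03-01T11:10:30,clerk09,billing,P1012,view
"""


def parse_log(text):
    """Parse the assumed CSV audit format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({"ts": ts, "user": user, "role": role,
                        "patient": patient, "action": action})
    return records


def distinct_patients(records):
    """Count distinct patient records touched per (user, role).

    Repeated views of the same patient count once, so a clinician
    re-opening one chart all day is not mistaken for browsing.
    """
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["role"])].add(r["patient"])
    return {key: len(patients) for key, patients in seen.items()}


def flag_outliers(records, factor=3, min_records=5):
    """Return (user, role, count, peer_median) for users whose distinct
    patient count is at least `factor` times the median of their role
    peers (excluding themselves) and at least `min_records` in absolute
    terms, so tiny groups and single-record differences are not flagged.
    Users with no role peers are skipped: there is nothing to baseline
    them against, and they should be reviewed by hand instead.
    """
    counts = distinct_patients(records)
    by_role = defaultdict(dict)
    for (user, role), n in counts.items():
        by_role[role][user] = n

    flagged = []
    for role, users in by_role.items():
        for user, n in users.items():
            peers = [m for u, m in users.items() if u != user]
            if not peers:
                continue
            baseline = float(median(peers))
            if n >= max(min_records, factor * baseline):
                flagged.append((user, role, n, baseline))
    return sorted(flagged)


if __name__ == "__main__":
    for user, role, n, baseline in flag_outliers(parse_log(SAMPLE_LOG)):
        print(f"REVIEW: {user} ({role}) touched {n} distinct patient "
              f"records; peer median is {baseline:.0f}")
```

Run as-is, the script reports only the billing clerk who opened eight distinct charts while peers in the same role opened two each; the nurses stay under the threshold. Peer-relative baselines matter because a legitimate workload differs by role, and the absolute floor keeps small groups from generating noise. The point of item 5 is not the script but the routine: someone has to run a review like this on a schedule and follow up on what it finds.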
6. More breaches from lack of training and awareness: Organizations are providing less training and practically no awareness reminders, which will result in more breaches. Without training, workers will make mistakes and take actions without realizing they are putting PHI at risk. Insiders will exploit this lack of awareness to get away with fraud and other crimes through the misuse of PHI to which they have access. All organizations need to provide more training and awareness reminders.
7. More and larger breaches from business associates: Most BAs I've spoken to, from the largest of cloud services to the smallest of niche services, simply do not think they need to comply with HIPAA and expect their clients to implement all security controls. Most BAs do not have comprehensive information security or privacy programs in place, so larger breaches than ever before will occur within BAs. Covered entities must ensure that their BAs have comprehensive and effective information security and privacy controls in place and that they meet all HIPAA and other applicable legal requirements.
8. Exploitation of old bugs and vulnerabilities: Longstanding systems vulnerabilities will be exploited. Just look at the Heartbleed vulnerability. A large portion of organizations have never patched for it. And it has been exploited in healthcare organizations. Organizations need to get old systems patched or retired.
9. Improper disposal of data and devices: Huge breaches will occur through improper disposal. Too many organizations have shifted all their attention and budget to protecting data as it is collected, leaving no budget or resources to securely dispose of all types of computing and storage devices, as well as all forms of information media, especially printed information. Organizations must ensure secure disposal practices are in place.
10. Increased privacy breaches due to lack of knowledge of restricted uses of personal information: Some large healthcare organizations will be caught inappropriately selling or using patient data without obtaining the legally required patient consents and approvals. The push to use patient data for more purposes is strong from executives and marketers. Organizations need to ensure they are complying with all privacy legal requirements.
11. Non-compliance penalties will increase: Incidents described above, and a wide range of other situations, will result in huge, possibly business-ending noncompliance fines and penalties - not only for HIPAA violations from the Department of Health and Human Services' Office for Civil Rights and all the U.S. state attorneys general, but also from the Federal Trade Commission and as a result of other laws, regulations, standards and contractual requirements, particularly when the EU's General Data Protection Regulation is enforced beginning on May 25, 2018. Many organizations in the U.S. that have EU customers, patients and contracted workers will need to comply with GDPR, but almost all I've spoken with do not understand that they have those legal obligations.