BLOG

Blog Post by Brian Selfridge, Partner at CORL Technologies

---

The vision for 2020 healthcare security and privacy is clouded with emerging security threats, compliance and enforcement activity, and rapidly evolving business models and regulatory landscapes. However, we can also see many opportunities on the horizon this year and beyond to improve the industry’s privacy and security protections of healthcare organizations and patient information.

TOP 10 TRENDS FOR 2020 HEALTHCARE PRIVACY & SECURITY

[#1] From IT to Enterprise-Level Focus | In the boardroom, cybersecurity has evolved from an IT-focused technical topic into a mission-critical function required to enable the delivery of safe and effective healthcare. Healthcare entities are beginning to view cybersecurity as a critical component of effective enterprise risk management as security breaches continue to have greater impacts on financials, patient safety, and public trust.

[#2] Ransomware attacks evolve and increase | Ransomware attacks are ramping up into 2020 as attackers are increasingly getting paid for their efforts and a sustainable fraudulent business model is emerging. The attacks have become increasingly aggressive as ransomware peddlers have locked up EHRs and also threatened to release PHI if victim organizations do not pay up.

[#3] Federal and State Regulatory Enforcement Continues | OCR has been active in issuing civil monetary penalties for organizations of all shapes and sizes. December’s fines for 2019 included $2.2 million for Sentara Hospitals and $65k for the West Georgia Ambulance company illustrate that no organization is exempt from HIPAA Security and Breach Notification Rule requirements. GDPR compliance remains a heavy lift and focus area for in-scope organizations. State regulations including the California Consumer Privacy Act and New York’s 23 NYCRR 500 regulation are also requiring attention and introducing new stringent requirements for healthcare entities.

[#4] Third Party Vendor Security Risk Management is Front and Center | Data proliferation continues to mount as healthcare entities share large data sets with a wide variety of third parties to support clinical, business, and innovation business cases. Security teams are struggling to keep up with the volume of audits, assessments, and remediation tracking activities and have turned to managed services, as well as cybersecurity scoring and GRC tools like RiskRecon, BitSight, Archer, ServiceNow, and others to automate and scale vendor security risk processes. Security certifications such as SOC 2 and HITRUST continue to be required for third parties to contract with leading healthcare entities.

[#5] Asset Management, IoT, and Medical Device Security Get More Investment | The industry is shifting from general “awareness” mode of the risks associated with unmanaged endpoints and starting to make concrete investments in tools and processes for IoT, IoMT, and medical device assets. Expect to see most organizations investing in initiatives in 2020 to acquire or explore inventory tools to gain better visibility into unmanaged endpoints and begin to develop more robust programs for securing these platforms this year. Related projects for patch management, network segmentation, and asset management are also trending upward.

[#6] Hacking Attacks Increase and Get More Targeted | Hackers are doing more homework and launching attacks that are targeted to specific individuals in order to gain a foothold for data exfiltration, malware, ransomware, and other malicious purposes. Spear phishing remains a preferred and successful attack method and we can expect to see healthcare entities making more investments in education, training, and awareness programs for the workforce this year.

[#7 & 8] Cybersecurity Talent Shortages and Budgets Constrain Teams | Cybersecurity talent shortages and a hot market for experience means more challenges are expected for recruiting and retaining talent. Budgets are flexing up a bit for capital spend (e.g. tools, products, discrete projects), but are not increasing as rapidly for operating spend for headcount and salary for many organizations. Companies that are looking to hire and invest in people are struggling to locate and retain talent. Organizations will have to build resilient security processes in 2020 that are independent of specific personnel. Companies are also investing more in hiring third party staff augmentation and contracting resources to keep programs moving forward.

[#9] Data Proliferation and Big Data Privacy Concerns Loom | Data is going out in large quantities for a variety of business purposes and is not coming back. Big technology players like Google and Amazon are making large investments in healthcare including amassing huge data sets for purposes that are not all that clear. Privacy concerns loom based on the relatively poor track record of big technology firms to protect patient privacy amidst financial incentives to sell and repurpose healthcare data.

[#10] Mergers, Acquisitions, and Affiliations Drive Complexity | The industry is in a high churn cycle with consolidation in the provider space, payers expanding to the provider sector, and many healthcare entities becoming Business Associates by offering products and services to the market. Expect to see more mergers and affiliations in 2020 that create complexities for merging security and compliance programs, teams, and business models.