Cybersecurity threats and malicious actors have wreaked havoc across the spectrum of healthcare organizations during 2016. An increase in the number of successful cyber-attacks on providers — along with a heightened focus on compliance from OCR — has left many healthcare leaders struggling to safeguard sensitive patient data.
In the coming year, many entities will evolve to meet this challenge while others will continue to deprioritize cybersecurity. This is a mistake given what is on the horizon for healthcare cybersecurity. We predict healthcare organizations can expect the following five cybersecurity trends in 2017:
1. There Will Be a Double-Digit Increase in Breaches
Malicious actors have turned their focus away from the historically lucrative arenas like the financial industry and have been aggressively targeting healthcare data. As hackers become more advanced and better equipped, healthcare organizations will experience a 10-15% increase in the number of cybersecurity breaches in 2017. Ransomware attacks will increase.
2. Boards Will Ignore the Risk Until They Can’t Anymore
Some healthcare organization boards have already begun managing cybersecurity risk in the same manner as other business risks. Unfortunately, they often become engaged in cybersecurity risk management after a significant event. With that said, we predict that many boards will be content to retain a reactive posture in dealing with cybersecurity concerns. The results will be costly.
3. Civil Litigation Will Increase
We will see significant pressure from civil litigation over breaches of ePHI, with the federal regulations (HIPAA/HITECH) used as a standard of due care. Healthcare and cybersecurity are massive economic growth sectors, drawing the attention of both consumers and attorneys as litigation targets. As consumers have become more regulation-savvy and the legal lay of the land is better understood by attorneys, opportunities to file complaints will increase exponentially.
4. Budgets Won’t Be Big Enough
Given the threat landscape, we believe that most healthcare organizations will outspend their 2017 cybersecurity budgets by over 50%. Most organizations budget too little on cybersecurity and then experience overruns in an attempt to respond to emerging threats.
5. OCR Will Move Toward a National Framework for Healthcare
The Office for Civil Rights will take steps to develop a national framework specific to the healthcare industry that is prescriptive in its requirements in order to guide Covered Entities and Business Associates to the desired end result with regard to protecting sensitive data and ePHI. We feel that the OCR will finally adopt the HITRUST Alliance’s Common Security Framework (CSF) as the national standard or work directly with the National Institute of Standards and Technology (NIST) in developing a new framework that meets the unique needs of the healthcare industry.
The bottom line is that bad actors are more focused on exploiting sensitive healthcare data than ever before. It is time for healthcare to work to outpace cybersecurity threats. A proactive posture is a critical strategic investment. It is imperative that healthcare leaders realize that solving these problems will take the focus and strength of their entire organization. Much like long-term business goals and objectives, healthcare leaders need to develop strategic security roadmaps that will improve their posture over time.
This year, organizations need to take a depth and breadth approach to managing their cybersecurity posture. Here are a few ways you can increase your cybersecurity profile starting now.
First, educate the board. Security begins and ends with executive buy-in. Invest time in making sure boards are informed and involved in order to ensure that the appropriate resources are allocated to cybersecurity. Use internal metrics and industry benchmark data to drive these discussions.
Next, engage the whole organization. Security is NOT just an IT problem; it takes a village. Risk decreases as more people throughout the organization are empowered to identify and respond to threats. Strengthen your employee educational programs to include specifics about phishing and ransomware.
Don’t think of cyber insurance as a safety blanket; active compliance with contractual requirements is key to a strong cybersecurity program. Make sure you start planning for corrective action before a crisis happens. Develop and execute corrective action planning in order to remove vulnerabilities and improve overall cybersecurity posture.
Finally, seek objective outside perspectives. While a strong cybersecurity posture takes a village, consider input from experts outside your organization in order to contribute new perspectives to your efforts.
With no simple fix to this complex problem, it will take collaboration, investment and a comprehensive, ongoing approach to managing cybersecurity risk organization-wide in order to meet the rising challenge. Managing cyber risk is complicated, but it is most effective when led from the top, well-planned, and supported by data. Be the champion within your own organization and push to elevate the discussion of managing cybersecurity risk.
Dan L. Dodson is President of Fortified Health Security where he brings over 10 years’ experience in the healthcare and insurance industries — serving as both an operational leader and sales leader. Dan’s specific focus has been in aligning organizational strengths with client needs through the execution of relevant go-to-market strategies and solution development. Dan also serves as an Executive Vice President for Santa Rosa Consulting. Prior to joining Fortified, Dan was Senior Vice President at Hooper Holmes, Inc. (AMEX: HH), a company serving the health and wellness and life insurance industry. Prior to joining HH, Dan served as Global Healthcare Strategy Lead for Dell Services (formerly Perot Systems) and has held numerous positions within various healthcare organizations including Covenant Health System and The Parker Group. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.