Here we go starting another year! It is amazing that this is the third new year we have covered on HMWH. There are so many things that have happened over that time and as we head into 2018, so many things to look into our crystal ball and make 7 educated guesses about 2018. We may not be predicting the future but we both have some opinions about what we see happening out there in the world of HIPAA, privacy, and cybersecurity in the coming months.
So we can’t make tell-the-future kinds of predictions, but we can certainly make educated guesses. Here are our educated guesses about what 2018 holds for us in the world of privacy and security.
- OCR will start making some announcements about settlements dealing with breaches from 2015 and later – up until now they have mostly announced resolutions for 2014 cases and earlier.
- The “big, juicy case” comment Director Severino made at the NIST OCR Security Conference this fall still hasn’t come through yet. They want to make an example of someone concerning the importance of compliance with HIPAA privacy and security rules. That should happen sometime this year, probably in the first 6 months of 2018.
- Anthem and many more big news cases from 2015 are due to be resolved still. Guidance will come out of those cases if nothing more.
- Ransomware (digital extortion) will continue to wreak havoc
  - New methods of holding your data for ransom. The criminals continue to become more creative in the ways they make their money. If we protect one thing, they find a new way around it or a whole new method for attacking.
  - New tools being created by the criminals, some of which come from the NSA and CIA tool leaks that came out this year. There may be more to come, but even without that, there will be more tools developed and designed specifically to attack hard and fast.
  - More targeted attacks than the spray-and-pray approaches we have seen in the past. Healthcare has a huge problem because its weak security posture is common knowledge. Everyone knows now that the healthcare industry may have had rules in place to build these security programs for years, but that means nothing. Very few organizations took them seriously until recently. They may have thought they were doing the right thing, but it is clear there are “technological gaping wounds” out there everywhere in the healthcare sector.
- GDPR will ripple across the pond
  - The General Data Protection Regulation (GDPR) of the EU becomes effective in May 2018.
  - The possible impacts on the US, and in particular on healthcare, aren’t fully known yet, but there will be effects in some way. There are some pretty specific requirements that many lawyers are looking into these days. We don’t know the details right now, but it should be on your radar for this summer.
  - States will also begin to step in, since federal rules have no reasonable chance of being worked out in our completely dysfunctional system in Washington, DC. There are plenty of laws being passed in states, as we discussed in episode 98: State privacy laws vs HIPAA, who wins?
- IoT attacks and breaches will make news, bringing medical device security to the forefront
  - The FDA and ONC are both involved in developing guidance for securing medical devices.
  - Many developers don’t build security in at the beginning of design but instead make it an afterthought. That is how we often end up with these problems. Eventually, security will become an issue with these devices one way or another. Until security becomes part of the required design process, we won’t see major changes in the field. Innovation is the driving force, with little concern so far about securing the devices.
- Insiders will make the difference.
  - There are so many issues to consider when managing insider threats that it isn’t something to take lightly. As we start to lock things down and take privacy and security more seriously than we have in the past, there will be some obvious cases discovered that have been overlooked for years. We talked about some of this in Insiders may be your biggest threat to privacy and security – EP 97 and earlier in Insider Threats: Do you know your employees? – Ep 70.
  - End-user education and training will be a priority to address insider threats. That is, if organizations hope to combat security issues effectively.
- New password technologies and options will begin to catch on.
  - Multi-Factor Authentication (MFA) will become even more important. Today, most of our accounts use some type of MFA or 2FA.
  - NIST guidance on what makes an effective password just came out in June. It will take time for the new options to be rolled out in all the different apps. The good news is that the ideas we have all suffered through, with complex passwords having to be full of numbers, upper and lower case, and special characters, are officially wrong. The new guidance lets us get away from that and just work with longer phrases that are easier to remember.
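To show what the shift in the NIST guidance looks like in practice, here is an added example (not code from the show or from NIST) that puts the old composition rule beside a checker written in the spirit of NIST SP 800-63B: minimum length, no character-class requirements, and a blocklist lookup. The blocklist and the 64-character ceiling are constructed assumptions for the demo.

```python
import unicodedata
from typing import Tuple

# Constructed stand-in for the "commonly used / compromised" list that
# SP 800-63B says to check against; a real deployment would use a large
# breach corpus, not this toy set.
BLOCKLIST = {"password", "p@ssw0rd", "letmein", "qwerty123", "welcome1"}

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def legacy_complexity_ok(pw: str) -> bool:
    """The old rule: at least 8 characters with upper, lower, digit, special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def nist_memorized_secret_ok(pw: str, blocklist=BLOCKLIST) -> Tuple[bool, str]:
    """Checks in the spirit of SP 800-63B section 5.1.1.2 for user-chosen
    secrets: at least 8 characters, Unicode normalized (NFKC) before the
    length check, spaces and any printable characters allowed, no
    composition rules, and rejection of anything on the blocklist.
    The 64-character ceiling is this demo's policy choice (NIST says to
    accept *at least* 64); nothing is ever truncated."""
    normalized = unicodedata.normalize("NFKC", pw)
    if len(normalized) < 8:
        return False, "too short (minimum 8 characters)"
    if len(normalized) > 64:
        return False, "longer than the 64 characters this policy accepts"
    if normalized.casefold() in blocklist:
        return False, "appears on the blocklist of common/compromised secrets"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "short1!"):
        print(f"{candidate!r}: legacy={legacy_complexity_ok(candidate)} "
              f"nist={nist_memorized_secret_ok(candidate)}")
```

Note that "P@ssw0rd" satisfies every legacy character-class rule yet is rejected by the blocklist, while a four-word passphrase fails the legacy rule and passes the NIST-style check.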
- Communications tools will be under more scrutiny after phishing attacks and unsecured messaging breaches become overwhelming.
We certainly aren’t making bold predictions here but there is a certain amount of confidence we have in these things. Over the year we will come back and reference our thoughts for certain. Hopefully, we will be closer to right than wrong because we can be prepared for handling these to some extent. If we are way off in our guesses we all have a much more interesting year ahead of us. Welcome to 2018! We are looking forward to the ride and seeing just how our educated guesses turn out.