Today we cover the things we are keeping an eye on for 2019.  Yes, it is 2019, I can not believe how quickly we have gone through almost 2 decades of the 21st century. Our top 7 predictions for 2019 may not surprise you.  But, that shouldn’t stop us from throwing them out there.

HIPAA For MSPs by David Sims 7 Predictions for 2019

Granted, we came out of 2018 feeling really confident.  Our educated guesses turned out to be pretty spot on, so we should give it another shot and see how we do, eh?

1. More Federal Data Privacy & Security Legislation coming.

We talked about the potential changes in the last episode.  HIPAA may have some changes but the biggest legislative changes will come from federal and state privacy and security legislation.  We don’t know how it will look or when it will show up but there will definitely be legislative movement on this issue.

There are countless articles and legal briefs out right now about the proposed Consumer Data Protection Act (“CDPA”).  Of course, there are plenty of folks looking at the EU GDPR as an example of what works and what doesn’t work here.

There is too much pressure from all sides for this to be kicked to the curb.  The next big data breach will come, and the response will come at the state or federal level.  What will happen when new legislation conflicts with old legislation?  The chaos we usually see, of course.

No matter how you look at it, all businesses need to be getting their privacy and security plans in place, or they will be made an example of next.

2. More civil suits from patients / the public will be coming

The CT case we have been watching for years came to a close just this month.  This case started back in 2007.  The CT Supreme Court ruled at that time that patients do have a right to sue medical offices for disclosing their medical information without the patient’s permission.  See this article for more details:  Doctor’s office ordered to pay a woman $853,000 for releasing her records.

This case was clear cut from a HIPAA perspective.  The practice involved sent medical records when they were specifically told not to do so.  Yes, there was a subpoena involved, but the patient has the right to challenge that subpoena in court.  The practice is supposed to protect the patient first and foremost.  They never notified the patient about it at all.

This case was so clear that the jury only took a couple of hours to rule and included interest in their award of $853,000.

3. States are becoming very active in prosecuting and adding new laws to give them more enforcement tools.

Let’s start with the new law in South Carolina.  South Carolina will have new breach notification requirements for insurance companies.  This is a law based specifically on the Insurance Data Security Model Law from NAIC.

Next, we look at the latest case where a State AG has won against a hospital: Hospital Pays $75,000 Penalty in Case Involving Lost Unencrypted Devices.  The Massachusetts State AG filed and won the cash penalty.

Finally, the first big case we have seen from multiple states joining together over one specific breach: 12 different states filed against Medical Informatics Engineering Inc. and NoMoreClipboard LLC.  (Beth Krudop sent us this as soon as it came out.  HBC alumni!)

Between May 7, 2015, and May 26, 2015, hackers infiltrated WebChart, a web application run by MIE. The hackers stole the electronic Protected Health Information (“ePHI”) of more than 3.9 million individuals.

4. Supply Chain becomes a priority

This one has been brewing for some time, and it is Donna’s top pick for certainty.  We have discussed it many times, Ready for extreme vendor vetting? – Ep 150 for example.  There are vendors that are careless, and some don’t even know what they are supposed to be doing.  Other vendors claim they are doing things they aren’t, and as we have seen, some aren’t even really vendors.

A recent article, Why Contingency Planning for Vendor Data Disputes Is Critical, brings up how important it is to really understand what your supply chain plans to do with your data in the event you want to separate.  We all need to plan for the potential that a vendor will make it hard for you to get to your data, or at a minimum very expensive.  I know some groups are going through that right now, trying to leave EHR vendors and not getting any reasonable options for bringing their data with them.

Another false-contractor story came out in a recent settlement just after we discussed this.  Contra Costa Health Plan found out a contractor was using a false identity.  They were reviewing charts for utilization management and were not vetted properly.  Just how much of this is happening, where folks aren’t vetting these vendors but are giving them access to the data we all hold private, no one knows.  However, you can bet there will be more requirements pushed down to vendors this year than ever before.

The NIST Framework was updated in 2018 to include Supply Chain Management as a specific category.  Those who use the framework will be including the requirements in their policies and procedures.  All of those vendors who think this is no big deal need to open their eyes and try to understand something outside their own little world.  OCR enforcement will be pushing BA cases too.  Especially, watch what happens with Medical Informatics Engineering Inc., discussed above.  That one is very likely going to set the standard for vendor responsibility in these breach cases.

5. Crypto-mining will become a bigger threat than ransomware

This is David’s SWAG topic for 2019.  The fact that Crypto Mining Malware Grew 4,000% This Year does make it clear it is a growing problem.  Many people don’t seem to understand exactly what that means.  Basically, criminals are using your processing power to make money for them.  Do you have no idea why your computer is running so slow?  It could be you are being used for crypto mining.

Cryptomining was just becoming a big thing at the end of 2017.  The explosion in 2018 means it is likely here to stay.  Since it is the processing power that is being stolen and not the data, some think it isn’t a big deal.  Don’t forget that Availability and Integrity matter, and overworked resources can impact both when it comes to PHI.  Watch for things to start blowing up quietly, like the case just announced where investors are upset with Nvidia over how much crypto-mining is impacting their business:  Nvidia Faces Class Action Lawsuit Over Its Statements on Crypto Mining Influence Its Business.

6. A huge rise in healthcare IoT

We started talking about IoT way back at the beginning of this podcast:  Episode 28: The Internet of Things: Rise of the Machines?  Others are writing about it being a big deal in 2019:  5 Challenges Facing Health Care IoT in 2019.

We know there are a huge number of devices and solutions being developed and tested today for the healthcare market.  As we have discussed before, most of these devices are developed with security as the last element of concern.

Hopefully, the information published by the FDA in 2018 will improve the security controls and the ability to roll out patches.  No matter what, your SRAs had better be ready for more devices coming at your network than ever before.

7. Organizations will begin to discover security is a people issue, not a tech issue.

Yet another point we have been pushing here since the beginning:  HIPAA Security Awareness: It’s The People.

People are the ones making the security and privacy mistakes that create the breaches we all hear about.  There is no amount of technology that can always outwit a determined individual.  As part of the process, most folks have been doing the annual training that checks the box for HIPAA.  We can’t function like that anymore.  All organizations need to have privacy and security on the table in every single discussion.

No matter what may be discussed, at least confirm there are no privacy or security issues surrounding the matter, the project, or the plans.  Until people take responsibility and participate fully, we will not be able to overcome the obstacles and threats coming at us and our data every second.  That includes those at the top of the organization as well as those not even on the org chart.

So there you have it.  Our 2019 things to watch (or predictions).  We will see how much of that comes to fruition.  Who knows what this year will bring, but we plan to be here with you!