Larger Cybersecurity Budgets
2016 was the year of the Ransomware attack – with several major healthcare organizations having their business operations disrupted. Unlike a data breach, ransomware interrupts the ability of the organization to do business, and so can have a significantly greater financial impact than a data breach, even in the event of a multi-million dollar fine. Even when the immediate ransomware incident is resolved, the healthcare organization may still have to deal with data integrity and billing claims issues for months to come. The Boardroom chatter these events are already generating will start percolating down the management chain and so we will start to see more funding being given to healthcare CISOs to protect against this critical threat.
RegTech, Not GRC
2016 saw a 50% increase in the number of healthcare entities reporting breaches caused by hacking, a trend we have seen since 2012.
External threats will continue to be a major source of breaches in 2017, so organizations need to increase vigilance against third-party attacks. Increased perimeter security, encryption, training, and phishing simulations will all remain at the forefront of the CISO's to-do list. But RegTech, rather than GRC, is the term they will need to become familiar with. Rather than expensive-to-implement enterprise tools to manage security compliance, we will see an increase in more nimble, cloud-based services designed to simplify and track it. Think SalesForce for Risk Management.
The Rise of HITRUST
In 2015 the HITRUST Alliance announced that HITRUST was becoming the compliance standard for a number of major healthcare organizations such as Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group. As a result, HITRUST has now trained over 1,000 assessors to help companies become compliant with the framework. 2017 will continue to see adoption of the framework by vendors in the healthcare insurance space, but it will also continue to be dismissed by most providers as a step too far given their currently limited Vendor Risk Management capabilities.
A Change at the Top
With a new administration coming into the White House, particularly given some of the campaign rhetoric around repealing the Affordable Care Act (ACA), expect a lot of turmoil around the delivery of care. While it is not clear how, or even if, this will impact security and privacy regulations, it is certainly going to lead to a higher level of uncertainty. As a result, some regulated organizations may continue to be slow in strengthening their security posture as they wait to see how things turn out. However, whatever happens to the ACA, the continued digitization of healthcare records will keep them attractive to cyber criminals, and this will more than offset any potential scaling back of regulations.
OCR Continues to Levy More Fines
In January 2015 I wrote an article explaining why I thought 2016 was going to be the year when HIPAA would finally be taken seriously by digital health providers. Since then, OCR has conducted its first Business Associate audits this year and is expected to provide more frequent and thorough reviews in 2017. So, while 2016 may not have turned out to be the tipping point I predicted, for this reason and the others listed above, 2017 could well be.
What do you think – what are your predictions for 2017?