Like most business units at this time of year, biomedical and clinical teams will be reflecting on the last 12 months and trying, as best they can, to figure out what the new year will bring. Given the downward pressure on costs, increased intervention from state and federal regulators, and the explosion of new medical technologies, it’s safe to say that the pace of change won’t let up. Good planning, the right skills, knowledge and experience, and a large budget will all help organizations respond to the opportunities and inevitable challenges as they unfold.
5 Cyber Predictions for Healthcare
Of course, no one can see the future. Nevertheless, we can be sure that cybersecurity will stay uncompromisingly high on the agenda, as ever-changing threats make for sleepless nights and nerve-wracked days. Drawing on events from the year that was and market changes already afoot, these are our top five predictions for 2019.
There will be more successful cyber-attacks targeting healthcare in 2019 than ever before
A glance at a list of the attacks that targeted healthcare in 2018 offers a sharp reminder that HDOs are at risk, regardless of type, size and location. The threat is ubiquitous, as evidenced by attacks such as ransomware downing the systems in two Ohio hospitals, phishing attacks that breached 21,000 patient records in Minnesota, and the enormous SingHealth breach that resulted in the theft of data from 1.5 million patients.
While many attacks are launched by lone-wolf or small-time criminal affiliates, bigger attacks are usually performed by well-organized groups, often acting, covertly or otherwise, on behalf of rogue states. Given the global political situation, it’s likely these types of attack will become bigger, bolder and more frequent.
The stand-off with Iran and its allies; increasingly open confrontation with Russia and its sphere of influence; a multi-front trade war with China; heightened volatility on the Korean peninsula; and a seemingly unending cycle of tumult in the Arab world all contribute to conditions that promote cross-border cyber terrorism. Healthcare is a natural target because it plays on fear (if you’re not safe in hospital, where are you safe?) and therefore undermines confidence in state and federal government — exactly the outcome bad actors look for.
No organization is immune from attack, but the best way of preventing a breach is through layered cybersecurity measures: an up-to-date MedTech inventory, regular network and endpoint threat assessments, and an effective training program, along with continuous monitoring, detection, and response.
At least one major medical device manufacturer will make a splash in 2019, spending big dollars to acquire a cybersecurity firm
Regulations governing the use of medical devices are being tightened in response to healthcare’s generally under-secured and increasingly digitized data management and patient treatment environment. The Medical Device Cybersecurity Act, if passed, will require manufacturers to produce an annual cyber report card, grading devices for their adherence to security standards, and affirming that a proper assessment of the device’s risk to patient safety and clinical operations has been completed. The new EU Medical Device Regulations, set to take effect in 2020, cover much of the same ground.
Medical device manufacturers have a spotty record when it comes to security, which is another reason for regulations being strengthened. To survive, vendors will need to up their security game considerably. But security is easier said than done, and as it stands now, the knowledge and technology gaps dividing device manufacturers and leading medical cybersecurity firms are enormous.
Which brings me to my second cybersecurity prediction for healthcare in 2019. Rather than accepting the prospect of years spent sinking big money into what will most likely translate to past-gen solutions, some device manufacturers will look to level up and accelerate their cybersecurity by acquiring (or partnering with) a company way ahead of them on the same race track.
There is an increasing number of companies with products that would ostensibly make brilliant vertical integration plays for manufacturers.
Whether we’re talking about network mapping, traffic control, data aggregation and visualization, risk management, or communication encryption solutions, a team-up makes a lot of sense. For the device manufacturer, not only would it help address the growing regulatory landscape, but it would also provide a forward-facing differentiator for its product offering. At the same time, the cybersecurity outfit would suddenly find itself equipped with abundant resources and a well-established distribution network, helping the acquired firm to cover a lot more ground a lot more quickly and put some distance between itself and its competitors.
Someone will die from healthcare technology tampering in 2019
There are 50 billion device-based patient exposures annually, and the FDA receives several hundred thousand reports of suspected device-associated deaths, serious injuries, and malfunctions every year. But, aside from device failures, another major source of risk is from tampering.
Bad actors can switch devices off (or on), change drug delivery doses, or falsify data — leading clinicians to take the wrong action or none at all.
As long ago as 2007, US VP Dick Cheney had his pacemaker’s wireless capabilities disabled to prevent assassination attempts. More recently, the FDA forced Abbott Labs to take actions to correct design problems in some of their cardiac devices that could allow hackers to drain the batteries. Joining in on the fun, security researchers from McAfee, as part of a white hat exercise, showed they could hack into a medical network and falsify a patient’s vital signs.
Far from aberrations, these sorts of dramatic discoveries are becoming common occurrences. Not long ago, the team at CyberMDX disclosed a vulnerability that, in the hands of a duly motivated hacker, could theoretically be exploited to result in a fatality.
Thankfully, none of these scary scenarios have yet come to fruition. But they could have. And with the increasingly high stakes of covert international warfare, targeted assassinations are already a reality. Factor in the role of financially motivated criminal groups, terrorist organizations, hacktivists, and ego-maniacal hackers simply looking to test the power of their skills. It’s not at all unrealistic to think, or fear, that cybercrime will see its first healthcare fatality in 2019.
The impact on a healthcare provider of a fatality that could have been prevented with security measures would doubtless be hard to bear. Understanding the medical technology landscape is the first step to implementing comprehensive protection, and a quick review might lead to the sobering realization that there's no shortage of vulnerabilities opening your organization up to the possibility of medical sabotage.
Fortunately, there are products that can quickly fill the gaps.
The costs of civil lawsuits will eclipse those of government/regulator imposed penalties for breached healthcare organizations
The coworkers who had their personal details stolen, 8,000 PayPal accounts opened, and a combined debt of $3.5 million racked up in their names. The mother of three who lost $10,000. The couple presented with a £130k bill by German authorities after having their passports stolen. All these stories underscore the fact that identity theft hits fast and hard and leaves its victims picking up the pieces for years.
Aside from the immediate financial loss, there are other factors that compound the pain. A rock-bottom credit rating means trying to recover from loss is a thoroughly uphill battle. Organizations that have been indirectly defrauded may pursue THE VICTIMS of identity theft for compensation. For synthetic ID fraud — where the criminal creates a 'new person' by combining bits of information from different identities — it can take years just to untangle the web of digital deceptions. What’s more, when it comes to personal health information, there’s the added potential for privacy violations, public embarrassment, emotional damages, and so on.
While most people now take basic measures to protect their own information, breaches still occur when third-party stewards of that information – such as Yahoo! or Equifax or Target or Facebook or Community Health Systems – fail to sufficiently protect their data stores. It’s this type of successful attack on third-party information troves that should have healthcare delivery organizations concerned. It’s not a question of if another medical center will get hacked, but of who, when, and how badly.
With the inevitability of personal and financial loss comes the promise of hardy litigation. A class action lawsuit has already been filed against a hospital in response to a phishing attack that resulted in the theft of PHI data from 63,000 patients. UnityPoint Health is facing a class-action lawsuit over a recent data breach that affected 1.4 million patients. Thanks to aggressive litigation, over 1,200 patients of Flowers Hospital are set to be reimbursed for wages lost because of time spent handling the breach, and to receive a refund of any bank or tax charges.
And, although it stemmed from human error rather than a cybersecurity attack, Aetna is expected to pay $17 million to individuals who filed a class action lawsuit against the insurer for allowing private health information to be viewed through transparent envelope windows.
These developments reflect the fact that the healthcare industry is on the verge of a critical inflection point. Going forward, for HDOs that compromise their patients’ personal information, regulators and their penalties will be of only secondary concern. Increasingly, victims will take back control and personally hold their data controllers directly accountable in the courts.
Heading into 2019, the fear of devastating civil litigation and public backlash will weigh more heavily on the considerations of hospital executives than the fear of government scrutiny.
The average salary for cybersecurity staff in major hospitals will increase by at least 20 percent
Coping with pressure is part of the job for most healthcare workers, but the struggles of a hospital CISO and his or her team still somehow stand apart. The envy of none, this group is harangued by —
- Users who want to know why they can’t use their own devices and why they can't install their favorite apps on hospital devices
- Endless questions from compliance managers
- Constant demands to troubleshoot and repair problematic systems
- The expectations of a wary CEO who is asking for a detailed report on the organization’s cyber preparedness today and is sure to ask for something equally pressing tomorrow...
All while juggling the responsibilities of an ever more complex and interdependent vulnerability auditing and patching scheme.
Everyone could do with a pay increase, but the cybersecurity team arguably has a better case than most. In a way, all of the predictions I've made so far lead up to this one. It's a natural consequence of the others and the underlying market dynamics that gave rise to them. The average yearly salary for a network security engineer is around $80k, while an average CISO will make around $155k. Obviously, salaries will vary by industry. A review of available data on indeed.com and glassdoor shows that in healthcare specifically, a typical cybersecurity engineer will earn around $95k and a CISO around $180k.
Of course, salaries fluctuate wildly by organization and, while some recognize the value of security, others don’t. But that’s set to change with the increase in cyberattacks and the shortage of skills to help respond.
It's estimated there are 350,000 cybersecurity vacancies in the US, and a predicted global shortfall of 3.5 million by 2021. Anyone just leaving high school and wondering what to do next can stop wondering.
Qualified candidates may prefer to freelance or opt for high-paying consultancy gigs, which will contribute to a run on cybersecurity talent that will leave some HDOs high and dry. Those organizations unwilling to see their teams hollowed out will need to spend money to retain and build up their cyber talent, which is why my final prediction is that salaries for hospital cybersecurity staff will rise by at least 20%.
Most healthcare providers will find that increase hard to stomach, but if they are smart and strategically forward-looking, they will follow the example of the CIO at UoC Health and relate to proactive cybersecurity as an investment, rather than a cost.
Whether or not you think these 2019 cybersecurity predictions for the world of healthcare are on point, we can probably all agree that going forward, the threat landscape will be tougher than anything experienced so far.
At the same time, there’s a danger that continuous news reports of cyber attacks and data breaches could make some healthcare providers numb to the threat and potential impact. If that happens, it will fall on senior IT leaders to predict and plan for the road ahead, prodding the board to remain alert and not to fall asleep at the wheel.
If there's one lesson you can take with you to guide you into 2019 and beyond, let it be this: the stakes for healthcare cybersecurity are rising, and you can't allow yourself to become a cautionary tale!