A hectic 2013 has certainly set the stage for a busy 2014 packed with healthcare organizational policy changes and technology advancements. Based on healthcare expert feedback and interviews in 2013, HealthITSecurity.com has come up with five predictions for 2014. From managed security services to whether perceptions have truly changed regarding cloud security, there’s a lot to consider for healthcare security professionals next year.
1. The rise of managed security services
Managed security services can mean different things to different organizations, but the offerings of managed security service providers (MSSPs) may range from on-site consulting to remote network management to penetration and vulnerability testing. Depending on an organization's size and needs, MSSPs can help healthcare organizations fill various security gaps, such as helping to deal with email phishing attacks. Whether offered by a vendor the organization already works with or by an independent firm, there are plenty of MSSPs available to healthcare organizations.
For example, Jennings Aske, Partners Healthcare CISO, said: “[We'll be] establishing a managed security services relationship with Symantec.” Essentially, these services would go through all user emails and distill them down into 10 events that may not be problems, but may be events that Partners wants to look at. The defense industry often says “the bad guys are going to get in – the question is how do you prevent them from getting out,” added Jim Noga, Partners CIO. “You use detecting and monitoring [referencing Aske's managed security plans].”
2. BYOD less of a worry for hospitals and mid-sized healthcare organizations
We keep hearing that it’s less about the device and more about controlling the data that touches the device. 2014 will mark the beginning of strong adoption of that approach across most hospitals and mid-sized healthcare organizations. Being device-agnostic as part of a virtual desktop infrastructure (VDI) environment cures a lot of problems, and BYOD would be chief among them. If the data never touches the device in the first place, clinical users bringing in their own devices would no longer be a major concern. This isn’t to say that mobile security will be a non-issue in 2014, but technology upgrades can certainly make life easier for those in charge of user-owned device security.
3. Big data security will become a more pressing issue
Healthcare organizations are starting to remove their data silos and aggregate patient data to maximize its value and build a strong base for predictive analytics. With the benefit of these big data sets will come new and different responsibilities for securing the patient data. Some believe HIPAA inhibits big data usage because healthcare organizations aren’t as free to share data as they would need to be to truly make use of it. The Bipartisan Policy Center maintains that HIPAA is stifling organizations from moving data around in a meaningful way because the federal regulation is “misunderstood, misapplied, and over-applied.”
But as Deven McGraw, Director of the Health Privacy Project at the Center for Democracy & Technology (CDT), told HealthITSecurity.com back in September, there needs to be a reasonable balance between privacy and innovation. “Patients are harmed when data aren’t used in beneficial ways in the same way they would be harmed if the data were used inappropriately,” she said. “So we’re trying to use data for good purposes but make sure that good doesn’t damage public trust.”
4. Software as a Service (SaaS) won’t be as popular as it should be
Cloud security concerns linger, and perception often outweighs reality: there’s still a divide in healthcare over the security risks of using cloud storage. There’s plenty of evidence of the benefits of SaaS, such as flexibility and lower up-front costs, but what should happen doesn’t always end up being what does happen when it comes to healthcare IT.
Some organizations may be more involved with cloud than they realize, as Bruce Forman, Chief Information Security Officer (CISO) of UMass Memorial Medical Center, explained to HealthITSecurity.com in the fall. But once there’s trust in the vendor, cloud computing becomes an appealing option for some organizations.
“We do have some confidential information out there [in the cloud], but we try [first] to get comfortable with the cloud vendor’s tools, whether it be Amazon or Microsoft, as well as ensuring that the third party that’s providing the application within the cloud has the right controls in place to protect the information.”
5. OCR audits will ding many organizations for lack of true risk analyses
This isn’t so much a prediction as it is a reality for healthcare organizations. OCR Director Leon Rodriguez told us at the 2013 HIMSS Privacy and Security Forum that he wants to use audit funds in a more widely-distributed way for the 2014 audits. “This way, we can see change year-by-year, depending on where we’re seeing vulnerabilities, and one focus in the audits will be on risk analysis,” he said. The exact criteria for the risk analysis requirements remain to be seen. But organizations would be smart to strengthen whatever processes they have in place to ensure their analyses, whether internal or external, are up to par for OCR.
Let us know in the comment section what we missed!