
In 2015, Target Online Security or Be a Target

By smace@healthleadersmedia.com
December 16, 2014

A roundup of healthcare IT security predictions and priorities for next year—and which one matters the most.

This year the online security breaches facing healthcare rose to new levels of fear, loathing, and shame. Healthcare wasn't always the "target" in 2014 (pun intended) but for customers of Target, Home Depot, and others, it was a year of great dread. And then, just before the year ended, a massive breach of security at Sony Pictures saw public dissemination of, among other things, conversations between Sony employees and Sony HR personnel—discussing health insurance matters and highly confidential details of the medical conditions of employees' children.

While the industry debates whether Sony and all other employers are covered entities under HIPAA, the damage to those kids, whose permanent medical conditions will now be public information for the rest of their lives, is already done.

With that somber backdrop, I was somehow amused when, within the space of a day, three security experts called to offer their predictions for the 2015 security landscape for healthcare. I decided to triangulate the three—see where they agreed and where they differed.

Experian Data Breach Resolution Group's predictions:

  1. Rise—and fall—of payment breaches
  2. Safeguard your password: more hackers will target cloud data
  3. Persistent and growing threat of healthcare breaches
  4. Shifting accountability: business leaders under increased scrutiny
  5. Missing the mark: employees' mistakes will be companies' biggest threat
  6. Rise in third-party breaches via the Internet of Things

Coalfire's predictions:

  1. Motivated threat actors
  2. Redefining the defense—understanding risk exposure
  3. Three heads vs. one—balancing responsibility between CIOs, CTOs, and CISOs
  4. Investments will increase
  5. New fronts—mobility, cloud, BYOD policies, Internet of Things
  6. Universal monitoring
  7. Business leadership on policy development
  8. New threat detection and response technologies
  9. Improved security
  10. Back to offense

ESET's predictions:

  1. XP Embedded support ends in 2016; hospitals need to get rid of it in 2015
  2. HHS' Office of Civil Rights has begun Phase 2 audits; hospitals need to do risk assessments immediately

To be honest, the biggest common theme I find running through all three sets of predictions is to generate heightened fear to drive the revenue of these consulting and technology companies. I proceeded to grill them about whether these are really the security priorities that will matter in 2015.

Here are my takeaways on the lists above and the real risks to healthcare security.

1. Predictions in tech are infamously, consistently wrong or inconsistently right. "Expect the unexpected," a tech company's motto, is my motto. Case in point: Experian, in its first annual set of predictions in 2014, predicted that the cost of security breaches would fall. "It actually went up," says Michael Bruemmer, Experian's vice president of consumer protection. Preventive measures and cyberinsurance policies were supposed to lower breach costs in 2014. They didn't. Bruemmer says the largest cost of data breaches is loss of revenue and brand reputation when a prominent corporation gets breached. Company revenues and stock prices of the affected enterprises also took a beating.

2. As patients take control of their data, they will become the source of more breaches. With thousands of healthcare apps in the app stores, patients loading their own healthcare data in such apps means a shift of responsibility from insurers and providers to app developers and patients themselves. "That's a whole area that could be in addition to what I've already described in some of the predictions," Bruemmer says.

3. Bringing business leaders up to speed doesn't mean a security turnaround in 2015. "They're going to be brought in, but they can't keep up fast enough," Bruemmer says. He says a Ponemon Institute study found that 46 percent of all companies aren't doing security and privacy training. Too many employees still open phishing emails, lose unencrypted laptops, and put unpatched servers into production use. Until top management makes change a priority, expect increasing numbers and severity of breaches on into 2016 and beyond. But at least more boards of directors are requesting briefings by security consultants, notes Rick Dakin, CEO of security audit and compliance firm Coalfire.

4. Security consultants cannot agree on whether the cloud is now a safer place for data than the typical small health system's data center. Experian's Bruemmer says moving all health data into a big cloud provider's data center makes that data a bigger target for the bad guys. Meanwhile, Coalfire, which counts cloud provider Box as a client, sees those cloud companies investing millions in security. They will know exactly who is accessing data at a very granular level, according to Dakin. I also spoke with a small-hospital CIO last week who threw cold water on the "big target" theory. "That's not how it works," says Dick Escue, CIO of Valley View Hospital in Glenwood Springs, CO. The bad guys "are not out there going, 'We're going to target this place.' They're pinging the Internet and just looking for an opening. It's just an IP address."

5. Going on the offense means different things to different people. To Coalfire's Dakin, going on the offense means anything beyond deploy-and-forget security controls. To Dakin, patching vulnerabilities is going on the offense. I disagree. To me, that's just due diligence. To me, going on the offense is, at the very least, setting up "honeypots" and places where CISOs can catch bad guys by dangling dummy patient data, without putting any actual sensitive data at risk.

6. The XP Embedded problem is a clear and present danger to healthcare. No one really knows how many hospital-based devices are out there still running Windows XP Embedded, the last vestige of the 2001 Microsoft operating system that is no longer patched in its desktop incarnation. Conventional wisdom is that these devices are not connected to the Internet. But that's not true. Too many of them even run Internet Explorer 6, also unpatched for years at this point, says Lysa Myers, security researcher at ESET, an anti-malware software company. Some of these devices are found in neonatal units, Myers says. Upgrading is tough since these devices are usually much more expensive than the typical Windows PC.

"I would be very surprised if the market share of XP Embedded went down to zero by the end of January 2016, but my hope is we can get really close," Myers says. "I think there's a lot of people out there who are not aware of end of life coming for XP Embedded. My hope is by telling people about it, they can get motivated."

If healthcare IT makes any security progress in 2015, let it be on Myers' call to action. I predict trouble if we ignore it.
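To make the honeypot idea in point 5 concrete, here is an added example that is not part of the article or any vendor's product: a handful of decoy patient records (medical record numbers that no legitimate workflow ever opens) are seeded into the EHR, and the audit log is watched for any event that touches them. The log format, the MRN values, and the user names are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed decoy patient identifiers (hypothetical values). These records
# exist only as bait, so any access to them is a finding, not normal traffic.
DECOY_MRNS = {"MRN-900001", "MRN-900002", "MRN-900003"}

# Constructed sample audit log in a hypothetical EHR line format:
#   <timestamp> user=<id> src=<ip> action=<verb> mrn=<record id>
SAMPLE_AUDIT_LOG = """\
2015-01-05T08:12:03Z user=nurse17 src=10.20.1.44 action=view mrn=MRN-004412
2015-01-05T08:12:09Z user=svc_backup src=10.20.9.2 action=export mrn=MRN-900002
2015-01-05T08:13:30Z user=drlee src=10.20.1.51 action=view mrn=MRN-007731
2015-01-05T08:14:02Z user=svc_backup src=10.20.9.2 action=export mrn=MRN-900001
2015-01-05T08:14:05Z user=svc_backup src=10.20.9.2 action=export mrn=MRN-004412
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) mrn=(?P<mrn>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    action: str
    mrn: str

def parse_line(line):
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_decoy_access(log_text, decoys=DECOY_MRNS):
    """Return one Alert per audit event that touched a decoy record."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["mrn"] in decoys:
            alerts.append(Alert(**ev))
    return alerts

def suspicious_principals(alerts):
    """Group decoy hits by (user, source IP) so one actor sweeping many records
    surfaces as a single high-confidence finding instead of N separate alerts."""
    counts = {}
    for a in alerts:
        counts[(a.user, a.src)] = counts.get((a.user, a.src), 0) + 1
    return counts

if __name__ == "__main__":
    for who, n in suspicious_principals(find_decoy_access(SAMPLE_AUDIT_LOG)).items():
        print(f"decoy access: user={who[0]} src={who[1]} hits={n}")
```

Because real patients never map to the decoy MRNs, the detector has no false positives by construction; the real-record export by the same account on the last line is what an analyst would pull next when triaging the finding.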


Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
