Cybersecurity Predictions for 2019

GPM has staff experts in a wide array of areas. Now these experts are here to share their insights on what issues are likely to trend in 2019, as well as what challenges are ahead and how you can prepare. In this column, Sean E. Smith, CISM, CISSP, Consulting Security & Compliance Engineer, and Jeff Sluder, Security Analyst, share their predictions about HIT and cybersecurity in 2019 and some valuable tips about how to prepare.

HIT/Cybersecurity Predictions for 2019:

• Cybercriminals are getting increasingly sophisticated, and you can expect a blizzard of phishing activity. Attackers have learned from past mistakes and will be more inventive than ever regarding their scams. Your people are your most valuable assets, but—however unintentionally—they can cause security-related problems, some of them serious. Statistics suggest that 4% of employees will at some point click on a “phishing” email, no matter how and how often you train them not to. Most every breach or invasion of privacy information your organization is likely to experience starts with an email; and most of these successful phishing expeditions involve a message regarding money or represented as being from some authoritative source. You need to assume that your people will get attacked and put processes in place to protect them—and your company.
• There will be more publicly identified ransomware attacks in 2019. It is also important to note that in 2019, two main targets for cyber attacks will be cloud and user devices. More organizations will shift to a ‘zero trust’ device structure and to prioritizing cloud-delivered security solutions.
• Viruses are being created faster than technology can keep up, but it’s important to have the latest and best virus protection. For instance, there is a newer class of anti-malware/anti-virus software out there. Essentially, this software learns what is ‘normal’ and tries prevent or block anything outside of that parameter. We will see more of this technology in the coming year. You need to have a paid product on your system, and it is well worth spending a few extra dollars to cover your mobile devices as well. It’s no longer enough to protect your onsite hardware.
• There will be accelerated movement toward interoperability. The government is pushing for it and considering some changes to HIPAA to facilitate information-sharing and improve care coordination. One proposed change is to have opt-out privacy notices instead of the current opt-in model for systems, sites, and databases regarding their private health information, so that practitioners and facilities can share information as needed without seeking the patient’s permission every time. As the government expects/mandates information-sharing, you will need to build your system to allow this to happen. This will be challenging when you’re balancing privacy with the need to share information. This is where innovative platforms such as CareTeam are key (see more below).

How to Prepare for 2019!

• Make a HIPAA risk analysis a priority. You will be required to submit proof of this to the Centers for Medicare & Medicaid Services (CMS). The purpose of this assessment is to identify where you are vulnerable and fix those issues. This is a long-time requirement that isn’t going away. You will need to do this even if HIPAA changes as part of the government’s recently announced plans to revise the rule to enhance value-based healthcare and improve data sharing. We offer some expert help for you. Check out our series of Risk Academy for LTAPC Health Professionals videos on our website.

  

• You need to have an incident management plan in place so that if something happens, everyone knows how to address it. Know what the laws/regulations are in your state. In some states you have 10 calendar days to report a breach. You can get heavily fined by state attorney generals’ office if you don’t respond appropriately. We will address this in more detail in an upcoming video series.
• Utilize the latest and most secure tools to improve communication and interoperability. For example, CareTeam, a senior care collaboration platform, was developed to help the senior care community to enhance communication, prevent rehospitalizations, manage condition changes, boost 5-Star ratings, and optimize reimbursement.
• Make use of available resources from experts. Visit our website for videos and blogs on cybersecurity and other information. Elsewhere, the U.S. Department of Health and Human Services (HHS) recently released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a four-volume publication that provides guidance on voluntary cybersecurity practices. Visit our website for more information on this topic coming soon.
• Make sure you have expert help with your cybersecurity. Cyber security/risk management has become a very specialized field. It is important to contract with someone who has experience, credentials, and—preferably—certification. The gold standards are the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications. At the least, you need someone with a current understanding of vulnerabilities from the Internet; knowledge of contemporary standards, practices and procedures; understanding of operating systems architecture, administration, and management; understanding of how different types of firewalls and network load balancers work, and a detailed knowledge of how network routers and switches work.
• Train your people. We use a training program on phishing, for example, and we test our team on it. When they find and report valid phishing emails, we reward them with gift cards.
• Create a culture of awareness and action. If something happens, respond in a way that is productive, not punitive. Help the person understand what he or she did wrong and how to avoid similar problems in the future; give them more training. When you do this, you create a culture where people are likely to report issues and not hide or ignore them.

• 

  Set a good example for employees. Have an ‘open door’ policy where they are comfortable coming to you with concerns or questions. A little bit of time and money investment in training and products can go a long way toward ensuring cybersecurity and protecting your information. Jeff Sluder, Security Analyst, GPM, welcomes his colleagues to discuss security issues with an open door and a smile.