Healthcare Security and Risk – 2023 Health IT Predictions

As we head into 2023, we wanted to kick off the new year with a series of 2023 Health IT predictions. We asked the Healthcare IT Today community to submit their predictions and we received a wide-ranging set of responses that we grouped into a number of themes. Check out our community's predictions below and be sure to add your own thoughts and/or places you disagree with these predictions in the comments and on social media.

And now, check out our community’s healthcare Security and Risk predictions.

Jamie Blackport, Head of Privacy Hub by Datavant at Datavant
We are going to see an increased demand for privacy-preserving technology in 2023, and therefore more investment in the space. This is because health data continues to move away from the barriers of manual approach and towards online platforms. As this happens, there’s great potential to advance innovation and research that will improve patient outcomes. But increased patient privacy risk is the other side of the coin. To answer for that, I think we will see huge investments and advancements in privacy-preserving tech.

George Waller, Co-Founder and Executive Vice President at Zerify
2023 will see hacks against health care institutions increase through their video conferencing platforms. The most valuable commodity today is data. With data, you have identities, corporate information, and proprietary healthcare details, and 2023 will only lead to an explosion of more data as more companies rely on video conferencing. Healthcare is the number one type of data hackers set their sights on, and healthcare identity fraud is prevalent.

Daniel dos Santos, Head of Security Research at Forescout Technologies
Directly Targeting Connected Medical Devices for Healthcare Disruption: The insecure-by-design features in many connected medical devices are increasingly tempting targets for threat actors who want to disrupt operations at healthcare facilities.

In 2023, we expect healthcare cyberattacks to not only spill over to medical devices – as was the case for several ransomware incidents in the past few years – but even start to target them directly, though this would require attacker motivation to purposefully target devices that could directly harm people.

We highly recommend medical device manufacturers strengthen their internal development and testing lifecycles to make sure that vulnerabilities are discovered and addressed early on, before they are found by other parties.

Gerry Blass, CEO at ComplyAssistant
Investments in cybersecurity will remain a top priority for healthcare executives. There are three specific gaps for provider organizations to watch in the year ahead: vendor risk management, internal audits, and disaster recovery plans.

From a third-party vendor perspective, keep an eye on NIST. They are updating their Cybersecurity Framework from version 1.0 to version 2.0 during 2023. Compliance with the new framework should be another evaluation factor for an organization's third-party vendors. A complete risk register provides vital information in the case of an audit, details risks that could impact business, and gives departments an autonomous roadmap for the year ahead. Finally, DRBC plans should be updated to address extended breaks in system access, even beyond three full business days.

Chandra Kalle, VP of Security & Compliance at LeanTaaS
The healthcare industry is extremely attractive to cybercriminals, primarily because it is plagued with outdated technology, and IT departments typically are not able to improve this based on budget and resource constraints. Unfortunately, this is only going to worsen, and we can see this in reports detailing the increase in cyberattacks over the past couple of years. For example, a report from Sophos found that 66% of healthcare organizations reported ransomware attacks last year, jumping from 34% in 2020.

In 2023, health systems must make cybersecurity a top priority; otherwise, they will be putting patient data at risk. Leadership teams must invest in in-depth security programs and update deprecated legacy infrastructure and insecure systems. Other crucial steps include staying up to date on current security policies, making adjustments as needed to organizational strategies, and conducting regular trainings and security breach simulations to teach employees how to best handle a threat when it arises. As you do this, keep in mind that your success will be limited without employees who are willing to embrace change.

Developing a healthcare community that embraces new technology should be a key goal for organizations if they are not already emphasizing it. Change and innovation are crucial not only to establishing strong cybersecurity measures within an organization but also to its long-term success overall.

Will LaSala, Field CTO at OneSpan
During the pandemic, we know healthcare organizations were forced to quickly digitize, ramping up technological capabilities to meet the needs of patients — namely through virtual appointments and other telehealth offerings. However, in most cases, security was severely neglected – not for convenience, but to continue essential services as the world shut down.

In 2022, convenience is now a patient demand, hackers understand how to take advantage of such virtual practices, and the industry has yet to widely implement the security measures needed to combat these growing threats. As a result, we've seen massive increases in data breaches coming from all areas of healthcare on a global scale. Most notably, Australia's largest health insurance provider, Medibank, suffered a data breach that compromised almost all of its four million customers. There has also been an increase in phishing, social engineering, and ransomware attacks that we expect will continue into the new year.

Looking ahead, there is a balance that must be struck between patient demands, privacy and lack of human interaction. Security should be considered a must-have and should be interwoven into all the choices application providers are making. Data breaches from a variety of application providers mean threat actors can gain access to a wealth of knowledge and valuable personally identifiable information (PII).

Furthermore, threat actors can now see things like patient trends, patterns and the way patients interact in social settings, not just the obvious PII, like names and birthdates, meaning threat actors can now create almost-impossible-to-identify synthetic identities. Without the correct technology to detect these fakes, these synthetic identities will severely disrupt people's lives and the way we do business. The response to all of this is the increased level of security that must be adopted into the fabric of all our transactions and agreements.

Rick McElroy, Principal Cyber Security Strategist at VMware
Healthcare will continue to be a top target for cybercriminals in 2023. With telemedicine becoming the norm, ransomware and deepfake attacks on the healthcare industry will continue in 2023. As increased numbers of people turn to telehealth to connect with healthcare professionals, have prescriptions filled and file their healthcare records, the door for fraud is left wide open for attackers to strike.

As healthcare becomes increasingly politicized, dark web activity and ransom demands will continue to rise as data becomes a goldmine for attackers. Attackers will aim to use this data in a way that is harmful to both the organization and the patients at hand. Adversaries know that if they want to inflict pain on an organization, targeting a hospital is the best route for destruction as a patient’s life is on the line.

Brian Selfridge, Healthcare Cybersecurity & Risk Leader at CORL Technologies
Given the growing risk burden on healthcare, I offer ten predictions for the top vendor risk exposure trends for 2023. Observing trends should serve as a guide to develop TPRM strategies for the coming year:

  1. The number of healthcare vendor breaches will increase. Third-party breaches will be more frequent, severe, and costly as cybercriminals target healthcare organizations and solution providers.
  2. More healthcare delivery will move out of the hospital. Technology makes it easier to manage patient recovery remotely, and you will see more third parties managing care at home.
  3. Ransomware attacks will continue to increase. Seventy percent of malware attacks last year were from ransomware, according to Verizon’s 2022 Data Breach Investigations Report. Ransomware will have a more profound impact on patient safety and operational and financial performance in 2023.
  4. Cloud-hosted platforms will become the primary repositories for patient data. As healthcare organizations store more electronic information on hosted services, cloud misconfigurations will remain the top source of healthcare data breaches.
  5. External hackers will focus more on the supply chain rather than stolen external devices, as in the past. Both federal and state governments will focus on alleviating supply chain risks, enacting new laws, and ramping up enforcement.
  6. Third-party assurance models like HITRUST, SOC 2 audits, PCI reports, and penetration tests will move away from a questionnaire-driven approach toward a more scalable system, adopting new technologies to validate third-party vendor security.
  7. Healthcare organizations will increase their investment in cyber resilience capabilities, such as incident response and disaster recovery. You can expect dedicated TPRM teams to become standard practice for healthcare organizations.
  8. Fourth-party risks and vulnerabilities will increase as cybercriminals target vendors’ suppliers. As a result, vendors will escalate tracking using Software Bill of Materials (SBOM) and other tools.
  9. Data and analytics will become more sophisticated, elevating the conversation about TPRM. New analytics tools will make the conversation more relevant to clinicians and business leaders, removing much of the technical obfuscation.
  10. Technical automation and managed services will converge to scale coverage, reduce turnaround time, and reduce the cost of TPRM, replacing manual processes. Mid- to large-sized healthcare entities will add one or more TPRM technologies or services.

Be sure to check out all of Healthcare IT Today’s healthcare security and risk content and all of our other 2023 healthcare IT predictions.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.
