See Also: Threat Intelligence - Hype or Hope?
I had the opportunity to attend a variety of sessions at this year's event and conduct interviews with many of the healthcare sector's leading security and privacy experts. Here are some of the top themes that emerged:
Medical Device Cybersecurity Heating Up
Medical devices could very well be the next bullseye for cyberattacks.
Sure, we've been hearing this for a while, with ethical hackers for years spotlighting vulnerabilities they find in medical devices.
But the current surge of hackers trying to make a quick buck with ransomware attacks will soon morph into more targeted malware attacks on medical devices used in healthcare organizations, some experts predict. Those cyberattacks could involve medical devices as an entry into other critical hospital systems for extortion - or as a direct threat for intentional or collateral patient harm.
"It's only a matter of time before we see a major event affecting patients involving medical device cybersecurity," said Marty Edwards, director of the Industrial Control Systems Cyber Emergency Response Team at the Department of Homeland Security during a medical device cybersecurity forum at HIMSS17.
Government regulators and medical device industry stakeholders, in the meantime, are attempting to raise awareness of emerging threats and kicking off new efforts to prevent nightmarish breach scenarios.
The recently released Food and Drug Administration post-market medical device cybersecurity guidance was widely touted during HIMSS17, as well as efforts to bolster the sharing of information about newly discovered vulnerabilities in medical devices so that they can be patched or mitigated before malicious hackers exploit the flaws.
"There is no other public health problem of this scale that there is so little information about," says Dale Nordenberg, M.D., executive director of the Medical Device Information Safety and Security consortium. MDISS is collaborating with the National Health Information Sharing and Analysis Center on a new way to report medical device vulnerabilities before they cause patient harm.
Blockchain on the Healthcare Horizon?
Another hot topic at HIMSS17 was finding new uses for blockchain, the open source distributed ledger technology that supports cryptocurrency. It's being explored as a way to support the secure exchange of patient data for clinical purposes as well as payment of claims.
The Department of Health and Human Services' Office of the National Coordinator for Health IT is closely examining the technology through collaborative efforts with industry - such as contests to solicit ideas for implementing blockchain in healthcare.
But other HHS agencies, including the FDA and the Centers for Medicare and Medicaid Services, are also in the early stages of examining how blockchain might be applied.
Steven Posnack, director of ONC's Office of Standards and Technology, told me that "diversity in how blockchain can be implemented is one of the attractive features" of the technology.
But it's not only the federal government that's eyeing blockchain. The technology is also being explored for healthcare uses by companies participating at HIMSS17, including Aetna, Cerner Corp., Kaiser Permanente, and IBM.
While many large breaches in healthcare continue to be the result of insiders, external threats are multiplying.
Dan Berger, a vice president at security consultancy CynergisTek, predicts "an explosion" of attacks involving non-technical hackers using ransomware-as-a-service kit offerings. That's especially bad news for many smaller healthcare entities that will now find themselves on hackers' radar screens.
"What's occurring is that there's been sort of a rush to flood the black market [with stolen health data], which in turn has caused a decrease in the value of a health record in the black market," Berger says. That's what has led to a rise in ransomware attacks on organizations of all sizes, he adds.
Many of the ransomware attacks of 2016 also spotlighted another troubling trend - the lack of proper contingency plans, including data back-up and recovery strategies, at many healthcare entities, says Deven McGraw, deputy director of health information privacy at HHS' Office for Civil Rights.
In its settlements and civil monetary penalty cases involving HIPAA violations found during breach investigations, OCR has a fondness for "high impact cases" that highlight common bad behavior, McGraw told a HIMSS17 audience.
My bet is that the continued surge in ransomware attacks will lead OCR to highlight in upcoming enforcement actions and settlements cases involving insufficient backups and contingency plans.
Hopefully by the time HIMSS18 swings around next March in Las Vegas, more organizations will be better prepared to prevent - and respond to - a variety of data breaches.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.