Prediction: Disruption from regulatory changes is likely
Rebecca Herold, author of 19 books on information security and CEO of The Privacy Professor consultancy, begins the list of predictions by examining the potential for agency updates to HIPAA. “Based on continued pressure from local, state and federal government agencies, law enforcement, researchers and others to ease the sharing of patient and mental health data by removing the need to obtain patient consent, I expect to see OCR issue proposed HIPAA updates,” she notes.
The push to ratchet up regulation compliance across the board is only likely to increase. Herold predicts, “Security incidents will result in huge - possibly business-ending - penalties, not only for HIPAA violations but also for violations of other laws, regulations, standards and contractual requirements.” Public pressure is mounting, and each new breach only fuels further outrage. Some will look to regulatory change as one tool to address the issue.
Takeaway: In a time of big changes, flexibility is key
Geopolitical swings and regulatory shifts are increasing in both frequency and magnitude. Brexit uncertainty and the shutdown of the federal government are the latest examples of how turbulent the current business environment is. With polarized, fragmented agencies driving inconsistent and patchwork reforms, trying to determine exactly which regulatory shoe will drop next could be an exercise in futility.
The more prudent path is to build a technological infrastructure that is flexible enough to handle whatever changes ultimately emerge. If you can’t predict exactly which changes will be enacted, or when, then be ready for all of them. Software as a Service (SaaS) solutions are critical components to this approach, as they do not require IT departments to update software in response to each new regulatory requirement.
The Forbes Technology Council writes in Five Reasons Why Switching To SaaS Will Be The Best Investment You Make This Year, “Seamless upgrades are done by your cloud service provider, which ensures you're using the most up-to-date version of the software without needing to reimplement or re-customize any of your preset features. With a true cloud system, your customizations are always portable to future versions.” SaaS-based solutions minimize the effort required to adapt to frequent changes, and reduce the disruption posed by major system updates.
Another tactic is to rely on technology similar to Origami Compliance, an API solution that integrates with claims management platforms and is supported by a team of specialists who continuously monitor changes to workers’ compensation regulation and rates to future proof your organization’s workers’ compensation submissions. Having an organization dedicated to ferreting out these changes frees up your own resources to work on higher value activities.
Prediction: The Internet of Things (IoT) will bring with it substantial data security risks
Herold points out that “IoT devices, which generally lack security, often attach to Wi-Fi access points throughout healthcare facilities, creating pathways to internal networks and sensitive data. They also can become repositories for malware and potential homes for bots used to launch a coordinated botnet attack.”
This new vector for attack will only widen as more organizations look for ways to capitalize on the type of valuable, real-time data these devices offer. “As the IoT ecosystem expands,” Herold says, “so does the attack surface for cybercriminals to exploit. In other words, the more we rely on connected technology in our day-to-day lives, the more vulnerable we are to the cyberthreats that are increasingly tailored to exploit vulnerabilities and design flaws in IoT devices.”
Takeaway: New IoT threats require new risk strategies
While the potential for IoT, Artificial Intelligence (AI), and wearables to transform the ways in which organizations and insurers look at various risks is quite dramatic, it may require a new management approach as well. In the article Flashpoint IoT: How to Overcome the Risk of Having More Data and Opportunity, Shelly Dutton recommends a triage approach. “Assess the risk of an attack and its impact on the IoT ecosystem to determine how tight security should be. For example, a system that monitors, regulates, and automates machines on a plant floor requires stricter protocols than a sensor that turns lights on and off a conference room,” she notes.
The assessment step needs to be applied to your vendors as well. Identifying whether the vendors supplying this technology are themselves current with all data security standards and regulations is the first step to mitigating some of this risk. Ensuring an ongoing state of compliance, instead of a one-time check, requires effective vendor management technology, and a strategy that is more continuous than cyclical.
Prediction: Data threats from legacy systems will become more acute risks
The cat-and-mouse battle between technology providers and cybercriminals is a never-ending cycle. Attackers find new vulnerabilities to exploit while developers add layers of security and fortify systems. One area where this process may break down, however, is with legacy systems that no longer receive the same resources and attention they once garnered. Herold warns that these lower priority systems “often left unpatched and vulnerable, increasingly will be the targets of hacker attacks. Longstanding systems vulnerabilities will be exploited.”
Given the dramatic changes in the RMIS market, more systems are being relegated to legacy status. This means that data security resources and priorities may naturally move away from older and inherited systems to the flagship solution. Companies that still rely on these systems expose themselves to potential vulnerabilities not only within the legacy system itself, but also within every other system it touches.
Takeaway: Take control of your migration
As discussed in Nothing Something will change when your RMIS provider is acquired, “It’s easy to feel as if your hands are tied as you seek answers to questions about what a new, combined company means for you and the users of your current RMIS. Asking questions and voicing any concerns regarding the answers you receive is the surest way to proceed prior to extending your contract.”
The schedule for patching, security updates, and vulnerability assessments must be as robust as current solutions or these systems will present attractive targets for hackers looking for the easiest penetration vectors. Have that conversation with your vendor, and get a solid understanding of what the resource allocation is for that system. Generally, the longer your organization stays on legacy technology, the harder it becomes to hold off evolutions in cyberattack capabilities. In this case, the status quo could be very risky.
Herold’s predictions for 2019 include some ominous concerns. With a flexible technology infrastructure, however, you’ll be far better prepared for whatever adjustments regulatory changes and IoT may require. And by taking control of your migration path, you can identify the risks posed by legacy systems and choose a smarter process.
Get in touch with our experts today so we can help assess how well positioned your RMIS is for these threats.