2014 – The Year in Review
As we begin this new year, we decided to take a look back at 2014 from a security perspective, see what we can learn from it, and what the new year might hold. In doing so, five things really stood out:
- The year of the megabreach
- The broadening reach of HIPAA
- Government monitoring
- Growth of Direct Secure Messaging
- Customer interactions
The Year of the Megabreach
2014 was the year of the megabreach, with prominent commercial, retail and healthcare organizations in the crosshairs. Some of the more notable breaches involved:
- Sony – Cyberattack resulting in disclosure of sensitive employee and business data, $100 million+ in expenses to the company, and significant loss of revenue and brand value
- Home Depot – Malicious software breached credit card information of 56 million customers resulting in $2-3 billion in total fraud and $43 million in company expenses in just the 3rd quarter
- JP Morgan Chase – Cyberattack breached account information for 76 million consumer and 7 million business customers, with the company pledging to spend $250 million and hire an additional 1,000 employees to secure its systems
- Community Health System – Cyberattack breached medical and personal information of 4.5 million patients
- Montana Department of Public Health and Human Services – Cyberattack breached details of 1.3 million patients
The Broadening Reach of HIPAA
HIPAA has provided a framework for protecting sensitive healthcare information since 1996. But only recently, through additional legislation, enforcement of violations and an increase in penalties, has it really hit its stride. As a result, the long chain of organizations that handle protected health information (PHI), such as a hospital's or doctor's contractors, the subcontractors of those contractors, and so on, must now have Business Associate Agreements (BAAs) between them. These agreements define and limit the liability of each party should a breach occur. As a result, vendors that never before considered themselves part of the healthcare industry, such as Waste Management, are required to sign BAAs with their hospital customers.
Healthcare has raised the bar for linking security, risk and liability to a community of business partners. This “long tail of compliance” is rapidly being emulated in other industries such as banking and insurance. Subcontractors and suppliers are being forced by their business partners to adopt and certify to certain security practices in order to continue doing business together.
Government Monitoring
While Edward Snowden exposed the vast reach of the US government's surveillance programs almost two years ago, a number of other governments were engaged in similar activities. 2014 saw a range of European and Asian governments linked to incidents of active spying. In addition, several malicious applications, known broadly as malware, had their origins traced back to foreign governments. Some of these incidents were directed toward other governments, a modern version of spy vs. spy, while others targeted large corporations, either for financial gain or to stop unwanted actions.
Growth of Direct Secure Messaging
For decades, medical records were recorded on paper and stored in filing cabinets. Among other things, this resulted in duplication of patient tests, clerical errors and higher costs. The past few years have seen widespread adoption of EHR (electronic health record) systems that replace these manual methods with electronic medical records. Now that this data is digitized, 2014 saw a significant uptick in the exchange of these records between hospitals, doctors and the broader care community. Direct Messaging is at the core of this transformation, providing simple, secure exchange of medical information between identity-vetted care providers in a way that is very similar to sending an email message. Adoption of Direct Messaging is spreading throughout the healthcare world, with the dental and insurance sectors, as well as behavioral health, long-term care and others, getting on board. The result is more efficient, secure and cost-effective care, and better patient outcomes.
Customer Interactions
Successful organizations continue to look for ways to streamline their operations and provide better services to their customers. So instead of having a customer navigate among different web portals to get different types of data, 2014 saw several major organizations kick off initiatives centered around system consolidation and integration. In these scenarios, the goal was to eliminate standalone systems for encrypted email, secure file transfer and statement delivery, and instead integrate these capabilities into the organization's existing customer and member portals. As a result, employees can exchange a variety of data securely with customers right from their desktop email client, and customers have a simple, unified method to securely do business and collaborate with the organization.
Each of these topics highlights the critical role that information security will have in 2015. Organizations will continue to invest heavily in the security defenses of their systems, and implement systems that secure data exchanges with their customers, partners and vendors. Replacing and modernizing legacy systems will present opportunities to streamline antiquated business processes, and to gain the efficiencies, customer loyalty and brand enrichment that modern, secure systems can provide. Most importantly, 2015 will be the year where security is not just a perimeter to keep intruders out, but an integral, integrated part of how you do business.