We tend not to notice, or are unwilling to notice, threats that rise gradually, which results in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high-profile breaches and thousands more that don't make front-page news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter, but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable, happens. This fails to move the needle for the practice next door. In that practice, another frog is starting to boil.
Although 2017 had more than its fair share of breaches, it would nonetheless be somewhat hyperbolic to declare 2017 "the year of the breach." We suspect that 2018 may well indeed live up to the hype, for the reasons discussed in this article.

2017: The Year that Was
This article by Protenus, Inc., entitled "2017 on Track to Exceed 2016 Trend of One Health Data Breach Per Day," fairly summarizes what the first half of 2017 looked like for those tracking the breach epidemic. We could have piled on with "the numbers" of what happened in the second half of 2017, but this article is not really about the numbers; it is about the trends.
We believe that the anecdotal evidence predicting an explosion of breaches in 2018 (especially in the healthcare industry) is compelling. However, it is most compelling because of macroeconomic "signals" that something ominous is likely to happen in the global economy in 2018, despite "dancing in the streets" by Wall Street as the stock market hit high after high in 2017.
We are not economists or Wall Street analysts, so you would do well to treat our predictions as somewhat suspect. In fact, that is how we ourselves treat them. However, Nassim Taleb in The Black Swan (and others; think The Undoing Project) eviscerated any misplaced confidence that we (the "royal we") have in econometric models as well.
Therefore, we remain confident that our anecdotal predictions are as good as most and better than many. We trust our "gut instincts," built on many years of watching this space and on being lay observers of political economy, to make these predictions.

The Enemy is Out There and In Here as Well
Despite all the money printing and coordination of central banks worldwide, the global economy (other than China) appears to be growing at an anemic 2% (we are being generous). We also have our doubts that the Chinese story is what it purports to be; witness all the stories of late of how overleveraged the Chinese economy appears to be.
However, one thing is absolutely clear in the western world: middle-class income has flatlined over the last thirty years and shows no signs of recovering anytime soon. Most of the wealth generated over this time period has gone to the upper 1%. These are the facts. Make of them what you will. We are not making a political argument here, but rather only laying the factual predicate as to why 2018 will be a blowout year for data breaches in general, and for healthcare data breaches in particular.
It is widely known that the U.S. economy is 70% dependent on consumer spending. If U.S. consumers start to lose confidence, then "look out below": we are likely to see a global recession or worse. That likely means a deflationary feedback loop of prices falling, more layoffs, even less demand, and so forth. OK, so what does all of this have to do with data breaches? Well, perhaps everything and nothing. However, it is not hard to imagine that many highly educated, but unemployed, professionals worldwide may engage in nefarious activities they would otherwise not imagine doing, but are nonetheless willing to participate in to feed their families.
This is the kind of "white-collar crime" that, more often than not, goes undetected and, as we all have come to understand, is highly lucrative. Anecdotally, I do not recall reading stories of the FBI collaborating with Interpol (or other such agencies) to shut down either U.S.-based or international rings of hackers going after data. Sure, we have all heard how the FBI shut down "The Silk Road" site (i.e. the Dark Web's most infamous site), but other than these high-profile cases, the lack of headlines in this space is deafening. The Silk Road was involved in illegal conduct far more pernicious than data breaches (e.g. sex, drugs, and rock 'n' roll, to put it euphemistically).

The Healthcare Industry Still Asleep at the Wheel
Anyone who fishes in the healthcare industry's privacy and security ("P&S") pond for business can tell more than their share of war stories regarding how unreceptive and unresponsive the industry has been to the clarion call of improving its privacy and security posture. The unreceptive and unresponsive masses of Covered Entities and Business Associates apparently have become jaded to the daily breaches and the massive fines imposed by OCR. Further, the threat of class action lawsuits and loss of reputation is also not enough to move them. These masses still view P&S as some necessary evil that must be dealt with in whatever minimalist manner they can get away with.

Changing the Healthcare Industry's Compliance DNA
Unfortunately, as long as the industry continues to view P&S as some necessary evil "bolt-on" activity, instead of something required in its day-to-day operations in order to enhance the patient experience and improve its value proposition, we are unlikely to see significant progress. That's the bad news. The good news is that 2017 did appear to be a watershed year in the sense that the industry seemed to be slowly awakening from its P&S slumber and noticing that we all now live in the 24/7/365, always-online universe that has come to define the 21st century.

Conclusion
For us, the glass is definitely "half full." The healthcare industry's current P&S posture is unsustainable, and only time will tell if 2018 is the year that real change happens. It would obviously be much better for all concerned if this change were not predicated upon a worldwide recession and a significant increase in white-collar crime. However, as Winston Churchill allegedly stated: "America always finds a way to do the right thing, after exhausting every other possibility." Our firm belief is that, like every other industry on the planet, the American healthcare industry is not impervious to change, no matter how resistant it has been heretofore. Events outside of its control are likely to force change upon it!