Along with all its holiday cheer, this time of year always seems to bring a bounty of predictions as to what the industry will experience over the course of our next lap around the sun. Often, that flurry of articles and blog posts seems more motivated by click-bait than thoughtful industry analysis, and predictions are seldom held to account against the test of time.
At CyberMDX, we try to be more serious. Sure, our predictions can be colored by our subjective perspective and can on occasion strike a more cautionary than anticipatory tone; but at their core, they are guided by research, data, a deep understanding of the industry, and extended market observation. With that in mind, we want to buck the trend and make a point of holding our past predictions up to the mirror.
What a Difference a Year Makes
Last year we made 5 specific predictions about healthcare cybersecurity developments that would come to pass in 2019. Now, we will review those predictions and grade them for their accuracy.
There will be more successful cyber-attacks targeting healthcare in 2019 than ever before
This prediction came to fruition in record time — with the first half of 2019 alone seeing 10 million more breached patient records than in all of 2018. In total, over 1,000 separate attacks were carried out against healthcare organizations in 2019. Of those, more than 400 resulted in data breaches that affected more than 40 million people. And those are just the attacks we know about. Surely there are more that never made their way into the realm of public information.
With the industry spending an estimated $4 billion as a result of data breaches, 2019 also turned out to be the most expensive year in healthcare history with regard to cyber attacks.
Depending on how you parse the wording of our original prediction, it can mean two different things: either that in 2019 healthcare would see more attacks than in any year prior, or that 2019's attack footprint would eclipse the cumulative impact of all other years on record.
Amazingly, per Department of Health and Human Services records, this prediction turned out to be essentially true by both measures. While the US healthcare system suffered 2,389 separate cyber breaches between 2009 and 2018, affecting some 27,693,031 individuals, 40,469,814 people fell victim to healthcare breaches in 2019 alone!
In other words, this prediction was spot on, and with the situation only expected to get worse over the next 5 years, it will likely be true again next year.
At least one major medical device manufacturer will make a splash in 2019, spending big dollars to acquire a cybersecurity firm
This one didn't quite come true. In general, it was a relatively quiet year in terms of mergers and acquisitions for medical device manufacturers. That said, some other healthcare technology companies did take the opportunity to shore up their cybersecurity. For example, EMR giant Cerner acquired IT security solution provider AbleVets, and healthcare iPaaS provider Dapasoft merged with iSecurity.
Despite the retrospective inaccuracy of the prediction, its logic still holds up. Perhaps our powers of premonition are simply too sharp and we looked a bit too far into the future. Don't be surprised if this turns out to be true in 2020.
Someone will die from healthcare technology tampering in 2019
We are grateful that this prediction didn't quite come true. Unfortunately, it wasn't too far off the mark either. While we managed to avoid a direct case of deadly hospital hacking, we did see some pretty convincing evidence of how cyberattacks have indirectly exacted a very heavy human cost.
2019 saw one Wyoming and three Alabama hospitals forced to temporarily close as a result of cyber attacks. There were also the "long delays in care" that patients of France's Rouen University Hospital Centre had to contend with. In cases such as these, it can be difficult to assess the direct effect on health outcomes — though it would strain credulity to claim that there's no impact at all.
When researchers put themselves to the task of precisely measuring any adverse effects of cyber attacks on patient safety, they found an operational ripple effect that added, on average, 2.7 minutes to medical response times. In a health emergency like a heart attack, minutes are often the difference between life and death. To wit, the same report noted a 3.6% increase in cardiac event fatalities at hospitals that had recently suffered cyberattacks (compared to those that hadn't). In other words, all other things being equal, for every 30 cardiac event patients admitted, statistically, one would die in a pwned hospital that would have survived elsewhere.
So, while 2019 didn't produce a smoking gun to undeniably affirm our prediction, sadly, it would still appear that we were more right than wrong.
The costs of civil lawsuits will eclipse those of government/regulator imposed penalties for breached healthcare organizations
This is steadily happening across multiple industries. From Equifax’s billion-dollar settlement (that is being rightfully challenged for not providing enough protections to the consumers who were damaged by it) to innumerable smaller lawsuits, data breaches are expensive for businesses. Healthcare organizations are proving no exception.
In 2019, the OCR doled out just over $15 million in fines to healthcare organizations that failed to prevent HIPAA-violating breaches. In civil suits, Premera Blue Cross, Banner Health, and Allscripts alone coughed up $84.7 million.
To be fair, though, those settlements pertained to breaches from years prior. Still, in 2019 new civil suits were brought against Solara Medical, University of Missouri Health Care, American Medical Collection Agency, and Quest Diagnostics, among others. And while we'll likely need to wait until 2020 and beyond to see the results of those class actions, given the extraordinary number of injured parties represented in the litigation, it is assured that the resulting payouts will handily surpass $15 million.
In other words, this is another prediction with which we were spot on.
The average salary for cybersecurity staff in major hospitals will increase by at least 20 percent
We predicted that the national average for hospital cybersecurity professionals would increase at least 20% in 2019. For security engineers, that would mean an increase in median salaries from some $95K to $114K per year. For CISOs, it would mean going from $180k to $216k.
Though there's still not a lot of precise and properly aggregated salary data available from 2019 for these healthcare positions, a review of Glassdoor, the 2020 Cybersecurity Salary Survey, and LinkedIn would seem to affirm that we were pretty on the nose with this prediction.