In November, some of my friends contacted me, saying they thought I did a pretty good job with my 2015 predictions, and wanted to know what I am predicting for 2016. So here are some good possibilities for the year to come, along with a rewind to see how close I hit the 2015 predictions.
1. The HHS (Department of Health and Human Services) and many State Attorneys General will apply HIPAA fines
The Omnibus Rule gave all State Attorneys General the power to enforce HIPAA. Some states were proactive and took legal actions against organizations prior to the Omnibus Rule going into effect. Here are a few of their many enforcement actions to date:
- November 6, 2015: The Connecticut attorney general applied a $90,000 fine and required a corrective action plan on both a hospital system and one of its business associates.
- February 2014: The California attorney general fined a health insurer $150,000.
- January 7, 2013: The Massachusetts attorney general applied a $140,000 fine against a medical billing practice and four pathology groups.
- May 24, 2012: The Massachusetts attorney general applied a $750,000 fine against a hospital and required them to implement a corrective action plan.
- July 31, 2012: The Minnesota attorney general applied a $2.5 million fine against a business associate to many healthcare providers and required them to leave the state.
Based on this trend, my predictions for 2016 are:
- At least five HIPAA sanctions will be applied by State Attorneys General in 2016.
- More sanctions will be applied in 2016 by the Office for Civil Rights (OCR), the HHS agency responsible for HIPAA oversight and enforcement, than were applied in 2015.
2. Efforts to weaken encryption will fail
The current reason given by lawmakers and law enforcement for weakening encryption so they can access data is noble: to prevent terrorist attacks. However, the reasoning behind weakening encryption is hugely flawed. Based upon their many statements, the lawmakers and law enforcement agencies asking for these backdoors do not appear to have a good understanding of technology or of how encryption works. And too many politicians are calling encryption “a problem” even though they have not looked at all the other data and technologies they could be using but, to date, have not.
This year there have been more calls by law enforcement and lawmakers to weaken encryption than I’ve seen at any time in the past 22 years, going back to when the Clipper Chip was being pushed so hard. It ultimately failed because it was simply a very bad idea that significantly weakened the security of data and infringed upon privacy.
The push to weaken encryption by a vocal subset of lawmakers and law enforcement will continue to build during the first half of 2016. Technology experts will coalesce midyear to mount a concerted effort to get lawmakers and politicians to FINALLY better understand encryption technology. Lawmakers will also come to better understand that strong encryption is available from many locations around the world (where terrorists will get it if they cannot use encryption from the U.S.), and that many other data sources are available to investigators without weakening encryption. Those of us in the tech industry trying in every way possible to get lawmakers and law enforcement to understand how encryption technologies work will ultimately be successful in keeping encryption strong, but it will take great effort. This effort must be successful. The alternative would be disastrous: it would lead not only to more breaches because of the weakened encryption, but also to consumers going to overseas organizations to obtain strong encryption, potentially putting many U.S. tech organizations out of business.
3. Explosion of more health data will create significant new privacy risks and breaches
It seems everyone is jumping on the smart gadget bandwagon, and a huge number of those smart devices collect one or more types of health data. Since most of those devices were purchased by the consumers who actually use them, and not at the direction of healthcare providers as a prescription to support treatment, they are generally not bound by HIPAA requirements for security and privacy. So it is pretty much a free-for-all: these devices collect all types of health data, and the vendors do with it whatever they want. Most consumers allow vendors to collect their data because they simply assume the vendor is appropriately securing it; why wouldn’t they, given all the ongoing reported breaches, right? However, people do care about the security of their patient data. So every smart device vendor that collects any type of health data will need to actively and visibly take action to secure its devices and data in order to remain a viable business, not only to meet the expectations of its consumers, but also to avoid being forced to by the new laws and regulations that will come if these gadgets continue to be left unsecured and without privacy protections.
New types of breaches of health data collected by smart gadgets will occur. But because that data is currently not regulated or covered by existing state breach notice laws, those impacted will not find out until long after the fact, and likely after crooks, insurance companies, or others have used it in ways that negatively impact the associated individuals. When the news breaks, consumers will call for the data collected by these devices to be strongly secured and used appropriately.
Reflecting on my past predictions
Now that we’ve finished looking ahead to 2016, let’s do a quick review to see how close I came with my predictions for 2015.
- The Internet of Things (IoT) will get some parental oversight
Last year I predicted that rules of some form would be created to guide those creating IoT devices. I nailed it. Here are two examples out of several initiatives currently underway:
- The FTC released their IoT privacy and security recommendations in January.
- In June the IEEE established the P1912 Privacy and Security Architecture for Consumer Wireless Devices Working Group. Full disclosure: I’m an officer of this group.
I also predicted an IoT privacy breach would occur. It did. In November a huge breach of smart, connected children’s toys exposed the personal data of 12 million individuals, 6.4 million of whom were children. Data included gigabytes worth of headshot photos and chat logs for millions of kids and parents.
- Wearable smart devices in particular will get some privacy requirements
Last year I predicted some specific privacy standards and/or guidelines would be created for smart wearables. I nailed it. The Online Trust Alliance, a group representing some of the largest technology and retail firms in the U.S., proposed security and privacy standards for smart wearable devices.
- (Mis)use of Big Data analytics will result in a privacy breach
Last year I predicted that by the end of 2015 there would be at least one significant privacy revelation that would highlight, with a jolt, the need to build privacy controls into Big Data Analytics (BDA), using yet-to-be-written BDA privacy standards. I nailed it. And it didn’t take until the end of the year; such a hack occurred in July. The hack of the partner-cheating social media site involved obtaining 9.7 gigabytes of big data analytics that could recognize faces, reveal intimate preferences, and so on. The account details and log-ins for 32 million users of the social networking site were also obtained. This data was then posted online to shame those who had used the site.
- Explosion of more health data will create significant new privacy risks and breaches
Last year I predicted a significant breach would occur within a health data vault, app, or other type of organization collecting vast amounts of health information directly from individuals. I nailed it. In December a security researcher discovered that sensitive user health data, including HIV-positive status, of 5,000 individuals had been leaking from two health apps for an unknown period of time. So it is not known how many people obtained all this sensitive health data.
Hey, pretty good…five for five! Time will tell how well I did with my 2016 predictions.
Happy New Year!
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.