Ms. Vibbert says 2019 and beyond will bring more attention to connected medical devices—part of the internet of things—because they are a significant vulnerability for hospitals and their patients. Hackers can attack connected medical devices or use them as a way into the hospital’s computer system or can use their processing power for a "brute force attack" on other systems, which may affect their functioning, she says. The risk of disruption is growing as more routine items, such as stethoscopes, are connected to the internet.
Ms. Johnson said, "In terms of HIPAA enforcement, hospitals and other organizations don't just have the Office for Civil Rights to worry about. Expect more action from state attorneys general (AGs). Exhibit one: 12 AGs have joined forces for the “first multistate AG lawsuit citing HIPAA," Johnson says. The lawsuit was filed Dec. 4, against electronic medical record vendor Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard LLC, and it alleges they violated HIPAA by failing to adequately protect electronic protected health information (ePHI) belonging to more than 3.9 million people. Led by Indiana AG Curtis Hill, the lawsuit also alleges violations of state consumer protection, data breach and personal information protection laws. "I predict more enforcement actions to be brought by attorneys general," Johnson says.