The ability to protect and secure digital information is under constant threat. Attackers of all sorts force their way into systems, trick individuals into providing access, and otherwise access data that is not their own. In a state of continual threats, the issue of cybersecurity is typically at the forefront for many. Questions about cybersecurity include: can data actually be secure?; will defense measures every be better than the offensive measure?; and is it necessary to accept that all data will be hacked or inappropriately accessed at some point in time?
Given the uncertainty and focus, an analysis from the Center for Long-Term Cybersecurity at the University of California, Berkeley is particularly interesting. The analysis, Cybersecurity Futures 2020, contemplates five different scenarios for what cybersecurity and really data will look like in the near future. Each scenario offers a glimpse into a possible future. The scenarios are all quite plausible and to some degree even represent current realities.
The scenarios, in brief summary, are:
The New Normal – In this scenario, it is accepted that data cannot be kept private and that personal information will be both stolen and broadcast. In response, individuals or institutions may respond by (i) shutting off connections to the internet, (ii) proactively making information public before it can be inappropriately accessed, or (iii) fight back with any tool that may become available.
Omega – This scenario is named after the “omega” or last algorithm concept. The omega algorithm would be the last step before control is turned over to technology. With the omega algorithm in place, individualized predictive analytics would create new strata of security risks. Additionally, issues would become focused on individuals as opposed to infrastructure, which in turn could cause irreparable damage in a number of ways.
Bubble 2.0 – In this scenario, a second bubble bursts when it comes to web-based companies. Decades after the dot-com bubble of the 1990s, the new web companies suffer a similar fate. However, the primary asset of each of these companies is a tremendous trove of personal data. The data do not disappear with the companies. Instead, the data will be sold. With data sets the main target of cybercriminals and increasing numbers of data scientists unemployed, cybersecurity and market security become entangled.
Intentional Internet of Things – In this scenario, the internet of things becomes seamlessly integrated into everyday life. In fact, certain core functions are turned over to technology. Such functions could include healthcare to a degree, environmental functions and other social of economic functions. As such, attackers may subtly infiltrate systems to manipulate the vast array of connected devices or have the opportunity to cause widespread harm. Cybersecurity becomes just security and must be a part of everyday life.
Sensorium (Internet of Emotion) – In this scenario, devices move beyond physical functions and into an individual’s emotional state. Devices will track fundamental emotional aspects of an individual’s psychology. In turn, an individual’s mental or emotional state can be manipulated for any number of purposes. Cybersecurity evolves from data protection to managing and protecting an emotional public image.
The goal of the scenarios is not to identify what is occurring today, but developing concepts of how the future may actually unfold. Once the potential futures are detailed, then it is possible to study those futures and engage in strategic planning or set forth research priorities. Starting from such a framework, it is easy to see why each scenario reflects some current realities. In fact, the currently existing world is likely a reflection of some components from each of the scenarios.
With these possible futures laid out, what does it mean for cybersecurity today? It means that cybersecurity should be considered as more than just a quick challenge or one that will remain the same. Changes in what cybersecurity means can already be seen on a daily basis. Threats are constantly evolving, changing or springing up completely new. What is known a week or month before has become obsolete to some degree not very far down the road.
A few overarching issues can also be teased out from the current state of cybersecurity and where the future may go. The human element will be both a primary concern and benefit. Individuals are currently the cause of many data breaches. Those causes include falling victim to a phishing attack, purposefully accessing data for malicious purposes or an unintentional action that exposes information, among other issues. At the same time, individuals are actively trying to increase security measures and make it more difficult for a data security incident to occur. The opposing forces of human intervention will also be at the center of cybersecurity because so much of what happens in this world is about what humans are doing.
Another overarching issue is the role of data in the economy and as a resource. Much of the world economy centers around creation, curation, and analysis of data. Product development and sales center on data because data help identify what product should be developed, how it should go to market and where it should be sold. From this perspective, data have become a commodity because it informs so many potential decisions. It may not be possible to fully separate the different functions of data as being a driver of and a good in the economy are so intertwined. The central importance of data to the economy means that it will be a constant target. If individuals and companies cannot secure data, then someone else will exploit the data. Accordingly, there is a fundamental monetary consideration driving the need to ensure security is in place and actually works.
The central role of data in so many aspects of life and the inability to ensure constantly appropriate individual behavior means that there will never be a single solution for ensuring cybersecurity. Risks will always exist because, as the old saying goes, a system is only as strong as its weakest link. Since the weakest link is ever changing, all links can never be fully strengthened. If such a reality can be accepted, it means that vigilance will be maintained. A corollary to the lack of a cybersecurity silver bullet is that the attackers will also always be multiple steps ahead. Such is the nature of attack because those trying to gain access to a system are incentivized to come up with novel approaches. While security and defense can also identify a novel concept, it is just more likely for the other side to have already thought of and blown past an idea.
What impact do all of the predictions and pondering have for healthcare? What is true generally for cybersecurity will likely be equally if not more important for healthcare. The quantity of healthcare data are growing at exponential rates and such data is among the most private and sensitive that can relate to an individual. Additionally, healthcare is already not only under almost constant threat but is likely to fall victim to a successful attack. Any number of negative consequences can be imagined if the situation does not improve. Such negative outcomes could include individuals not trusting the system and withholding information, increasing amounts of fraud funneling money out of the system to illegitimate hands, or manipulation of data to influence or create outcomes. These concerns echo those of the scenarios because, as said before, all are likely. Given the possibilities, healthcare is very much at a crossroads when it comes to security.
The future does not need to look grim. Alongside all of the potential nightmares are an equal, if not greater, number of improved benefits and outcomes. The issue is whether all will take up the challenge and work collaboratively for the good of everyone.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog.