Security Risk

May 01, 2015 at 06:15 pm by Staff


You are a security risk.

It might sound harsh, yet the sentiment is true for almost every practice, hospital, insurer, healthcare company, or business associate in the world. Size doesn’t really matter … small is often easier to attack and large offers a bigger payday. Sophisticated systems help, but you are only as secure as your weakest link.

In fact, most security and risk experts echo the same sentiment when it comes to data breaches – it’s not a matter of ‘if’ but ‘when.’ Adding fuel to the fire, a number of experts have dubbed 2015 the “Year of the Healthcare Hack.” On that happy note, what can be done to minimize risk and damage?


Be Aware & Prepared

There are no simple solutions, but there are certainly safeguards and best practices that can be adopted.

Mark Fulford, CISA, CISSP, ABCP, a partner in LBMC Security & Risk Services, said there are many resources and tools available from the Office of the National Coordinator (ONC), Office of Civil Rights (OCR), HealthIT.gov, Healthcare Information & Management Systems Society (HIMSS) and others. In addition, private consulting companies and many technology vendors are also available to help assess and address risks.

One of the first steps, Fulford said, “is just knowing where all your protected health information (PHI) is. It sounds easy, but it’s not. It could be on your smart phone text messages, emails, voice mails, in files sent to your business partners. If you don’t know where it is, you can’t protect it.”

Fulford continued, “Next, you need to understand what the threats are to the confidentiality or availability or integrity of those assets.” Those threats range from a data breach, to a virus corrupting information, to data loss because of poor backup systems.

“Once you understand the threats to your data, then you can begin to evaluate to determine if the safeguards in place are adequate,” Fulford said. Finally, he noted, weaknesses must be addressed. “Threats paired with vulnerabilities helps us get to risk,” he explained.

Fulford said vulnerability management has to be approached with almost a religious fervor. “It’s got to be a top priority,” he stressed. Fulford added it is mission critical to routinely scan systems looking for known threats and then working aggressively to find the fixes.

Even very large companies with big IT departments can have critical risks … just ask Anthem. For large companies, Fulford noted, “Just the sheer volume of systems makes it hard to scan and patch quickly to close vulnerabilities.”

He pointed out, “It’s an overused cliché – but it is overused and a cliché because it’s true – that security is not a project, it’s a process … and you’re never really done with a process.”


Limit Data Sets

A certain amount of risk is inherent if data is to be useful. “There’s a trade-off there,” said Amy Leopard, a partner at Bradley Arant Boult Cummings and a member of the firm’s Health Care Practice Group. “You can lock data down tight as a drum, but you need to share that data for quality. There is sometimes tension between the ease of use and availability and the need for security.”

She continued, “Everybody is using big data for analytics and population health.” But does everyone need all the data all the time? “To manage the risk of using and sharing health data, you first need to manage the scope and the volume of the data you are using,” she said.

Leopard added there is a tendency to overshare. If an analysis is being conducted on how many people are referred to a specific HIV clinic by a specific physician or practice, is it actually necessary to have those patients’ names, contact information and Social Security numbers … or do you just need an aggregate number of referrals? “De-identify data when you can,” Leopard said.


The Weakest Link

“As a business associate under HITECH, you become part of the regulated community as soon as you start handling my PHI,” Leopard said. “If you are going to handle my data, I’m going to ask a lot of questions. I’m going to do a lot more due diligence on your company.”

That caution is well warranted. “You can’t outsource accountability,” Fulford noted of business associates. “If at the end of the day, it is their breach, it’s still your problem.”

While outside the healthcare realm, Leopard said the same concept applied to the Target breach in late 2013. “There was a little, independent contractor, and it was through that little contractor that cyber thieves got into the credit card information of millions of Americans,” she noted.

Very few people know the name of that subcontractor, but everyone knows Target had a major breach. It was Target that had to pay for credit monitoring, Target that got sued, Target’s CEO who resigned, and Target whose reputation and sales suffered.

Fulford added the weak link might be found even closer to home. “As users of the technology, we’re often the weakest link. It’s very important that we educate all members of the workforce on how to spot attempts at unauthorized access to PHI.”

Similarly, he said really good technology exists to monitor traffic and look for anomalies. However, if no one is actively monitoring the system, threats might be detected but still not caught.


Breach Notification

“The reality is you’re going to be breached. It’s just a matter of when so you have to be prepared,” Leopard stated. “HIPAA requires there be an incident response policy to detail what to do when a breach is discerned and how to determine if notification is required and then remediation.”

Following a breach of unsecured PHI, covered entities must provide notification to affected individuals, the OCR, and in some cases, the media. “You’re going to have a lot of scrutiny from multiple stakeholders – your patients, government enforcers, the media, and other concerned parties,” Leopard said. “When there is a reportable incident, the most immediate issue is going to be to get out in front of it,” she continued. “It feels random that it’s your turn at bat, but how you get through that process is going to be determined in large part by how thoughtful you have been in preparing for the eventuality of a breach.”

When more than 500 individuals in a state are impacted by a data breach, you not only have to inform those individuals, but the size also triggers a requirement to alert the media. Even with smaller breaches, the media might have to be notified if the covered entity has insufficient or out-of-date contact information for 10 or more affected individuals per OCR requirements.

When assessing the cost of a breach, Leopard said the first thoughts are often tied to the immediate, tangible cash outlay attached to notification. However, for those who have gone through the process, she noted, “It’s the reputational harm that occurs among your customers that is often cited as one of the primary costs.”


Get Covered

Parker Rains, a vice president in the Nashville office of Fisher Brown Bottrell Insurance, said it’s time to consider cyber insurance.

“Everyone in healthcare is at high risk of breach because of the kind of information they have,” he noted. “Your first reaction is, ‘Oh my gosh, we’ve been breached.’ Your second thought is, ‘How are we going to pay for this?’ That’s the crux of insurance … to protect against catastrophic claims.”

And, he continued, the cost truly could be catastrophic. Rains said covered entities should look for a policy that will help offset the long list of out-of-pocket expenses that come with a reportable event. “The insurance would cover the cost of notification. It would also pay for crisis management. It would also cover regulatory proceedings, legal fees, fines and penalties. And then, the big thing, credit monitoring expense for those affected and lawsuits,” he listed.

Rains added there could also be additional expenses a practice or business might not even think about at first. One example, he said, would be enlisting the help of a third party call center simply to handle the volume of calls if a large number of individuals had identifying data compromised.

Although cyber or data insurance is relatively new, Rains said brokers should already be talking to clients about coverage options, which are continuing to evolve to keep up with regulatory requirements and emerging technology. He added that good data breach policies should include not only electronic breaches but also physical breaches, such as a stolen file folder or laptop, and verbal breaches, where information is inadvertently given out in a phishing scheme. Rains noted there has been a tremendous spike in both interest and availability over the past five years for this type of protection.

“I wouldn’t go another renewal period … and maybe not even another day … without talking to my insurance broker about a cyber option,” Rains said. After all, he concluded, it doesn’t cost anything to get a quote to see what options exist for financial protection.




Common Sense Steps to Greater Security

  • Move to multi-factor authentication. While the current standard is a username and password, it’s becoming more common to require an additional step such as a PIN or a biometric identifier.

  • A range of open source technologies is available at low or no cost to encrypt data and add another level of protection.

  • Use and regularly update anti-virus and anti-spyware software on all computers and automate patch deployments across the organization.

  • Don’t forget to change administrative passwords on peripheral equipment like wireless printers or security cameras.

  • Plug into a good cyber security threat briefing. There are a number of options for monthly briefings including one by the American Hospital Association and HITRUST, which has partnered with the U.S. Department of Health and Human Services.


RELATED LINKS:

LBMC Security & Risk Services: www.lbmcsecurityservices.com

Bradley Arant Boult Cummings: www.babc.com

Fisher Brown Bottrell Insurance: www.fbbins.com

HealthIT.Gov: www.healthit.gov