Reaching Cybersecurity Maturity in the Healthcare Industry
Cyber threats are here to stay -- and they continue to be one of the topics keeping senior management up at night. With breaches and ransomware attacks still occurring at high rates, the healthcare industry continues to be significantly impacted.
For the 11th year in a row, The Ponemon Institute 2021 Cost of a Data Breach Study commissioned by IBM Security listed the healthcare industry with the highest total cost per breach and the largest increase (29.5 percent from 2020 to 2021) of the 18 industries covered. Approximately 70 percent of records compromised included personally identifiable information (PII).
A company's most important asset is its reputation. That said, management must determine its risk tolerance - the level of risk the organization is willing to accept. Once risk tolerance is decided, there are several ways to mitigate risk.
There are three key approaches an organization can implement to limit risk:
- Manage risk within the organization,
- Transfer risk outside the organization, and
- Avoid risk as an integral part of decision making.
Common Types of Healthcare Breaches
As with many other industries, there are several common types of data breaches occurring within the healthcare industry. Those include:
- Social Engineering - coming in both logical and physical forms. A logical social engineering attack could be a phishing email that includes a link to ransomware, a business email compromise in which a third party has taken over an executive's system, or a credential logger that captures passwords and other key user data. In a physical social engineering attack, individuals compromise security in person and gain access to equipment or to data in hardcopy or on other media;
- Third-party Software Vulnerabilities - which are often caused by flaws in the software's code and require the organization or its network support provider to install software updates promptly to resolve the vulnerability;
- Accidental or Intentional Compromise or Loss of Data - which could be caused by a lost device, a malicious insider, system errors, or even system misconfigurations.
Ransomware attacks continue to be on the top of the list for healthcare and most other industries as well.
Why is Healthcare Data So Vulnerable?
Medical records are a hacker's dream! Each record is worth at least 10 times the value of a stolen credit card. This is because a medical record contains so much more personally identifiable information. In one record, a hacker can obtain credit card data, Social Security numbers, email addresses, demographic information, employment information, insurance information, and medical history. Any of this information can be used for social engineering or other breach tactics such as obtaining credit cards, setting up bank accounts, etc. Many types of fraud can easily be committed with just a few pieces of information from a single record. And hackers often obtain many thousands of records at one time. They can hold companies and individuals for ransom, sell the data on the black market, or steal identities.
Managing Cyber Risk Within the Organization - A Dynamic Process
Healthcare entities have a responsibility to comply with the privacy and security laws outlined in the Health Insurance Portability and Accountability Act (HIPAA). Risk assessment is the first step to ensure compliance. Once the assessment is complete and the organization has identified key controls and filled any gaps in those controls, risk management should become a continuous, dynamic process. The same basic tenets of a HIPAA risk assessment can be applied to performing a cybersecurity risk assessment.
Risk is generally assessed by identifying threats and vulnerabilities, then determining the likelihood of occurrence as well as the potential impact of an occurrence in a specific organization. Identifying and implementing controls necessary to mitigate those risks and reduce the likelihood of occurrence and impact is critical. For this process to be successful, it requires leadership within the organization as well as input and commitment throughout the organization to ensure all business components and information assets are identified, and that is an ever-changing inventory.
In order to assess cyber risk, as well as determine its impact and potential cost to manage the risk, the suggested steps of the process should include, but may not be limited to:
- Identify and Classify Information Assets
It is important to identify and classify the sensitive, critical information assets that need to be managed. Information assets include various categories of data (both automated and non-automated), including, but not limited to, data contained in records, files, and databases. Healthcare entities are responsible for protecting the privacy, confidentiality, integrity, and availability of their patients' protected health information (PHI) and personally identifiable information (PII) as well as other information assets.
Generally speaking, information assets are critical systems, third-party interfaces (such as those used for payer processing), automated tools and source code, proprietary systems, and confidential records. Classification is a designation given to the information asset based on sensitivity and criticality to the organization.
- Identify Threats
A threat can be a person, organization, or even an act of nature that could compromise information security or privacy of PHI or PII. Threats can be malicious, intentional, unintentional, natural disasters, hardware failures, or viruses, among other things. The nature of threats, their capabilities, and resources must be considered to determine the likelihood of their occurrence. For this purpose, assess risk and threats in terms of the probability of an attack or breach. Threat intelligence, such as that provided by The Ponemon Study, plays a key role in developing and maintaining a cybersecurity risk management program.
- Identify Vulnerabilities
Vulnerabilities could be weaknesses in a network, a particular system, lack of segregation of duties within an application, inadequate physical security, etc. Weaknesses can potentially be exploited to gain access and impact system and/or data privacy and integrity. Vulnerabilities should be assessed based on the type of weakness and the information asset(s) that would be impacted.
- Analyze Risk (Likelihood and Impact)
There are inherent risks in any process. Information security and data privacy carry more inherent risk and, therefore, require more controls. The information that healthcare organizations manage is highly sought after by threat actors, hackers, and even unethical employees. There is also the potential for unintentional and accidental breaches of information. Analyzing the risk to information assets based on their impact or criticality to the organization is key.
Risk for a given asset can generally be determined using the following equation:
Risk = Likelihood of a threat occurring against the asset x Value of the asset
Based on this equation, the higher the likelihood of occurrence and the higher the value of the asset to the organization, the higher the risk level - and the cost of a successful breach.
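As an added illustration (not part of the article), the risk equation applied to a small constructed asset inventory in Python. It also goes one step beyond the equation as stated by computing residual risk once a control lowers a threat's likelihood, which is what the assessment process above calls for. The 1-5 scales, asset names, threats and control reductions are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed ordinal scales (not from the article):
#   likelihood 1-5 (rare .. almost certain), value 1-5 (low .. critical PHI)


@dataclass
class Asset:
    name: str
    value: int                      # classification: sensitivity/criticality, 1-5
    threats: dict                   # threat name -> inherent likelihood, 1-5
    controls: dict = field(default_factory=dict)  # threat name -> likelihood reduction


def inherent_risk(asset):
    """Risk = likelihood x value, before any controls are considered."""
    return {t: lik * asset.value for t, lik in asset.threats.items()}


def residual_risk(asset):
    """Same equation after each control lowers the threat's likelihood (floor of 1)."""
    out = {}
    for t, lik in asset.threats.items():
        reduced = max(1, lik - asset.controls.get(t, 0))
        out[t] = reduced * asset.value
    return out


def rank(assets, residual=False):
    """Flatten every (asset, threat) pair into a register sorted by risk, highest first."""
    rows = []
    for a in assets:
        scores = residual_risk(a) if residual else inherent_risk(a)
        rows.extend((a.name, t, r) for t, r in scores.items())
    return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


# Constructed sample inventory: an EHR database with tested, offline backups that cut
# the likelihood of a successful ransomware attack, a payer interface, and a public site.
INVENTORY = [
    Asset("EHR database (PHI)", 5,
          {"phishing-delivered ransomware": 4, "lost backup media": 2},
          controls={"phishing-delivered ransomware": 2}),
    Asset("Payer clearinghouse interface", 4, {"unpatched third-party software": 3}),
    Asset("Marketing web site", 1, {"unpatched third-party software": 4}),
]

if __name__ == "__main__":
    for label, residual in (("Inherent", False), ("Residual", True)):
        print(f"{label} risk register:")
        for name, threat, score in rank(INVENTORY, residual):
            print(f"  {score:>3}  {name}: {threat}")
```

Note how the top priority shifts from the EHR ransomware scenario (inherent 20) to the payer interface (12) once the backup control is credited, which is the kind of re-ranking a continuous assessment is meant to surface.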
Integrating a Dynamic Cybersecurity Program
Cybersecurity touches almost all aspects of the organization. Once the organization has prepared the cybersecurity risk assessment, it must implement a cybersecurity program in which the risk assessment process is continually performed and the program is further refined. Cyber risk management requires organizations to address the threats identified in the risk assessment as well as new threats identified or caused by ongoing changes in hardware, software, third parties, etc. Redefining the controls, tools, and other mitigating factors affecting the processes and programs within the organization should become second nature. Other critical areas a cybersecurity program ties to and may require periodic changes include the organization's:
- Privacy Policy and Program,
- Information Security Program,
- Business Continuity and Disaster Recovery Plans,
- Incident Response and Crisis Management Plans, and
- Third-party Vendor Management Program.
A cybersecurity program should be woven throughout these and other key areas of the organization. Specifically, it is important to ensure that the following are addressed:
- Protecting Patient Data
- A documented data protection program that includes logging and monitoring of probable attacks, quarantining affected systems, encrypting data in transit and at rest, and managing third parties who impact the organization's systems and data.
- Backups and Recovery
- Minimize loss and downtime by setting recovery time objectives (RTOs) for backups and testing backups for fast and efficient recovery. In addition, test cybersecurity incident response scenarios as part of regular business continuity and disaster recovery testing. Backups are key to recovering from ransomware attacks.
- Upgrades and Patches
- A consistent process to keep systems current with upgrades and patches in a timely manner.
- Anti-virus and Malware Detection
- Ensure the most current anti-virus and malware detection software is installed on both servers and employee workstations.
- Threat Intelligence
- Gather and manage threat intelligence, identifying specific threats your organization is facing.
- Detection and Incident Response
- How your organization identifies and responds to breach attempts, ransomware, social engineering tactics, and other threats (e.g., documenting the various threats and potential responses, who will be involved, what steps will be taken and in what order, etc.).
- Continuous Monitoring
- Identifying and alerting key personnel when a possible attack or breach is indicated and providing a means for monitoring logs and reports in a timely, consistent manner.
- Periodic Network Assessments and Social Engineering
- Independent third-party network vulnerability assessment, social engineering, and internal and external network penetration tests. These can also be done on your behalf if you use a network support provider. (Note that scanning is helpful, but a full penetration test should be performed at least every 12 months.)
- Training and Education
- Annual employee security training is a requirement of HIPAA, but training should be customized with scenarios that address the specific threats your organization faces. Training employees on their responsibilities for the privacy, security, and confidentiality of data, on how the organization will hold them accountable, and on potential HIPAA fines, and then having each employee sign an annual acknowledgement for their personnel file, will improve overall awareness and involvement of employees in the process.
By no means is this an exhaustive list, but it is a set of crucial items to be considered and documented. In addition, identifying and communicating with all the players and documenting their responsibilities is key.
Transfer Risk - Cyber Liability and Insurance
Traditionally, we think of insurance as a means to transfer risk to a third party. Cybersecurity risk is somewhat different: we must portion and partition off pieces of risk. Cyber insurance is one element of transferring risk. Other elements may include using third-party vendors (as long as the organization performs adequate due diligence in selecting vendors, clearly outlines the vendor's expectations and responsibilities, and has a consistent and thorough vendor management program) and obtaining other insurance policies covering physical structures, equipment, and so on.
As for cyber liability insurance coverage, there are approximately 50 major insurance providers that offer some level of liability policy. But these policies vary widely from provider to provider. Policies usually need to be custom designed, and companies are often unsure what their policy should cover. There will often still be coverage gaps, so coordination of coverage is important. In some cases where the cyber liability policy does not cover an area, professional liability insurance, which should include directors and officers (D&O) and errors and omissions (E&O) coverage, may address the risk. Finally, a fidelity bond, which protects the company against acts of individual employees, whether intentional or negligent, may cover certain aspects of a cyber incident.
Four main types of cyber liability coverage include:
- Data breach and privacy management coverage,
- Multimedia liability coverage,
- Extortion liability coverage, and
- Network security liability.
Regardless of type, the better your organization has implemented risk management processes and procedures, the lower the premiums should be. Insurance companies will need to see these processes and procedures in action, including the identified mitigation plans and third-party vendor management documentation.
Policies will include clauses that limit or waive coverage if certain controls and procedures are not in place and limit liability for breaches or losses caused by third parties. There will also be a large deductible. Consider the Target breach from several years ago. Although Target had approximately $100 million in cyber liability coverage with a $10 million deductible, the estimated cost of the breach was $1 billion. Several of the largest healthcare breaches have been estimated at a cost well over half a billion dollars. In 2021, the average cost of a healthcare breach was $9.23 million, per The Ponemon Study.
Integrating Risk Avoidance into Your Day-to-Day Decision Making
Some of us are natural risk takers; others avoid risk at all costs. Avoiding risk in business is important, but there must be balance. The discernment required for risk management is developed over time, which is why most organizations limit critical decision making to experienced management personnel. Even then, the most critical and potentially costly decisions are made by multiple parties. Regardless of how decision making is handled in your organization, risk management should become an integral part of making business decisions.
In the cyber world we live in, continuous vigilance, monitoring, and training are critical. Leading by example at the senior management level and sharing how employees can help the organization avoid and limit risk will ingrain these concepts (for instance, they could be the basis of a reward system or part of organizational bonus criteria). Finally, employee training, education, and knowledge sharing, especially regarding patient data and information assets, are a must. Getting employee buy-in and involvement, and encouraging employees to identify risks, will make them an extension of your risk avoidance model.
In the end, we cannot completely manage risk out of the business or the business will be stifled. But developing a continuous cybersecurity risk assessment process and cybersecurity program that includes a risk avoidance model which is maturing each year will significantly help manage and mitigate the risk of cyber-related incidents.
For more results of The Ponemon Institute 2021 Cost of a Data Breach Study, go to ponemon.org.
Gina Pruitt, CPA, CITP, CGMA, CRISC, CHFP, CCSFP, CISA, is the member-in-charge of the risk assurance & advisory service at KraftCPAs and a member of the firm's healthcare industry team. Contact her at (615) 782-4207 or gpruitt@kraftcpas.com. To learn more, visit kraftcpas.com.