What do Boston Children’s Hospital, Community Health Systems, Hollywood Presbyterian Medical Center, and the Los Angeles County Health Department have in common?
Each has been the victim of a recent cyberattack. As providers convert paper files to electronic health records, establish patient portals, store data in the Cloud, and communicate with patients and colleagues via text message and teleconference, opportunities for breach are everywhere. What is the prescription for providers to protect themselves from a virtual attack?
Recognize the Danger
Cyber-attackers target small, independent practice groups, multi-state health systems—and everyone in between. Indeed, the size of the healthcare provider does not always dictate the size of the breach, as larger providers may have more sophisticated protection for their electronic information. Hackers have gained access to providers’ systems through phishing emails, medical devices (such as infusion pumps) which connect to the hospital’s network, and ransomware—a program that “kidnaps” and encrypts all of a provider’s electronic data, prohibiting access until the target pays the hacker a “ransom” to obtain a decryption key. In the recently reported case of Hollywood Presbyterian Medical Center, hospital officials ultimately paid a substantial bitcoin ransom in order to re-gain access to their own data and systems.
An Attractive Target
Hackers target healthcare providers because of the wealth of information available on their networks. In addition to stealing the personal identifiers and financial data of individual patients, hackers mine hospital systems for provider data used to create fraudulent Medicaid/Medicare billing numbers and seek proprietary information about new drugs and devices. This valuable information often is maintained on aging networks which lack sufficient firewalls and up-to-date security patches, making them easier to infiltrate. In many cases, employees inadvertently allow malware to infect the system. Patient portals, free hospital wi-fi, physicians’ tablets and cell phones, and outsourced Cloud-based data storage systems also provide opportunities for hackers to penetrate a provider’s network.
The threat of a breach event is ever present—so what can providers do to minimize the danger? To start, providers must include cyber-security in their risk management programs and conduct regular risk assessments. Give attention to the simpler fixes first: encrypting mobile devices, maintaining regular offline data backups, and separating confidential from non-confidential electronic information. Additionally, providers should:
- Utilize cybersecurity experts and, for larger operations, consider adding a Chief Information Security Officer to your executive team. An enterprise-wide approach is critical to a successful cybersecurity program.
- Train employees to recognize phishing schemes and to follow data privacy and security procedures—they are an important first line of defense!
- Develop an Incident Response Plan to address an attack and conduct tabletop exercises to test it.
- Advise medical device vendors of your cybersecurity efforts. Make sure vendors encrypt stored information and provide regular security updates.
- Use provisions in your vendor contracts to allocate the risk of a privacy breach between the parties.
- Purchase cyber insurance—traditional insurance policies may not cover your actual damages or your efforts to remediate. Work with your broker and coverage attorney to procure the best insurance.
Checklist for Purchasing Data Privacy Insurance
This last point cannot be stressed enough as insurance is usually the backstop for policyholders who have a breach incident. The market for data privacy insurance continues to evolve as insurers use vastly different forms to write the coverage. Because of the disparity in the policies, where the devil is truly in the details, it is imperative for the healthcare industry to be more proactive in purchasing cyber insurance. Here are some important tips for placing data privacy coverage:
- Use a team approach in purchasing cyber insurance: insured, broker, and coverage counsel.
- Understand your risk profile.
- Review existing coverages to know what is already available in your current program.
- Put into place other data privacy coverage as needed.
- Understand that data coverage is broader than just “cyber.”
- Ensure there is coverage for using Cloud services.
- Negotiate for a retroactive date of at least one year.
- Know what legal counsel and vendors will be supplied by insurers.
- Carefully review the insurance application.
Cybersecurity plans must be flexible and adaptable in order to address new risks. A vertically integrated, multipronged approach is the best defense against cyber threats. Regardless of size, healthcare organizations must be aware of their duties, be proactive in protecting data, and involve all employees in the process.
Kristen M. Chatterton