By Matthew C. Bertke, CPA, MBA, Product Development Manager at Coverys
Data breaches in the healthcare industry continue to increase – not only in frequency, but in size, cost, and impact on the reputations of affected organizations. According to the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data conducted by the Ponemon Institute, nearly 90 percent of the surveyed healthcare organizations experienced a data breach in the past two years, with 45 percent reporting more than five data breaches in that period.
Electronic Healthcare Data Creates New Risks
New technologies have increased vulnerability to cybercrimes. With increased use of open wireless networks, as well as mobile and cloud environments, data has become more liquid and less controlled – particularly as it is migrated to an electronic health record or other digitized format. The problem is exacerbated as this data is processed, transferred, and shared between providers, clinics, hospitals, labs, treatment facilities, care homes, and billing entities.
Recent trends reported in Experian’s Data Breach Response Guide forecast that healthcare organizations will be the most targeted sector in 2017 as new, increasingly sophisticated cyberattacks emerge. In response to that report, Ann Patterson, senior vice president of the Medical Identity Fraud Alliance, commented:
“The consequences of a medical data breach are wide-ranging, with devastating effects across the board – from the breached entity to consumers who may experience medical ID fraud to the healthcare industry as a whole. There is no silver bullet for cybersecurity; however, making good use of trends and analysis to keep evolving our cyber protections along with forecasted threats is vital.”
No healthcare organization is immune from cyberattack. Despite the growing epidemic, the Healthcare Information and Management Systems Society reported that the majority of providers will continue to rely on a limited portfolio of basic security tools focused on antivirus, malware, and firewall vulnerabilities, as well as prevention, encryption, detection, authentication, and protection strategies.
Key Drivers Behind Cyber Attacks
The healthcare cybersecurity market is segmented by type of threat: malware, advanced persistent threats, spyware, lost and stolen devices, etc. Currently, global healthcare cybersecurity spending is forecast to reach nearly $10.84 billion by 2022, largely driven by an increased incidence of cyberattacks involving:
- The use of cloud services
- Unsecured networks
- Employee negligence
- Lack of internal identification and security systems
- Stolen devices with unencrypted files
- The misuse of electronic patient medical records
Types of Cyber Attacks
In the healthcare industry, criminal and malicious cyberattacks have been the leading cause of data breaches over the past two years. Fifty percent of respondents to the Ponemon Institute survey reported criminal attack as the most frequent type of breach experienced. Following is a list of various types of breaches and the percentage of survey respondents whose organization experienced each type:
- Third-party error – 39 percent
- Stolen electronic device – 39 percent
- Unintentional employee action – 36 percent
- Technical systems glitch – 29 percent
- Malicious insider – 13 percent
- Intentional, non-malicious employee action – 8 percent
As hackers become more sophisticated, so do their schemes to extort personal health information for a profit. In 2016, the three cyberthreats that healthcare organizations feared the most were:
- Denial of Service (DoS) – 48 percent. DoS attacks differ from typical cyberattacks in that they don’t breach the security perimeter. Instead, they render an organization’s server unavailable to authorized users and, in some cases, operate as a diversion or smokescreen for other malicious activities, such as removing firewalls and security applications. Simply stated, the attack overloads the server’s resources and causes systems to crash.
- Ransomware – 44 percent. There are two types of ransomware: locker and crypto. Locker attacks prevent user access to data, whereas crypto attacks encrypt data to render it unreadable. In either case, ransomware holds an organization’s critical data hostage until money is paid to get it back. (Of course, there’s no guarantee that hackers will unlock systems even after the ransom is paid.)
According to Experian, ransomware is an easy and safe way for hackers to cash out because most organizations would rather pay the ransom than face a disruption. It’s particularly dangerous in healthcare because losing access to critical patient information puts patients at risk. In 2016, ransomware attacks quadrupled, with nearly half occurring in the healthcare sector. A recent report predicts that attacks will double in 2017.
- Malware – 41 percent. Malware (short for malicious software) causes damage to a standalone or networked computer. It’s a program designed to damage a system by way of a virus, worm, or Trojan horse. The Healthcare Information and Management Systems Society’s 2016 cybersecurity survey found that 15 percent of acute-care healthcare providers (almost 900 hospitals in the United States alone) have yet to install any type of antivirus or malware protection tools.
Electronic Medical Devices Create New Emerging Risks
By the year 2020, 25 billion connected smart devices will be in use, including a significant number of medical devices such as pacemakers, drug pumps, mobile medical workstations, in-home monitors, and personal fitness devices. Medjacking – hacking a medical device with the intent to harm or threaten a patient – is an emerging, systemic risk that will continue to grow with the increased linking of operations and infrastructures.
According to the INFOSEC Institute, the dangers associated with the hijacking of medical devices are very real, and the FBI has issued a warning statement that criminals can use these opportunities to facilitate attacks on other systems remotely by sending malicious/spam emails, stealing personal information, and interfering with physical safety. Having compromised these defenseless medical devices, hackers can lurk inside and use them as springboards for further penetration.
HIPAA and the Cost of Noncompliance
This year, cyber attacks are expected to cost the healthcare industry an estimated $6.2 billion, but it doesn’t stop there. In addition to expenses associated with a breach, organizations are subject to the consequences of negative media attention, possible fines from the U.S. Department of Health and Human Services Office for Civil Rights (OCR), and the loss of patient trust. According to OCR, an average of six data breaches impacting 500 or more individuals are reported every week, with over $19 million in penalties levied for the top six breaches alone.
The regulations surrounding the protection of private health information are clear, and each organization must understand the privacy rule language and OCR stipulations. Today, the U.S. Department of Health and Human Services has adopted a zero-tolerance policy for organizations cited for noncompliance, no longer accepting excuses for simply “not knowing.”
OCR has the power to issue financial (as well as criminal) penalties to HIPAA-covered entities that fail to comply with HIPAA rules. Institutions that fail to safeguard the privacy of patients and the confidentiality of healthcare data will face steep fines and penalties:
- A violation attributed to ignorance results in a fine of $100 to $50,000;
- A violation that occurred despite having taken proactive safeguards results in a fine of $1,000 to $50,000;
- A violation due to willful neglect that is corrected within 30 days results in a fine of $10,000 to $50,000; and
- A violation due to willful neglect that is not corrected within 30 days results in a maximum fine of $50,000.
Fines can be imposed for each violation category and can consider not only the number of records compromised but also the potential risks created by the exposure of data. Depending on the breach, this could result in penalties of up to $1.5 million per year, per category.
A Multilayered Approach
Despite the presence of HIPAA standards and the application of measures to protect electronic health information, organizations can still have gaps in their cybersecurity plans. These gaps leave them vulnerable to hackers and can be used to illicitly transmit private healthcare information.
The Federal Communications Commission (FCC) recommends implementing a type of layering approach for cybersecurity measures. The FCC’s Cyber Security Planning Guide states: “Protecting data, like any other security challenge, is about creating layers of protection. The idea of layering security is simple: You cannot and should not rely on just one security mechanism – such as a password – to protect something sensitive. If that security mechanism fails, you have nothing left to protect you.”
By applying more than two or three approaches, organizations have a better chance at preventing, identifying, and controlling threats. Solutions can include various proactive measures:
- Identity and access management
- Risk and compliance management
- Security information and event management
- An intrusion detection and prevention system
- Data encryption software
- Antivirus software
- Anti-malware software
Despite proper safeguards, cyberattacks can still occur. Thus, many organizations have secured the financial protection of cyber liability insurance. A recent report by the Brookings Institution’s Center for Technology Innovation predicts that over the next five years, cyber insurance will be as important as medical professional liability insurance.
Cyber insurance carriers, which include many medical professional liability carriers, typically offer coverage toward the following types of events:
- Theft, loss, or unauthorized disclosure of information inclusive of disclosure due to security breaches, social media activities, etc.
- Cyber extortion events (e.g. ransomware)
- Privacy-related federal, state, and local regulatory proceedings
- PCI DSS Assessments
- Security breaches causing asset restoration costs and lost income
In addition to providing coverages, many of the more sophisticated cyber insurance carriers go as far as to help their policyholders prevent a privacy attack or data breach. They do this by allotting policyholders data security consulting services, risk management tools, and educational resources. Speak with your agent to determine if you are adequately protected and if you and your staff have access to mitigation tools and resources.
The development and use of data technology continue to evolve quickly. As such, patient healthcare information is more widely used and disseminated. This use can outpace the healthcare facility’s ability to secure the environments used to store and transmit the data.
Although vulnerabilities can never be completely eliminated, healthcare organizations can effectively mitigate their cyber liability exposures by identifying and minimizing the risk and being prepared.
Article used with permission from Coverys—a nationally recognized medical professional liability insurer and leader in helping the medical community address the challenges of healthcare delivery in a rapidly changing landscape. Please visit coverys.com for more information.
No legal or medical advice intended. This article includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances.