Are you rolling the data breach dice?

Gambling with cyber security is increasingly costly

Every healthcare organization with a network, database, and online presence faces an increasingly complex and growing amount of risk. Yet some healthcare leaders are still rolling the data breach dice by taking a wait-and-see approach to covering these risks.

With ample evidence that cyber criminals are targeting healthcare more than any other industry, preventing a breach is no longer an IT task; it is now a major business issue. And, with the staggering costs associated with a breach, it has become equally important to protect your organization in the increasingly likely event one does occur.

The odds are stacked against you
In a notice sent to healthcare providers in early April 2014, the FBI said, "the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors; therefore, the possibility of increased cyber intrusions is likely."

The FBI got it right. The number of healthcare data breaches continues to climb year-to-year. The U.S. Department of Health and Human Services Office for Civil Rights database of breaches affecting 500 or more individuals – the so-called "Wall of Shame" – listed 269 breaches in 2015 and 328 in 2016, an increase of 22 percent. Judging from what has already happened in 2017, it appears safe to say this trend is continuing; there have already been 82 breaches in the first quarter. Comparing this to 64 breaches for the same period in 2016 reveals an increase of 28 percent.

In its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, the Ponemon Institute estimates breaches cost the healthcare industry as much as $6.2 billion in 2015. The average cost of a data breach for the covered entities surveyed is now more than $2.2 million. The study also reports that while the average global cost of a data breach is $158 per lost or stolen record, healthcare organizations shelled out $355 per record.

What's even more staggering is that almost 90 percent of healthcare organizations represented in this study had a data breach in the past two years, and 45 percent had more than five data breaches in the same time period.

Hackers love health data
Reuters news agency, in its coverage of the 2014 FBI notice, stated: "Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances."

My logic may not be unassailable, but I can't help but think there is a relationship between the value hackers place on health records and the $355 (and growing) per record cost paid by healthcare organizations.

Wait and see can be costly
A recent case highlights the issues facing healthcare organizations that are taking a wait-and-see approach. We conducted a cyber risk assessment for a hospital we felt could benefit greatly from an appropriate amount of cyber coverage. Despite the logical results the assessment produced, the decision makers declined on the basis that their organization had never had a claim of this nature.

In the ensuing 12 months, a costly data breach occurred. After the dust settled, we were asked to help with the acquisition of an appropriate amount of coverage. The coverage obtained costs approximately 35% more than it would have a year ago (not to mention the reluctance of some carriers to offer coverage at all).

As things change, our logic must change with them. These days, not having appropriate cyber coverage is like saying, "I will not buy home insurance until I have a fire... and depending on how bad it is, I will then decide if and how much insurance I will buy."

Complacency, complexity... or both?
Despite all the evidence, something is holding healthcare leaders back. Based on the work we've done helping dozens of community hospitals assess and address their cyber security needs, I believe the most common barriers are complacency and complexity. Despite all of the press coverage of high profile breaches, some community hospital leaders still believe they are too small to be targeted by cyber criminals. And, those who decide to take action are finding the highly dynamic and continuously evolving complexity and scope of the threat daunting.

This is not the case. Taking a closer look at the "Wall of Shame" reveals there were 37 breaches reported by hospitals in 2016 – that's over 10 percent of the 328 total breaches. Hospitals, big and small, are not immune to this growing danger.

Cyber security has become a business issue
According to a September 2016 report published by the Pell Center for International Relations and Public Policy, "25 percent of C-level executives and board members . . . treat cyber security as an isolated 'IT problem.'" This is obviously no longer the case. Healthcare organizations must not only prevent breaches and ward off attacks; they must also be prepared to manage the business impact of these events.

This means having a modern mindset for managing the entire life cycle of a cyber breach that includes effective, speedy incident resolution and minimization of the incident's impact on the organization.

Three pillars of prevention
Meeting a challenge as complex as cyber risk may seem to defy simplification, yet with the right attitude and approach, and the support of a team of knowledgeable experts, you can lead without having to be mired in the details.

In our work with leaders of healthcare organizations we see the most successful sticking to three fundamentals of cyber risk management: people, processes and technology.

• The people you must influence, trust, and rely on include cyber allies, leaders and citizens.
o Cyber Allies: These are your peers who are fighting the same battles as you. Staying abreast of their initiatives, mistakes, and responses can help you avoid and mitigate the impact of cyber risk.
o Cyber Leaders: These are the people – usually an internal leader managing advisors and technicians – who have the skills, knowledge, and experience to provide strategic cyber security leadership.
o Cyber Citizens: Everyone in the organization must be made aware (and kept aware) of the role they play in the prevention and reduction of cyber risk. We've gone way beyond not falling for the clumsy ruses used to steal passwords or inject viruses into computer networks. From handling sensitive data, understanding how to spot phishing emails to the use of BYOD, cyber security is no longer a technical issue; it's a business issue in which everyone has a role to play.

Processes are vital to the implementation of any effective strategy. To be effective, your cyber security strategies require processes that define, monitor and manage the roles, activities and documentation you use to protect your organization's information. (Processes are worthless if people do not use them... that's why your number one focus must be people.)

A note about compliance: Being in compliance with legislative and regulatory requirements protects your organization from financial and other penalties. If you still think cyber crime is just a hobby pursued by bored computer geniuses, think again. Cyber crime has become a highly organized business, which increasingly means legislation and policies designed to improve security may not be enough. Organizations need to go beyond a compliance-based approach to security and adopt a more risk-based approach.

Technology is all about choosing the right infrastructure and software, and it is perhaps the most difficult area to simplify. In a world where even the smallest change can set off a cascade of unforeseen glitches and breakdowns, it is little wonder healthcare leaders view technology as a digital Pandora's box. So, while we choose not to provide any technical advice in the quest for optimal cyber-secure technology, the one principle we offer as guidance is to protect your data and information first. By this we mean focus on the highest-risk areas first and take action there, rather than trying to safeguard everything.

Protection is not "Get it and forget it"
In this rapidly evolving environment, it is important to realize most traditional business policies do not cover risks associated with:

• The theft of customer data resulting from a lost or stolen laptop
• Failure to follow federal or state patient notification regulations when personal data has been illegally accessed
• Connected medical devices, network-attached printers, faxes and surveillance cameras (these devices are being targeted more often than major information systems, according to SANS, a respected source for computer security training, certification and research)
• Online health monitoring
• Accidentally passing a virus or other type of malware to suppliers and ACO partners
• Employee slander of another organization in a blog or social media site
• Content posted on your website that infringes on copyrighted material

Cyber-breach policies typically cover the costs associated with responding to and fixing the problem (remediation). If structured properly, these same policies can help mitigate the cost of business interruption, business-to-business lawsuits, ransomware cases, and other risks.

Is your coverage enough?
As the cyber insurance business grows in size* and sophistication, it may be tempting to think the insurance companies have got it all figured out and you can simply pay your way out of danger. This is not the case. Put the growing appetite and effectiveness of cyber criminals together with the increasingly severe costs and penalties, and it is clear why insurers are becoming increasingly wary of providing coverage, especially for entities that have not implemented, or do not maintain, an ongoing cyber security program. (*Consulting firm PwC estimates it to be $3 billion today and projects it will grow to $7.5 billion by 2020.)

According to Philip Alexander, the director of information security for the UMC Health System in Lubbock, TX, cyber insurance is a new frontier for insurance companies. While actuaries have decades of data to work with when designing traditional products like auto insurance, the rapid evolution of technology means there is not a lot of data behind the design of cyber insurance. In essence, he says, insurers are making as good a guess as possible in order to tap into a new market.

Because technology will always outpace regulation, Philip says the onus for compliance is on the insured, which in turn means the insurance companies are not accountable. Wondering what this means for your organization? Here's a simple way to look at it: cyber insurance will only work if the insurance company believes your organization has fulfilled its cyber security duties.

Those duties are twofold: practicing the due diligence needed to protect your organization from cyber crime, and meeting regulatory requirements when a breach occurs. This is key to the whole issue; cyber insurance is not designed to cover the gaps in your cyber security policies and procedures. It is there to cover the cost of a breach after you have done everything you can do, as well as everything the law requires you to do.

There is help
Because it's a matter of when, not if, a cyber breach will occur, agreeing with your insurance company on a clear definition of due diligence will go a long way towards avoiding a claim being denied. And it will help you do everything you can to reduce the likelihood of a breach and prevent unnecessarily high claims when one does occur.

Clearly there is a lot of work to do for insurers and the insured alike when it comes to making cyber coverage work. Fortunately, you and your insurer are not alone; there are several noteworthy organizations leading the charge towards workable cyber due diligence.

Perhaps the most significant work is the Cybersecurity Framework, developed and kept up to date by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce.

According to the NIST web site, "The Framework... consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."

HITRUST is another leader in this field, and it specializes in cyber security certification for healthcare organizations. It has created the HITRUST CSF, described as a "scalable, prescriptive and certifiable framework specific to healthcare organizations". The HITRUST CSF is designed for organizations that create, access, store and exchange personal health and financial information.

What are your odds?
We are not there yet, but it appears we are headed to a future in which the insurer and the insured agree to a certifiable, sustainable standard of due diligence. Today, however, if you want to stop rolling the data breach dice, you must be making two types of investment: due diligence/compliance and premiums for coverage.

About the Author
Brant Couch, CPA, CIC is President of HealthSure, one of the largest specialized insurance advisory and brokerage firms operating out of Texas. Brant leads business development, program delivery, and strategic account management for the firm.

For further information contact:
Curtis Verstraete

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2019.