
Managing Cyberthreats

PROTECTING COMPANY AND PATIENT DATA IS NO LONGER OPTIONAL FOR O&P BUSINESSES

NEED TO KNOW

• Data breaches and ransomware attacks are a growing problem for U.S. healthcare companies, including O&P facilities, causing financial and reputational damage to facilities that are targeted.

• Protecting patient data also is critical because O&P facilities must comply with the HIPAA Security Rule, which mandates that covered entities evaluate risks and vulnerabilities in their environments and implement appropriate security measures.

• Healthcare facilities are experiencing phishing attacks that target employees and trick them into sharing sensitive business information, as well as ransomware attacks that aim to extract a ransom by locking a company’s stored data and demanding payment for a key to regain access.

• Many O&P facilities choose to contract with security firms to assess vulnerabilities and handle IT security, and some also choose to purchase cyber insurance to minimize damages should a breach occur.

BY THE END of 2021, U.S. businesses will be targeted by a ransomware attack every 11 seconds, according to research firm Cybersecurity Ventures. Healthcare companies—including O&P facilities—are especially vulnerable because of the extensive and valuable patient data they maintain.

About 15 percent of all data breaches in 2019, spanning ransomware, phishing attacks, and more, involved the healthcare system, with losses to the industry reaching $25 billion, according to the “2021 Data Breach Investigations Report.” And there’s more bad news: According to global cybersecurity giant Sophos, the cost of remediating ransomware attacks, in which cybercriminals seize records or entire computer networks and demand a ransom for their return, has doubled in the past year. A growing number of organizations are paying ransom demands that range from roughly $10,000 to more than $1 million, but only 8 percent of those who pay manage to get all of their data back.

The O&P industry, like other healthcare sectors, is a target because facilities store patient information that could potentially be leveraged on the dark web: Medicare ID numbers, Social Security numbers, insurance information, and even payment data.

“If those could potentially be tapped into, they can be used for very unpleasant purposes—not just trying to steal someone’s ID but exposing people to public knowledge about their personal health trials and tribulations,” says Rebecca Snell, information technology and marketing director at Dankmeyer Inc. The financial and reputational harm to an O&P company if patient data is made public can be devastating.

“We’re talking about the goodwill of your patients and clinical partners,” Snell explains. “How many O&P companies could survive the loss of 50 percent of their patients who bail, because you are required by law to notify patients of a potential breach? Who’s going to stick around if they think you did a horrible job of protecting their data?”

Faced with increasing cyber threats, O&P facilities are expanding their efforts to understand the potential costs and dangers and ramping up initiatives to prevent and minimize damage from breaches.

Understanding the Latest Threats

Breaches at healthcare facilities typically begin with one of two threats: phishing or ransomware. A phishing attack uses social engineering, most often an email that imitates a trusted sender, to trick an individual into supplying sensitive personal or business information or into opening a malicious link or attachment. A ransomware attack, which is frequently delivered through such a phishing email, aims to extract a ransom from a victim by encrypting their files and demanding payment for the key needed to regain access.

The vulnerabilities don’t necessarily end at a clinic’s front door. A study released in July by cybersecurity firm CynergisTek found that 76 percent of healthcare providers are not adequately validating that their outside vendors are meeting contractual security obligations.

The Privacy Rule in the Health Insurance Portability and Accountability Act (HIPAA) allows covered providers and health plans to disclose protected health information (PHI) to business associates if they obtain satisfactory assurances that the associates—typically paid contractors—will use the information only for the purposes for which it was engaged and protect the information. Some examples of business associates are a third-party administrator that assists a health plan with claims processing, a CPA firm, attorneys, consultants, and more.

According to Security Intelligence, a website devoted to informing organizations about cybersecurity issues, supply-chain attacks can arise in various ways. Attackers can exploit openings within a supplier’s network, such as a mobile healthcare app or a product’s outdated firmware, and move from there through the supply chain into a healthcare entity’s systems, where they can steal its stored PHI.

Healthcare providers not only have to worry about the typical, and sometimes staggering, costs of ransomware attacks; they also risk running afoul of federal law. HIPAA requires that any covered entity that experiences a ransomware attack or other cyber-related security incident “must take immediate steps to prevent or mitigate any impermissible release” of PHI. Failure to comply can be fatal for a small business. Under HIPAA’s Enforcement Rule, the Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS) may assess civil money penalties of up to $1,677,299 per violation, per year, against a covered entity that fails to properly protect PHI.

Boosting Preventative Measures

The good news is that the HHS website (www.hhs.gov/hipaa/for-professionals) offers plenty of guidance on compliance designed to help healthcare providers implement appropriate protections and processes to help protect against cyberattacks. The guidelines include recommendations on how to comply with security awareness and training requirements, ensuring outside contractors meet HIPAA security standards, understanding facility access controls, securing individual workstations, understanding electronic transmission of data, and much more.

Jeffrey Schultz, partner and cybersecurity expert at Armstrong Teasdale, a full-service national law firm, helps healthcare firms navigate the stressful and bewildering aftermath of an attack, especially counseling them on their regulatory and other legal requirements, as well as their incident response.

10 TIPS FOR PREVENTING A CYBER ATTACK

1. Establish a security culture. Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.

2. Protect mobile devices. An increasing number of healthcare providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.

3. Maintain good computer habits. New employee onboarding should include training on best practices for computer use, including software and operating system maintenance.

4. Use a firewall. Anything connected to the internet should have a firewall.

5. Install and maintain antivirus software. Simply installing antivirus software is not enough. Continuous updates are essential for ensuring healthcare systems receive the best possible protection at any given time.

6. Plan for the unexpected. Files should be backed up regularly—automatically, if possible, or at least weekly—for quick and easy data restoration. Organizations should store this backed-up information away from the main system if possible.

7. Control access to protected health information. Access to protected information should be granted to only those who need to view or use the data.

8. Use strong passwords and change them regularly. A Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak, or stolen. Healthcare employees should not only use strong passwords, but ensure they are changed regularly. Note that current NIST guidance (SP 800-63B) no longer recommends forced periodic changes, which tend to produce predictable variants of the old password; it favors long, unique passwords, multifactor authentication, and an immediate change whenever compromise is suspected.

9. Limit network access. Any software, applications, and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.

10. Control physical access. Data also can be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

SOURCE: “Cybersecurity: How Can It Be Improved in Health Care?” University of Illinois—Chicago, https://bit.ly/3s8NQYq

HIPAA-regulated healthcare providers involved in a cybersecurity breach will typically be contacted by OCR at HHS, according to Schultz. If OCR accepts a complaint for investigation, it will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity will be asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts, Schultz notes. Covered entities are required by law to cooperate with complaint investigations.

If a complaint describes an action that could be a violation of the criminal provision of HIPAA, OCR may refer the complaint to the Department of Justice for investigation. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining voluntary compliance, corrective action, and/or resolution agreement.

Raising Awareness of the Dangers

It is critical that healthcare companies, especially smaller organizations like O&P facilities, realize that they are not immune to cyberattacks, according to Schultz. “There needs to be some sort of recognition that you’re not just going to fly beneath the radar,” he says. “You might be thinking, ‘Nobody will come after me, they’ll go after the big outfits.’ Really, it doesn’t have to do with size, and it doesn’t have to do with the industry in which you’re operating. It’s opportunistic. And if you can be hurt, from a business or reputational perspective, by having an incident, you’re a target.”

Schultz and Snell agree that the top cyber vulnerability at most health organizations is the staff. “The experts tell us that the No. 1 cause of incursions is employee error, people who click on things they should not be clicking on and who don’t recognize it,” Snell says.

“It’s the folks who say, ‘Hey, it’s really difficult to go through the two-factor authentication to access all this data on our network,’” Schultz adds. “They create their own sort of shadow IT, and they put unencrypted information on a flash drive so they can access the data more easily. And with the pandemic, there are more people working remotely. That in and of itself has created more vulnerabilities,” he says. “Making sure that you get your employees trained and that they’re complying, and that they understand the importance of compliance, is a big, big first step.”

RISK ANALYSIS REQUIREMENTS UNDER THE HIPAA SECURITY RULE

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates that covered entities “evaluate risks and vulnerabilities in their environments” and “implement reasonable and appropriate security measures” to guard against possible security threats to protected health information (PHI). While the Security Rule does not prescribe a specific assessment methodology, it does establish “several objectives that any methodology” must accomplish.

The security management process standard in the Security Rule states the following for risk analysis:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

The following questions, adapted from NIST Special Publication (SP) 800-66, are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

• Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain, or transmit.

• What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain, or transmit e-PHI?

• What are the human, natural, and environmental threats to information systems that contain e-PHI?

In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled “addressable” rather than “required.” An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so.

The outcome of the risk analysis process is a critical factor in assessing whether an implementation specification or an equivalent measure is reasonable and appropriate. Organizations should use the information gleaned from their risk analysis as they, for example:

• Design appropriate personnel screening processes.

• Identify what data to back up and how.

• Decide whether and how to use encryption.

• Address what data must be authenticated in particular situations to protect data integrity.

• Determine the appropriate manner of protecting health information transmissions.

SOURCE: “Guidance on Risk Analysis,” U.S. Department of Health & Human Services, https://bit.ly/2VHeJab

To help keep data at Dankmeyer safe, the facility has contracted with a security firm to handle its email security for the past eight years, according to Snell. “They have very, very strenuous controls to trap malware and quarantine it,” she says. “They’re an incredible company, and they help me with sleeping at night” because of their security expertise and diligence.

A midsize company (35 employees) could spend anywhere from $4,000 to $6,000 annually for such a service, depending upon how many different platforms can be used to access the email and how much storage is provided per email user, according to Snell. The firm Dankmeyer uses is priced per user, per month.

This increased security has become even more important with the rise of more sophisticated data breaches carried out via “spear phishing,” which occurs when a malicious actor acquires specific information about a target and then tailors a phishing email with that information, so an employee may mistakenly believe the email is legitimate. Snell points to an incident where a supplier of O&P materials was hacked, with malicious actors using the supplier’s logo and other information in an email asking that the recipient “click on this invoice,” she says. “I have made phone calls before to suppliers to say, ‘Hey, one of our employees got an email that purports to be you.’”

Schultz recounts a story of a human resources manager who got an email that appeared to be from the firm’s CEO asking for all employees’ W-2 tax forms. “It was right around tax time, so what do you think was going to happen?” Schultz says. “The bad guy who was impersonating the CEO was going to take those and use them to file a whole bunch of fraudulent tax returns and try and get the refunds.”
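Both lures described above, a look-alike supplier domain asking the recipient to click on an invoice and an executive’s display name on a message from an outside mailbox, leave traces in the message headers that can be checked mechanically before anyone clicks. The script below is an added example, not code from the article, from Dankmeyer, or from Armstrong Teasdale; the trusted domains, the executive name, and the two sample messages are constructed for the illustration. It reads the receiving mail server’s Authentication-Results header, compares the Reply-To and From domains, measures how close the sender’s domain is to a trusted one, flags an executive’s name arriving from an external domain, and catches links whose visible text names a different host than the link target.

```python
"""Triage a suspected spear-phishing email from its headers and links (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical domains this practice expects mail from, and the display name of its CEO.
TRUSTED_DOMAINS = ("example-supply.com", "example-clinic.com")
EXEC_NAMES = {"Jane Doe"}

# Constructed sample: look-alike supplier domain, failed SPF/DMARC, foreign Reply-To,
# and a link whose visible text names the real supplier while the href points elsewhere.
INVOICE_LURE = """\
From: "Example Supply Billing" <billing@examp1e-supply.com>
Reply-To: payments@mail-relay.example.net
To: ap@example-clinic.com
Subject: Invoice 48211 past due
Authentication-Results: mx.example-clinic.com; spf=fail smtp.mailfrom=examp1e-supply.com; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://examp1e-supply.com/inv">https://example-supply.com/invoice/48211</a> today.</p>
"""

# Constructed sample: CEO display name on mail from an outside domain, asking HR for W-2s.
W2_LURE = """\
From: "Jane Doe" <jane.doe@webmail-users.example>
To: hr@example-clinic.com
Subject: W-2s needed today
Authentication-Results: mx.example-clinic.com; spf=pass smtp.mailfrom=webmail-users.example; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Send me the W-2 forms for every employee as one PDF. I am in meetings all day.
"""

HOST_RE = re.compile(r"([a-z0-9.-]+\.[a-z]{2,})")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; a small value against a trusted domain suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. SPF/DKIM/DMARC results stamped by our own receiving mail server.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech} did not pass for {from_dom}")

    # 2. Replies routed to a domain other than the claimed sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. Sender domain within two edits of a trusted domain, but not equal to it.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and _edit_distance(from_dom, trusted) <= 2:
            findings.append(f"From domain {from_dom} resembles trusted domain {trusted}")

    # 4. An executive's name on mail that did not come from one of our domains.
    if from_name in EXEC_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{from_name}' used from external domain {from_dom}")

    # 5. Link text that names one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown in LINK_RE.findall(text):
        href_host = re.sub(r"^https?://([^/]+).*$", r"\1", href).lower()
        shown_host = HOST_RE.search(shown.lower())
        if shown_host and shown_host.group(1) != href_host:
            findings.append(f"link text names {shown_host.group(1)} but points at {href_host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("invoice lure", INVOICE_LURE), ("W-2 lure", W2_LURE)):
        print(label)
        for finding in triage(sample):
            print("  -", finding)
```

The W-2 message passes every authentication check because the attacker really does control the mailbox it was sent from; only the executive-name rule catches it, which is why the check that costs nothing technically, a phone call to the person who supposedly asked, is still the one that matters most.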

Readying for Ransomware

In light of the increasing sophistication of ransomware attempts at healthcare facilities, O&P facilities should be boosting their efforts to ward off attacks. Until recently, an O&P business whose ransomware plan included data backups, copies of its files and data kept in a separate location, could decline to pay the ransom and resume business as usual without losing much time. That is no longer the case.

“Now one of the things that we’re seeing is exfiltration,” the unauthorized transfer of data out of a network by malware or an intruder, Schultz says. “The bad guys can now have a backup and can say, ‘OK, well, not only is your data encrypted, but also if you don’t pay, we’re going to dump all your data out on the dark web and put it for sale.’ Essentially, they’re trying to give you additional motivation to pay” to avoid having patient data made public. O&P facilities should be aware of the damage ransomware attacks can cause and engage in appropriate preventive measures.
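Because the ransom threat now rests on stolen copies as much as on encrypted ones, backups alone do not settle the matter; the window to act is while data is still leaving the network. The script below is an added example, not code from the article or from Armstrong Teasdale; the key=value flow-log layout, the per-host daily baselines, the internal address ranges, and the log lines are all constructed for the illustration. It sums each workstation’s bytes sent to addresses outside the practice’s own networks, compares the total with that host’s usual daily volume, and reports hosts that exceed both an absolute floor and a multiple of their baseline, noting how much of the transfer happened in the early-morning hours when nobody should be moving patient records.

```python
"""Spot hosts sending unusual volumes of data to external addresses (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed: the practice's own address ranges; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed baselines: typical outbound bytes per host per day, e.g. learned from 30 days of logs.
BASELINE_BYTES = {"10.0.5.21": 40_000_000, "10.0.5.22": 55_000_000, "10.0.5.30": 120_000_000}

# Constructed flow records in a simple key=value layout (not any vendor's real export format).
SAMPLE_FLOWS = """\
2021-06-12T09:14:05Z src=10.0.5.21 dst=10.0.1.5 bytes_out=90000000
2021-06-12T10:02:11Z src=10.0.5.22 dst=203.0.113.8 bytes_out=30000000
2021-06-12T02:14:05Z src=10.0.5.21 dst=198.51.100.77 bytes_out=734003200
2021-06-12T02:31:40Z src=10.0.5.21 dst=198.51.100.77 bytes_out=612000000
2021-06-12T11:20:00Z src=10.0.5.30 dst=203.0.113.8 bytes_out=100000000
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes_out=(\d+)$")


def is_internal(ip):
    """True when the address falls inside one of the practice's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src, dst, bytes_out) for each well-formed line; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group(2))
            ipaddress.ip_address(m.group(3))
        except ValueError:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        yield ts, m.group(2), m.group(3), int(m.group(4))


def find_exfil_candidates(text, baseline, ratio=5.0, floor_bytes=500_000_000, quiet_hours=range(0, 6)):
    """Return hosts whose external outbound volume is both large and far above their baseline."""
    out_bytes = defaultdict(int)
    quiet_bytes = defaultdict(int)
    for ts, src, dst, nbytes in parse_flows(text):
        if is_internal(dst):
            continue  # transfers to the file server or backup target are not exfiltration
        out_bytes[src] += nbytes
        if ts.hour in quiet_hours:
            quiet_bytes[src] += nbytes
    hits = []
    for src, total in out_bytes.items():
        base = baseline.get(src)
        # A host with no baseline at all is treated as infinitely anomalous.
        multiple = total / base if base else float("inf")
        if total >= floor_bytes and multiple >= ratio:
            hits.append({
                "src": src,
                "bytes_out": total,
                "multiple_of_baseline": round(multiple, 1),
                "quiet_hours_share": round(quiet_bytes[src] / total, 2),
            })
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_FLOWS, BASELINE_BYTES):
        print(hit)
```

The absolute floor keeps a small practice from drowning in alerts about hosts whose baseline is tiny, and the quiet-hours share is the detail an incident responder wants first: 1.3 GB to one outside address at two in the morning is a very different story from the same volume spread over a working day.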

Snell contends that the O&P field isn’t as well protected against cyberattacks as other healthcare segments because of a lack of resources. “It’s not just a lack of equipment or hardware, but not having knowledge of the potential threat,” she says. “If you know about the threat, what resources do you have to defend yourself against it? Do you have someone on staff that can put a firewall in place? Someone who can install antivirus software? And if you don’t have that, do you have the financial resources to find a good consultant who can help you with those things? A lack of education and resources are the most difficult problems that we face in our industry, in order to be able to protect ourselves digitally.”

And if you have no—or very few— resources to protect yourself? At a minimum, you need antivirus protection, and you must understand where all of your data resides, says Snell. “Determine what data you have— where is it and what is the exposure. If you have any resources at all, focus it on the things where you have the greatest exposure. … Take it offline, or at least make sure you have backups … so you don’t lose everything” if a breach occurs.

“Ideally, you want to have a firewall,” but it’s just as important that a staff member understands how the firewall works, she adds. Snell says it may take an expert consultant to determine exactly where and how an O&P practice is most vulnerable to ransomware or phishing schemes. But the question isn’t “if” you are vulnerable. “Everyone is vulnerable,” she says, adding that HHS’s HIPAA guidelines offer toolkits to help small providers assess their data. “Hospitals get hacked, individual O&P practices have been hacked. No one is immune. The question is: Are you easy pickings, or are you going to require a lot of effort?”

Exploring Insurance Options

While no amount of preemptive spending can ensure 100 percent protection against cyberattacks, cyber insurance offers significant peace of mind if a successful incursion does occur.

Don Foley, a longtime healthcare industry insurance specialist at Cailor Fleming Insurance, says the average-sized O&P company, with seven or eight employees and approximately $1 million in annual sales, typically spends less than $5,000 annually for liability and property insurance, unless the real estate holdings are extensive. A cyber policy with a $1 million limit for a company this size costs around $1,500 a year, Foley says. He estimates that only 25 percent of U.S. O&P companies hold cyber insurance.

Cailor Fleming, as a matter of course, now adds $100,000 to every liability policy it issues. Other insurers also offer similar baseline coverage. “It’s an automatic addition, but it is not the best,” Foley concedes. “The average claim is about $250,000. So, that’s not going to cover it. And most of these policies don’t cover social engineering. This is an important point, and this is why companies ought to have a standalone cyber policy, because it is much more comprehensive. And it has a much higher limit of insurance.”

In addition to covering social engineering breaches, a good cyber policy will pay for legal representation, the cost of hiring a public relations firm to restore donor confidence or mitigate negative publicity, computer forensics specialists, required legal notices, credit monitoring and a call center for victims to seek recourse, and more. “And last but not least, is business interruption,” Foley says. “If you’re shut down for a week, and you lose all the profits for that week ... the carrier will reimburse you all the profits that you lost.”

A lot of O&P owners believe they have adequate cyber insurance, but the fact is most don’t. “That may be part of the reason why they’re not buying it,” Foley says. “They just don’t think it’s that important just yet.”

Being adequately prepared for a data breach and possible ransom demands is part of the new normal of doing business, so O&P facilities must be prepared—with insurance as well as other preventive measures. “I obsess over this,” Snell says. “It’s seriously important. We must be concerned about our patients, and the trust our patients place in us to protect their information.”

Michael Coleman is a contributing writer to O&P Almanac.
