Compliance officers in the healthcare industry should make a New Year’s resolution to revamp their cyber-security practices in 2016, following a surge in data breaches and the emergence of new cyber-threats that most healthcare organizations are still ill-equipped to address.

Earlier this year, hackers in China infiltrated the computer system of health insurer Anthem, stealing 78.8 million records containing protected health information (PHI) and other sensitive data, making it the largest data breach to ever hit the U.S. healthcare industry. It also marked the first state-sponsored cyber-attack of several that occurred in 2015.

In the second largest cyber-attack targeting the healthcare industry this year, health insurer Premera announced in March that Chinese hackers had gained unauthorized access to its systems, stealing 11 million records containing PHI.

The advanced nature of state-sponsored attacks makes them especially difficult to uncover. Premera, for example, said it discovered its cyber-attack in January 2015, almost nine months after the initial intrusion occurred in May 2014. In another example, health insurance company Excellus, which made headlines this year for suffering the third largest cyber-attack in the healthcare industry, affecting 10 million records, concluded that its breach occurred as early as December 2013.

The Anthem, Premera, and Excellus breaches are only the tip of the iceberg. According to data compiled from the HHS’ Office for Civil Rights, 249 data breaches affecting 500 or more individuals occurred in 2015, resulting in the breach of 113.2 million total records. Of those 249 breaches, 56 were caused by hacking incidents.


Because of the widespread use of electronic health records (EHR) today, hackers are able to access individuals’ personal information, credit information, and protected health information (PHI) all in one place, which translates into a high financial payout for any medical record sold on the black market. According to the Federal Bureau of Investigation, cyber-criminals are selling such information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHRs can then be used for such criminal activity as identity theft, filing fraudulent insurance claims, or obtaining prescription drugs illegally.

Vulnerabilities Persist

Although healthcare organizations are a lucrative and easy target for hackers, the healthcare sector is “not as resilient to cyber-intrusions compared to the financial and retail sectors,” the FBI warned in a notice issued last year to healthcare providers. Such weaknesses further increase the risk of a cyber-attack.

In fact, cyber-attacks in the healthcare industry have increased 125 percent since 2010, according to a healthcare breach report conducted this year by the Ponemon Institute. The most vulnerable targets include hospitals, clinics, healthcare providers, and their “business associates (BAs),” which the Department of Health and Human Services (HHS) defines as a person or entity that performs services for a healthcare provider—such as patient billing firms, health plans, claims processing, and cloud services—involving the use or disclosure of PHI.

According to the report, the majority of healthcare organizations and BAs lack the funds and resources needed to protect patient data and are unprepared to meet the changing cyber-threat environment. Specifically, of the 90 healthcare organizations and 88 BAs polled, only 33 percent of healthcare organizations and 41 percent of BAs said they have sufficient resources to prevent or quickly detect a data breach.

WORKING WITH EHR & HEALTH IT DEVELOPERS

Below is an excerpt from the Guide to Privacy and Security of Electronic Health Information issued by the Office of the National Coordinator for Health Information Technology.
When working with EHR and health IT developers, you may want to ask the following questions to help understand the privacy and security practices they put in place.

When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?
- Electronic protected health information (ePHI) encryption
- Auditing functions
- Backup and recovery routines
- Unique user IDs and strong passwords
- Role- or user-based access controls
- Auto time-out
- Emergency access
- Amendments and accounting of disclosures

Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?

How much of my health IT developer’s training covers privacy and security awareness, requirements, and functions?

How does my backup and recovery system work?
- Where is the documentation?
- Where are the backups stored?
- How often do I test this recovery system?

When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?

How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?

If I want to securely email with my patients, will this system enable me to do that as required by the Security Rule?
Source: The Office of the National Coordinator for Health Information Technology
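An added illustration, not taken from the ONC guide or from any EHR product, of how several features on the checklist above fit together in code: role-based access to ePHI, a flagged emergency (break-glass) path, an audit trail from which an accounting of disclosures can be produced, and an inactivity time-out. The role model, the 15-minute idle limit, and the sample user and patient identifiers are assumptions.

```python
from dataclasses import dataclass, field

# Assumed role model (not from the page): actions each role may perform on ePHI.
ROLE_PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}, "receptionist": set()}
SESSION_TIMEOUT_SECS = 15 * 60  # auto time-out after 15 minutes idle (assumed value)

@dataclass
class Session:
    user_id: str          # unique user ID, never a shared login
    role: str
    last_activity: float  # epoch seconds of the last request

@dataclass
class AccessGate:
    audit_log: list = field(default_factory=list)

    def _record(self, now, session, patient_id, action, outcome, emergency):
        # Every attempt, granted or denied, is written to the audit trail.
        self.audit_log.append({"ts": now, "user": session.user_id, "role": session.role,
                               "patient": patient_id, "action": action,
                               "outcome": outcome, "emergency": emergency})

    def access(self, session, patient_id, action, now, emergency=False):
        """Return True if the action on the patient's record is permitted."""
        if now - session.last_activity > SESSION_TIMEOUT_SECS:
            self._record(now, session, patient_id, action, "denied:timed_out", emergency)
            return False  # idle session: the user must re-authenticate
        session.last_activity = now
        allowed = action in ROLE_PERMISSIONS.get(session.role, set())
        if not allowed and emergency and action == "read":
            # Break-glass: read access is granted outside the normal role, but the
            # event is flagged so it can be reviewed afterwards.
            self._record(now, session, patient_id, action, "granted:break_glass", True)
            return True
        self._record(now, session, patient_id, action, "granted" if allowed else "denied", emergency)
        return allowed

    def disclosures_for(self, patient_id):
        """Accounting of disclosures: every granted access to one patient's record."""
        return [e for e in self.audit_log
                if e["patient"] == patient_id and e["outcome"].startswith("granted")]

    def break_glass_events(self):
        """Emergency accesses that still need a supervisor's review."""
        return [e for e in self.audit_log if e["outcome"] == "granted:break_glass"]
```

Break-glass grants are deliberately limited to reads and always logged, so the review queue and the disclosure report come from the same audit records.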

The cost of not investing in effective privacy and security controls is a staggering $6 billion annually, with the average economic impact amounting to $2.1 million per healthcare organization, according to Ponemon figures. Even more telling is the fact that more than 90 percent of healthcare organizations said they experienced at least one data breach, with 40 percent experiencing more than five data breaches over the past two years.

Cyber-Security Measures

High-profile attacks like the ones that targeted Anthem and Premera—and even low-profile attacks that affect only a few individuals—should serve as a wake-up call to healthcare organizations to enhance their cyber-security efforts.

When working with your EHR and health IT developers, the Office of the National Coordinator for Health Information Technology recommends asking the following questions to help understand their privacy and security practices:

When my health IT developer installs its software for my practice, does its implementation process address security features such as encryption, auditing functions, backup and recovery routines, strong passwords, and more?

Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?

How much of my health IT developer’s training covers privacy and security awareness, requirements, and functions?

How does my backup and recovery system work? Where is the documentation? Where are the backups stored? How often do I test this recovery system?

How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?

Understanding the location of your sensitive data and putting security controls around it—such as data encryption, limiting network access to that data, and having in place an early alert system—are good starting points, says Jason Rebholz, principal consultant at cyber-security firm Mandiant.

Network segmentation—segmenting computer networks into sub-networks—also helps thwart a cyber-attack, as does securing accounts with strong passwords and changing them regularly. You also want to have someone in your organization with the technical expertise to be able to identify the scope of the compromise and what data is potentially at risk, Rebholz adds.

Incident Response Plan

Being well-prepared to respond to a data breach means having a response team in place before a breach even occurs, conducting a mock cyber-attack to test the preparedness of your team, and having partners and vendors on call to help with a response plan. Some large healthcare organizations have gone so far as to purchase cyber-insurance to cover the losses incurred by a breach.

According to the Ponemon Institute’s report, most healthcare organizations have an incident response process in place. Sixty-nine percent of organizations have a process with involvement from information technology, information security, and compliance.

“As opposed to an organization trying to invest more money in firewalls or other types of technical solutions to protect against an intrusion, at this point you almost have to assume your network has already been breached,” says Rick Kam, president of ID Experts, a data breach software and services provider. Looking at your internal systems and identifying where vulnerabilities lie, he says, will inform where you need to apply resources.

In the meantime, healthcare providers, as a class, are still struggling to deal with what is for them an elevated cyber-liability risk. Their low overall level of security, the high value of PHI, and regulatory oversight make any data breach a compliance nightmare waiting to happen. But as the mega breaches of 2014 and 2015 have amply shown, suffering a data breach in the healthcare sector is never a matter of if. It is a matter of when.