Closing the Data Risk Gap
Within the past year, health care insurers Anthem, Premera, and CareFirst Blue Cross Blue Shield all fell victim to hackers, with the attack on Anthem garnering the most media attention.
In the Anthem case, hackers obtained names, birthdays, email addresses, Social Security numbers or medical identification numbers, addresses and employment data, including income, from a database that had information on 80 million people across 14 states.
The weak upside to the hack was that no credit card or actual medical information — such as claims, test results or diagnostic codes — was stolen.
But to many observers, it comes as no shock that data security within the health care industry is vulnerable.
“Health care companies today are facing unprecedented threat levels whilst many are still battling to implement some of the most fundamental IT security controls,” said Graeme Newman, chief innovation officer at CFC Underwriting, a specialty lines underwriting agency based in London.
KPMG recently reported that health care organizations are at increased risk for cyber attacks because of the “richness and uniqueness of the information that health plans, doctors, hospitals, and other providers handle.”
Its report, “Health Care Cybersecurity Survey,” found that 81 percent of health care executives said their organizations were compromised by at least one malware, botnet or other cyber attack during the past two years.
Only half of the respondents felt adequately prepared to prevent attacks.
“The magnitude of the threat against health care information has grown exponentially, but the intention or spend in securing that information has not always followed,” said Michael Ebert, a KPMG partner and health care leader at the firm’s cyber practice.
The problem for risk managers is they have options, but little real authority, to deal with cyber security issues.
“A risk manager has the power to effect change, yes — ensure it, no,” said Ryan Kalember, senior vice president, product marketing, at Proofpoint, a cloud-based security and compliance firm.
Anthony Giandomenico, senior security strategist with Fortinet, a cyber security provider in Sunnyvale, Calif., said that an overall risk-based approach is necessary to build in information security and protect data assets.
Today’s sophisticated attacks, the complexity of networks, the volume of attacks and the fact that security budgets are always shrinking mean that standard best practices for security controls are insufficient, he said.
“There are many vulnerabilities within an organization — the key is for the security and risk management teams to understand the true risk to the business and make those vulnerabilities top priorities to address,” Giandomenico said.
Without a risk-based approach, security budgets may be misallocated, and ultimately the company suffers because too much effort and spending was focused on an area that had very little impact on the overall business, he said.
“This leaves the bigger risk impacts neglected, leaving the company less secure and more open to bigger impacts when breached,” Giandomenico said.
He said risk managers have a big part in this, but it’s up to the chief information security officers (CISOs) to work with risk managers to figure out how to interweave the security program into the company’s risk management program.
This is challenging for some CISOs who do not possess a strong business or risk management background.
Protected Health Information
In the typical organization, ensuring that health care records are properly secured is a matter of implementing many processes and technologies, depending on the myriad ways that protected health information (PHI) is actually used, both inside and outside electronic medical records systems.
“CISOs, let alone risk managers, are not typically empowered to ensure that all the right technologies are used and processes are implemented or followed, so it is imperative to collaborate across functions. Risk managers can play a key role in that,” Kalember said.
He added that different PHI applications have different implications for risk, and risk managers should be aware of the proper technologies and processes to secure those applications.
For example, data masking and anonymization for group health care data are two protection strategies. However, he said, risk managers will typically have to work with their broader IT and IT security teams to ensure the appropriate technologies and processes are actually implemented.
The challenges are many, said CFC’s Newman.
The health care industry is riddled with legacy IT platforms, many of which were built years ago when security was not top of mind, he said. Furthermore, IT budgets are often restricted and gaining board approval for significant investments into information security is not an easy task.
“But fundamentally, it is important to remember that this is an industry where data security is not the primary purpose, which is saving lives and providing vital health care services,” Newman said.
Newman said risk management teams within health care rightly focus primarily on issues such as patient safety. At the same time, he noted, health care data is hugely valuable, adding that there is a thriving underground market for the resale of medical data and increasing levels of interest from state-sponsored hacking groups.
Cyber Policy Purchases
Newman said that more than 90 percent of the world’s cyber insurance is purchased in the U.S., but to date, cyber policies have been very generic — for example, a retailer typically buys exactly the same policy as a hospital.
“Fundamentally, this is not right,” he said. “There are many very specific differences in exposure and this is what our specialist product aims to address.”
Keeping IT security a core part of any selection of vendors or partners is also crucial, he said.
When it comes to information security, he said, most companies will only really take it seriously when they start to lose business because of it.
He recommended risk managers undertake regular audits of all suppliers as a key component within an overall risk management program.
“Most companies still don’t do the basics,” he said. “We see countless cases where patient data is stored on unencrypted laptops or portable memory sticks.”
Losing these devices then results in serious financial loss, regulatory actions and significant reputational harm. In many cases, this can be mitigated by simply activating built-in encryption technology or installing one of the many third-party encryption technologies (at little to no cost).
Patch management is often neglected as well, he said.
Simply put, the vast majority of successful hacker attacks or malware outbreaks exploit known vulnerabilities. By patching systems on a regular basis and keeping applications up-to-date, these known vulnerabilities will be closed.
Risk managers also need to recognize that people generally are an organization’s biggest risk.
Data must be made available to employees to be useful, but all staff need to be made aware of the risks and trained on the steps that must be taken to ensure that data remains secure.
Austin, Texas-based Michael Bruemmer, vice president, consumer protection, at Experian Data Breach Resolution, said that sharing data with third parties is definitely a serious concern when it comes to data security.
To Bruemmer, the good news is there are steps risk managers can take to proactively plan for such an incident, including requiring vendors to have the same security standards in place as their own in-house security policies. “The recent proliferation of data breaches is spurring more companies to update contracts with third-party vendors to hold them liable in the event of a data breach,” he said. “And, specific to the health care industry, HIPAA and HITECH laws require any third parties handling protected health information to be liable.”
Since data breaches are not always preventable, Bruemmer recommended several strategies, in addition to having a data breach response plan.
First and foremost, he said, make sure vendors and partners are protected by a cyber insurance policy because that will indicate a high level of preparedness. Companies should also ensure third-party risks are accounted for within their own cyber insurance policy.
“Ideally, risk managers will have ensured in advance that third-party partners — such as their insurers — are abiding by the same data protection standards and their contracts hold them liable for data lost during a breach,” he said.
Another strategy is to conduct frequent security training for employees, and have regular communication with regulators about expectations.
“While it may be out of a risk manager’s control that employee data is lost in a breach, they should be prepared for how to respond to this type of incident,” he said, noting that cyber incidents can range anywhere from an “Anthem-type” data breach to a compromised implantable medical device.
Whether the entire workforce or just a small group is affected, a data breach is not a good reflection on the company and poses risks of lawsuits and regulatory fines.
To respond effectively, the response plan should especially consider how to communicate with and protect employees.
For example, Bruemmer said, employees are typically more active and engaged than customers after a data breach, so risk managers must be prepared to handle a higher volume of requests in their call center and online forums.
They should also account for a potentially higher redemption rate of identity theft protection services.
“It is definitely possible for an employee to file a lawsuit against their employer if they are impacted by a data breach,” he said. “As with any data breach, risk managers can account for this by having legal counsel available as part of their incident response plan.”