Health Care Cyber Risk

Closing the Data Risk Gap

Health care risk managers may not be able to stop data attacks, but they can follow some basic strategies to minimize the impact. 
By: | October 15, 2015 • 8 min read

Within the past year, health care insurers Anthem, Premera, and CareFirst Blue Cross Blue Shield all fell victim to hackers, with the attack on Anthem garnering the most media attention.

In the Anthem case, hackers obtained names, birthdays, email addresses, Social Security numbers or medical identification numbers, addresses and employment data, including income, from a database that had information on 80 million people across 14 states.

The weak upside to the hack was that no credit card or actual medical information — such as claims, test results or diagnostic codes — was stolen.

But to many observers, it comes as no shock that data security within the health care industry is vulnerable.

“Health care companies today are facing unprecedented threat levels whilst many are still battling to implement some of the most fundamental IT security controls,” said Graeme Newman, chief innovation officer at CFC Underwriting, a specialty lines underwriting agency based in London.

KPMG recently reported that health care organizations are at increased risk for cyber attacks because of the “richness and uniqueness of the information that health plans, doctors, hospitals, and other providers handle.”

Its report, “Health Care Cybersecurity Survey,” found that 81 percent of health care executives said their organizations were compromised by at least one malware, botnet or other cyber attack during the past two years.

Only half of the respondents felt adequately prepared to prevent attacks.

“The magnitude of the threat against health care information has grown exponentially, but the intention or spend in securing that information has not always followed,” said Michael Ebert, a KPMG partner and health care leader at the firm’s cyber practice.

Teamwork Needed

The problem for risk managers is that they have options but little real authority to deal with cyber security issues.

“A risk manager has the power to affect change, yes — ensure it, no,” said Ryan Kalember, senior vice president, product marketing, at Proofpoint, a cloud-based security and compliance firm.

Anthony Giandomenico, senior security strategist with Fortinet, a cyber security provider in Sunnyvale, Calif., said that an overall risk-based approach is necessary to build in information security and protect data assets.

Today’s sophisticated attacks, the complexity of networks, the volume of attacks and the fact that security budgets are always shrinking mean that standard best practices for security controls are insufficient, he said.

“There are many vulnerabilities within an organization — the key is for the security and risk management teams to understand the true risk to the business and make those vulnerabilities top priorities to address,” Giandomenico said.

Without a risk-based approach, security budgets may be misallocated, and ultimately the company suffers because too much effort and spending was focused on an area that had very little impact on the overall business, he said.

“This leaves the bigger risk impacts neglected, leaving the company less secure and more open to bigger impacts when breached,” Giandomenico said.
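To make the misallocation argument concrete, here is an added example (not from the article or from Fortinet) that ranks a handful of constructed findings two ways: by technical severity alone, and by expected PHI exposure. The scoring model (likelihood times records at stake) and all asset names and numbers are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str
    severity: float     # technical severity on a 0-10 CVSS-like scale
    likelihood: float   # estimated probability of exploitation within a year (0-1)
    phi_records: int    # PHI records exposed if the asset is compromised

    def business_risk(self) -> float:
        # Expected PHI exposure = likelihood x impact (records at stake).
        # Hypothetical model: a real program would also weigh cost, regulatory
        # exposure and patient-safety impact.
        return self.likelihood * self.phi_records


# Constructed findings for illustration only (not from any real assessment).
FINDINGS: List[Finding] = [
    Finding("marketing-web", "outdated CMS plugin", 9.8, 0.6, 0),
    Finding("emr-database", "unpatched DB server", 7.5, 0.3, 2_000_000),
    Finding("field-laptops", "no disk encryption", 5.0, 0.8, 200_000),
    Finding("lobby-kiosk", "default admin password", 6.0, 0.5, 1_000),
]


def by_severity(findings: List[Finding]) -> List[Finding]:
    """Rank by technical severity alone (the CVSS-first habit)."""
    return sorted(findings, key=lambda f: f.severity, reverse=True)


def by_business_risk(findings: List[Finding]) -> List[Finding]:
    """Rank by expected PHI exposure (the risk-based approach)."""
    return sorted(findings, key=Finding.business_risk, reverse=True)


def risk_removed(ranked: List[Finding], fixes_affordable: int) -> float:
    """Expected exposure eliminated when the budget only covers the first N fixes."""
    return sum(f.business_risk() for f in ranked[:fixes_affordable])


if __name__ == "__main__":
    total = sum(f.business_risk() for f in FINDINGS)
    for name, ranker in (("severity", by_severity), ("business risk", by_business_risk)):
        ranked = ranker(FINDINGS)
        print(f"Rank by {name}: fix {[f.asset for f in ranked[:2]]}, "
              f"removes {risk_removed(ranked, 2):,.0f} of {total:,.0f} expected exposed records")
```

With budget for only two fixes, severity-first spends one of them on a public website holding no PHI, while the risk-based order fixes the database and the laptops instead.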

He said risk managers have a big part in this, but it’s up to the chief information security officers (CISOs) to work with risk managers to figure out how to interweave the security program into the company’s risk management program.

This is challenging for some CISOs who do not possess a strong business or risk management background.

Protected Health Information

In the typical organization, ensuring that health care records are properly secured is a matter of implementing many processes and technologies, depending on the myriad ways that protected health information (PHI) is actually used, both inside and outside electronic medical records systems.

“CISOs, let alone risk managers, are not typically empowered to ensure that all the right technologies are used and processes are implemented or followed, so it is imperative to collaborate across functions. Risk managers can play a key role in that,” Kalember said.

He added that different PHI applications have different implications for risk, and risk managers should be aware of the proper technologies and processes to secure those applications.

For example, data masking and anonymization for group health care data are two protection strategies. However, he said, risk managers will typically have to work with their broader IT and IT security teams to ensure the appropriate technologies and processes are actually implemented.

The challenges are many, said CFC’s Newman.

The health care industry is riddled with legacy IT platforms, many of which were built years ago when security was not top of mind, he said. Furthermore, IT budgets are often restricted and gaining board approval for significant investments into information security is not an easy task.

“But fundamentally, it is important to remember that this is an industry where data security is not the primary purpose, which is saving lives and providing vital health care services,” Newman said.

Newman said risk management teams within health care rightly focus primarily on issues such as patient safety. At the same time, he noted, health care data is hugely valuable, adding that there is a thriving underground market for the resale of medical data and increasing levels of interest from state-sponsored hacking groups.

Cyber Policy Purchases

Newman said that more than 90 percent of the world’s cyber insurance is purchased in the U.S., but to date, cyber policies have been very generic — for example, a retailer typically buys exactly the same policy as a hospital.

“Fundamentally, this is not right,” he said. “There are many very specific differences in exposure and this is what our specialist product aims to address.”

Keeping IT security a core part of any selection of vendors or partners is also crucial, he said.

When it comes to information security, he said, most companies will only really take it seriously when they start to lose business because of it.

He recommended risk managers undertake regular audits of all suppliers as a key component within an overall risk management program.

“Most companies still don’t do the basics,” he said. “We see countless cases where patient data is stored on unencrypted laptops or portable memory sticks.”

Losing these devices then results in serious financial loss, regulatory actions and significant reputational harm. In many cases, this can be mitigated by simply activating built-in encryption technology or installing one of the many third-party encryption technologies (at little to no cost).

Patch management is often neglected as well, he said.

Simply put, the vast majority of successful hacker attacks or malware outbreaks exploit known vulnerabilities. By patching systems on a regular basis and keeping applications up-to-date, these known vulnerabilities will be closed.

Risk managers also need to recognize that people generally are an organization’s biggest risk.

Data must be made available to employees to be useful, but all staff need to be made aware of the risks and trained on the steps that must be taken to ensure that data remains secure.

Third-Party Risks

Austin, Texas-based Michael Bruemmer, vice president, consumer protection, at Experian Data Breach Resolution, said that sharing data with third parties is definitely a serious concern when it comes to data security.

To Bruemmer, the good news is there are steps risk managers can take to proactively plan for such an incident, including requiring vendors to have the same security standards in place as their own in-house security policies. “The recent proliferation of data breaches is spurring more companies to update contracts with third-party vendors to hold them liable in the event of a data breach,” he said. “And, specific to the health care industry, HIPAA and HITECH laws require any third parties handling protected health information to be liable.”

Since data breaches are not always preventable, Bruemmer recommended several strategies, in addition to having a data breach response plan.

First and foremost, he said, make sure vendors and partners are protected by a cyber insurance policy because that will indicate a high level of preparedness. Companies should also ensure third-party risks are accounted for within their own cyber insurance policy.

“Ideally, risk managers will have ensured in advance that third-party partners — such as their insurers — are abiding by the same data protection standards and their contracts hold them liable for data lost during a breach,” he said.

Another strategy is to conduct frequent security training for employees, and have regular communication with regulators about expectations.

“While it may be out of a risk manager’s control that employee data is lost in a breach, they should be prepared for how to respond to this type of incident,” he said, noting that cyber incidents can range anywhere from an “Anthem-type” data breach to a compromised implantable medical device.

Whether the entire workforce or just a small group is affected, a data breach is not a good reflection on the company and poses risks of lawsuits and regulatory fines.

To respond effectively, the response plan should especially consider how to communicate with and protect employees.

For example, Bruemmer said, employees are typically more active and engaged than customers after a data breach, so risk managers must be prepared for a higher volume of requests in their call center and online forums.

They should also account for a potentially higher redemption rate of identity theft protection services.

“It is definitely possible for an employee to file a lawsuit against their employer if they are impacted by a data breach,” he said. “As with any data breach, risk managers can account for this by having legal counsel available as part of their incident response plan.”

Tom Starner is a freelance business writer and editor. He can be reached at [email protected]

More from Risk & Insurance

4 Companies That Rocked It by Treating Injured Workers as Equals; Not Adversaries

The 2018 Teddy Award winners built their programs around people, not claims, and offer proof that a worker-centric approach is a smarter way to operate.
By: | October 30, 2018 • 3 min read

Across the workers’ compensation industry, the concept of a worker advocacy model has been around for a while, but has only seen notable adoption in recent years.

Even among those not adopting a formal advocacy approach, mindsets are shifting. Formerly claims-centric programs are becoming worker-centric and it’s a win all around: better outcomes; greater productivity; safer, healthier employees and a stronger bottom line.

That’s what you’ll see in this month’s issue of Risk & Insurance® when you read the profiles of the four recipients of the 2018 Theodore Roosevelt Workers’ Compensation and Disability Management Award, sponsored by PMA Companies. These four programs put workers front and center in everything they do.

“We were focused on building up a program with an eye on our partner experience. Cost was at the bottom of the list. Doing a better job by our partners was at the top,” said Steve Legg, director of risk management for Starbucks.

Starbucks put claims reporting in the hands of its partners, an exemplary act of trust. The coffee company also put itself in workers’ shoes to identify and remove points of friction.

That led to a call center run by Starbucks’ TPA and a dedicated telephonic case management team so that partners can speak to a live person without the frustration of ‘phone tag’ and unanswered questions.

Starbucks also implemented direct deposit for lost-time pay, eliminating stressful wait times for injured partners, and allowing them to focus on healing.

For Starbucks, as for all of the 2018 Teddy Award winners, the approach is netting measurable results. With higher partner satisfaction, it has seen a 50 percent decrease in litigation.

Teddy winner Main Line Health (MLH) adopted worker advocacy in a way that goes far beyond claims.

Employees who identify and report safety hazards can take credit for their actions by sending out a formal “Employee Safety Message” to nearly 11,000 mailboxes across the organization.

“The recognition is pretty cool,” said Steve Besack, system director, claims management and workers’ compensation for the health system.

MLH also takes a non-adversarial approach to workers with repeat injuries, seeing them as a resource for identifying areas of improvement.

“When you look at ‘repeat offenders’ in an unconventional way, they’re a great asset to the program, not a liability,” said Mike Miller, manager, workers’ compensation and employee safety for MLH.

Teddy winner Monmouth County, N.J., utilizes high-tech motion capture technology to reduce the chance of placing new hires in jobs that are likely to hurt them.

Monmouth County also adopted numerous wellness initiatives that help workers manage their weight and improve their wellbeing overall.

“You should see the looks on their faces when their cholesterol is down, they’ve lost weight and their blood sugar is better. We’ve had people lose 30 and 40 pounds,” said William McGuane, the county’s manager of benefits and workers’ compensation.

Do these sound like minor program elements? The math says otherwise: Claims severity has plunged from $5.5 million in 2009 to $1.3 million in 2017.

At the University of Pennsylvania, putting workers first means getting out from behind the desk and finding out what each one of them is tasked with, day in, day out — and looking for ways to make each of those tasks safer.

Regular observations across the sprawling campus have resulted in a phenomenal number of process and equipment changes that seem simple on their own, but in combination have created a substantially safer, healthier campus and improved employee morale.

UPenn’s workers’ comp costs, in the seven-digit figures in 2009, have been virtually cut in half.

Risk & Insurance® is proud to honor the work of these four organizations. We hope their stories inspire other organizations to be true partners with the employees they depend on.

Michelle Kerr is associate editor of Risk & Insurance. She can be reached at [email protected]