HIPAA Violations Are Just One of the Exposures in a Workers’ Comp Industry Cyber Attack

Cybersecurity threats are often overlooked in workers’ comp. Here’s what your company should watch out for.
By: | March 3, 2020

When a workers’ compensation payer is hacked, it’s not just financial data that’s vulnerable; an injured workers’ medical and personal data are also on the line. 

As more and more workers’ compensation insurers move to using artificial intelligence and machine learning in their claims management processes, this vulnerability will only increase. 

“We’ve heard a lot about artificial intelligence and machine learning over the last few years and how companies are using that for predictive analytics in various business functions to drive sales and be able to show the trends of customer habits, etc.,” said Robert Klob, president of the technology consulting firm Premier Mindset.   

Klob participated in a recent webinar, “How Do You Know Your MSP Compliance Data is Secure? Understanding and Preventing Cybersecurity Threats,” which examined issues of cyber security in workers’ compensation.

The presentation paid particular attention to the thorny issue of Medicare Secondary Compliance which, with its requirements of data sharing across public and private entities, can be particularly vulnerable to cyber attacks.  

Why Workers’ Comp Pros Should Care About Cybersecurity

Cybersecurity may not be an issue that’s top of mind for most workers’ compensation executives. 

The threat of ransomware or data breaches doesn’t top industry trends lists in the same way that opioid abuse, changing workforce demographics and regulatory issues do, even though more workers’ compensation professionals are anticipating a digital health care revolution

Despite the fact that this issue isn’t receiving the same level of attention as other threats to the industry, workers’ compensation is being targeted by data breaches, ransomware and other cyber threats. 

“In 2019, there were multiple municipalities and hospitals and other businesses that were the victims of ransomware attacks. We even saw one of the largest claims administrators shut down for several days because of a ransomware attack,” Mark Walls, vice president of communications and strategic analysis at Safety National, who spoke during a January webinar that highlighted workers’ compensation industry trends.

As workers’ compensation care providers turn more towards telemedicine and payers turn towards automation, risks of a data breach will grow. If a payer or provider gets hacked, HIPAA violations, reputational damage and interruption in injured worker care could all ensue. 

“Our clients are increasingly using technology throughout their processes. Insurers, employers, TPAs have been doing significant upgrades to their systems along these lines and beyond that with defense claimant attorneys that are handling data,” said Daniel Anders, chief compliance officer at Tower MSA Partners. 

Furthermore, given the many parties involved in a workers’ compensation claim, payers and providers may not have complete control over data security. If a third party administrator or a hospital that is working with an insurer to provide care or claims management gets hacked, sensitive data the workers’ compensation payer shared with them could be exposed. 

“You’ve got various entities that are involved in gathering this information and all potentially open to cyber attack,” Anders said. “We’re transmitting obviously thousands of pages of medical records and personal health information as well as identification information.”

In addition to compromising sensitive data, breaches and ransomware attacks can also lead to business interruption costs for workers’ compensation payers. For small insurers, these losses can be fatal.  

“Ten percent of small businesses breached shut down in 2019, and as a result of cyber crime, 69% of those businesses were forced offline for a limited amount of time, which means they had business loss. Thirty-seven percent of those experience financial loss,” said Chris Nyhuis, CEO of the cybersecurity firm Vigilant. 

Medicare Secondary Payer Compliance: A Cyber Security Nightmare

Within workers’ comp, Medicare Secondary Payer Compliance is a particularly vulnerable area for cyber attacks. 

“Once you identify someone as a Medicare beneficiary, you dive into even more data in terms of diagnoses and claims or dates of incident, policy numbers for the carrier, states of venue,” Anders said. 

“[That’s] a lot of information that’s tied personally to that claimant, information that’s tied to that particular business, to that particular RRE, [Responsible Reporting Entity], that’s being collected and ultimately reported.”

The data shared for Section 111 reporting compliance, which specifies who must report workers’ compensation data to the Centers for Medicare and Medicaid Services, what data must be reported and how it is reported, also creates cybersecurity problems. 

“Ten percent of small businesses breached shut down in 2019, and as a result of cyber crime, 69% of those businesses were forced offline for a limited amount of time, which means they had business loss. Thirty-seven percent of those experience financial loss.” — Chris Nyhuis, CEO, Vigilant

Even if your data is relatively secure, it could be exposed during a government hack. This is especially concerning. Due to the recent assassination of Iranian general Qasem Soleimani, the U.S. is increasingly becoming a target of cyber attacks from both Iran and Russia. 

“Right after Soleimani was taken out, if you look on the threat origin, Russia [had] 1,124 total occurrences. That is from one day. So what this is saying is in one day we had 539,000 total communications in and out of our system with 1,400 potential active threats,” said Jesse Shade, vice president of information technology at Tower MSA Partners. 

Since then, attacks from Russia have dropped, which causes Shade to speculate that the attacks were from Iranian hackers going through Russia. 

“Russia is no longer the top attacker, and those threats have dropped significantly. Actually they’re all but gone. Now that could’ve been Iran going through Russia,” he said. 

As cyberwarfare becomes an increasingly common form of retaliation companies need to be concerned about whether the data they’re sharing as part of Section 111 compliance requirements is secure.   

Cybersecurity Trends to Watch Out for in 2020

The webinar highlighted a number of cybersecurity trends that workers’ comp professionals should be aware of going into 2020. 

One is the transition from Windows 7 to Windows 10. Microsoft sunsetted Windows 7 in January of this year, which means that the system is no longer receiving security updates, leaving companies that have failed to switch over to Windows 10 vulnerable. 

“We saw an increase in attacks a few years ago when Microsoft sunsetted XP for Windows 7. And we anticipate the same for companies that haven’t moved to Windows 10 yet,” Kolb said.  

Another thing workers’ compensation payers should be aware of is the fact that systems are often infiltrated by hackers for months before an attack occurs. 

“In a lot of cases, once you find out that you’ve been breached, and there’s a data loss, a threat actor has been there for 99 days,” Nyhuis said.  

When threats go undetected for that long in your system, hackers have time to read and understand company policies to see how you’ll respond in the event of a breach. In the case of ransomware attacks, hackers will also look at a company’s financial data to see what kind of price they can demand.

 “They’re looking at all aspects of your business, particularly your financials and trying to figure out exactly, from a ransomware perspective, how much money would they pay to be able to get their environment back or un-encrypt everything that we’ve encrypt,” Kolb said. 

“[They read their] financials. They read their disaster recovery plan. They read their security policies. They knew everything about the way that this organization was going to respond to what they were doing,” Nyhuis added. 

Once they have this sensitive data, cyber criminals use it to their benefit. Nyhuis gave the example of one hacker who learned from reading a company’s cybersecurity policy that they backed up their information on the cloud for six months and then the data was rolled off. 

The hacker corrupted the cloud so that the information wouldn’t back up, waited six months and then deleted all the information of their server. Since their cloud was corrupted, the company was unable to restore any of that data. 

The hacker then called the CEO, whose phone number he got from the cyber security policy, and demanded $4 million. “Attackers can come into your environment and sit there for months and months and months, learn about you and then take you down to steal your data,” Nyhuis said. &

Courtney DuChene is a freelance journalist based in Philadelphia. She can be reached at [email protected].

More from Risk & Insurance