Preventing and Responding to Cyber Attacks
- By Ronale Tucker Rhodes, MS
A SURVEY CONDUCTED by the American Medical Association and Accenture in 2017 revealed more than four in five U.S. physicians (83 percent) had experienced some form of cyber attack. And 55 percent of the 1,300 physicians responding to the survey were either very or extremely concerned about future attacks on their practice. Their main concerns were that future attacks could interrupt their clinical practices (74 percent), compromise the security of patient records (74 percent) or affect patient safety (53 percent). And, while these attacks were twice as likely to happen to physicians in medium and large practices as to those in small practices, even small physician practices are easy targets.[1]
The most common type of cyber attack reported by survey respondents was phishing (55 percent), followed by computer viruses (48 percent). But cyber attacks are also increasingly coming in the form of ransomware, in which an organization’s data is scrambled by an attacker who promises to unscramble it for a price. Indeed, in 2016, the healthcare industry was the victim of 88 percent of all ransomware attacks in the U.S. The reason: Cyber criminals know healthcare organizations tend to pay the ransom demanded in return for patient data.[2] And patient data is lucrative: Medical information is worth 10 times more than a credit card number on the black market.[3] What’s more, hospitals are the most vulnerable, with a prediction that ransomware attacks will quadruple by 2020.[4]
Steps to Preventing a Cyber Attack
The most effective way to prevent cyber attacks is to implement cybersecurity best practices, which involve a combination of employee training and technology safeguards.
Unfortunately, employee training often takes a back seat to technology safeguards. This is an oversight, because employees are the biggest potential vulnerability and should be trained to recognize potential scams related to both digital and paper breaches, says Paige Schaffer, president and CEO of Generali Global Assistance’s Identity and Digital Protection Services Global Unit.[3] According to the U.S. Department of Health and Human Services, which manages breaches of unsecured protected health information (PHI) affecting 500 or more individuals, in the last six months of 2017 almost three million individuals were affected by breaches ranging from leaked paper and films, to email security breaches (often the result of poor network security), to lost portable electronic devices, to breaches that occurred through a desktop computer.[5] Schaffer recommends employees be trained to:[3]
- Keep digital files instead of physical ones whenever possible;
- Safeguard paper files with as much vigilance as digital ones;
- Collect only the information needed; and
- Shred any physical documents they no longer need.
In addition, written cyber policies on how to protect devices and data should be provided to employees, and HIPAA (Health Insurance Portability and Accountability Act) training should be mandatory. In fact, HIPAA requires healthcare organizations to provide training for all employees and to provide periodic refresher training. And, while “periodic” is not defined, annual training is considered best practice.[6]
Organizations should also conduct annual HIPAA risk assessments. Indeed, government regulations require health care providers to submit their systems to an annual security evaluation.[7]
From a technology standpoint, the following are best practice steps:
Devices. Inventory hardware by listing all devices that belong to the practice, providers and employees, and determine which ones access PHI and which portable devices can be removed from the practice. Those left in the practice should be locked up after business hours. All devices should have passwords and go into sleep mode when left idle. And, settings should be enabled to allow someone in the practice to wipe all devices remotely if they go missing.[8] Organizations that let employees bring their own devices to work should establish a well-defined bring-your-own-device policy to help prevent infected devices from introducing malware into the organization’s network and infecting other devices.[9]
Data. Stored and transmitted PHI can be protected by encrypting sensitive information such as medical records, addresses, Social Security numbers, etc. Even data that is stored and not actively used should be encrypted.[9]
Data access should be carefully controlled. One way to do this is to designate different access levels. For instance, a receptionist may not need to see a patient’s full record. In addition, passwords should be changed regularly, and passwords should be disabled for employees who leave the organization’s employment.[8]
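The access-level idea above, shown as an added example (not code from the article or from any cited source): each job role sees only the record fields it needs, and an offboarded employee’s account is refused outright. The roles, field split and sample patient record are constructed assumptions.

```python
"""Least-privilege access to a patient record, keyed on job role.

Constructed example: roles, field groups and the sample record are
illustrative assumptions, not any real practice's policy.
"""
from dataclasses import dataclass

# Constructed sample record: field name -> value (no real PHI).
SAMPLE_RECORD = {
    "name": "Pat Example",
    "phone": "555-0100",
    "next_appointment": "2024-06-01 09:00",
    "insurance_id": "INS-000-TEST",
    "diagnoses": ["hypertension"],
    "medications": ["lisinopril 10mg"],
    "clinical_notes": "BP stable at follow-up.",
}

# Access levels (assumed split): each role gets only the fields its job needs.
ROLE_FIELDS = {
    "receptionist": {"name", "phone", "next_appointment"},
    "billing": {"name", "insurance_id"},
    "clinician": set(SAMPLE_RECORD),  # full chart
}


@dataclass
class Account:
    username: str
    role: str
    active: bool = True  # set False when the employee leaves


def view_record(account: Account, record: dict) -> dict:
    """Return the subset of `record` this account may see, or raise."""
    if not account.active:
        raise PermissionError(f"account {account.username} is disabled")
    allowed = ROLE_FIELDS.get(account.role)
    if allowed is None:
        raise PermissionError(f"unknown role {account.role!r}")
    return {k: v for k, v in record.items() if k in allowed}


def can_view(account: Account, record: dict) -> bool:
    """True if the account is granted any view of the record."""
    try:
        view_record(account, record)
        return True
    except PermissionError:
        return False


def offboard(account: Account) -> Account:
    """Disable an account when the employee leaves; returns it for chaining."""
    account.active = False
    return account
```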
Networks. While guests often expect Internet access at healthcare facilities, they should not be allowed to access the same network healthcare workers use. Instead, subnets (separate networks) should be created for workers and guests, access keys should be changed regularly and all data should be encrypted.[9] However, while subnets will prevent local cyber attacks, they can’t always protect against attacks coming from the outside. For that, patient data should be covered by a company-grade advanced network security system that can quickly detect indicators of compromise.[7]
Insurance. Lastly, although it is a relatively new offering, most major insurers now provide cyber insurance to help mitigate losses from data breaches. Providers can ask about specific cybersecurity policies or tools that can help reduce premiums.[8]
Responding to a Cyber Attack
For most healthcare facilities, it’s not a matter of if but when a data breach will occur. Therefore, a response plan must be established. Tom Saine, chief information officer for Spok, a company that specializes in healthcare communications, outlines eight steps organizations should take to respond to a cyber attack:[10]
1) Create a response team that includes representatives from the organization’s executive, IT, legal, risk management, privacy, public relations/marketing and customer service teams, as well as any required third parties to develop, document and maintain an incident response plan. The plan should define how to determine whether a breach is occurring, what information to collect about the breach and how, and who to notify under what circumstances.
2) When a breach has occurred, determine how to put the response plan in motion.
3) Identify the source of the breach and how it was caused, and then quarantine the affected system and remove the attacker.
4) Once the breach is contained, hire an external team of experts to perform testing to ensure the issue is fixed and to identify other unknown issues that a future attacker could exploit.
5) Have investigators perform a root cause analysis to prevent the problem from reoccurring.
6) Perform a risk assessment to determine whether the 2013 HIPAA Omnibus Final Rule applies to the breach. According to the rule, hospitals must perform notifications for any breach involving unsecured PHI unless the covered entity can demonstrate there is a low probability the PHI has been compromised.
7) If notification is required, the organization must contact the affected individuals no later than 60 days from the discovery of the breach. And, if the breach involves more than 500 individuals, details must be provided to the U.S. Department of Health and Human Services, and prominent media outlets in the region must be notified.
8) Continually evaluate the plan and implement policies, procedures and technology updates.
Preparing for the Future
History leaves no question that healthcare data breaches are going to increase. Employees are going to fall victim to scams, and providers are continuing to transition to electronic data storage and transmission. Yet, while no security system can ever be 100 percent secure, applying best practices can certainly reduce the most common, controllable types of breaches.
References
1. How Cybersecurity Is a Serious Problem for Physicians. Security, Dec. 20, 2017. Accessed at www.securitymagazine.com/articles/88589-how-cybersecurity-is-a-serious-problem-for-physicians.
2. Mulero A. Charts: Must-Know Healthcare Cybersecurity Statistics. Healthcare Dive, Feb. 27, 2017. Accessed at www.healthcaredive.com/news/must-know-healthcare-cybersecurity-statistics/435983.
3. Schaffer P. Data Breaches on the Rise: How Healthcare Organizations Can Protect Against Medical Identity Theft. Healthcare Analytics News, July 3, 2018. Accessed at www.hcanews.com/news/data-breaches-on-the-rise-how-healthcare-organizations-can-protect-against-medical-identity-theft.
4. Mello JP. Healthcare Security $65 Billion Market. Cybersecurity Ventures, April 6, 2017. Accessed at cybersecurityventures.com/healthcare-cybersecurity-report-2017.
5. Kleyman B. How to Prevent a Healthcare Data Breach in 2018. HealthITSecurity, Dec. 18, 2017. Accessed at healthitsecurity.com/news/how-to-prevent-a-healthcare-data-breach-in-2018.
6. 7 Common Questions Regarding OSHA and HIPAA Training Requirements for Dental and Medical Offices. Medsafe, Dec. 16, 2015. Accessed at www.medsafe.com/blog/compliance-topics/7-common-questions-regarding-osha-and-hipaa-training-requirements-for-dental-and-medical-offices.
7. 5 Ways Providers Can Prevent Patient Data Breaches. HIT Consultant, May 30, 2016. Accessed at hitconsultant.net/2016/05/30/34095.
8. Avoiding Medical Office Data Breaches in Four Steps. ReminderCall.com, May 5, 2017. Accessed at www.remindercall.com/medical-office-data-breaches.
9. Cybersecurity Association of Maryland. How to Prevent Data Breaches in Healthcare Organizations. Accessed at www.mdcyber.com/blog/how-to-prevent-data-breaches-in-healthcare-organizations.
10. Saine T. 8 Steps to Take in the Event of a Data Breach at Your Hospital. Spok, May 16, 2017. Accessed at www.spok.com/blog/8-steps-take-event-data-breach-your-hospital.