In today’s digital world, the persistent threat of cyberattacks has become a business issue facing all industries, especially health care companies. Two-thirds of the 1,100 senior IT security executives at large enterprises surveyed worldwide have experienced a security breach, and 20% of them reported being hacked within the past year, according to a survey conducted by data protection company Vormetric. The same survey reported that 91% of companies across the globe feel vulnerable to hacks.
No industry has been hit harder by cyber invasion than the health care industry, where companies work with private documents, proprietary medical records, and personal patient information on a daily basis. The numbers are staggering: last year alone, 100 million medical records were compromised from more than 8,000 client devices in over 100 countries across the globe, according to IBM’s recent “2016 Cyber Security Intelligence Index.” The attacks are not slowing down, as cybercriminals are becoming more adept at slipping into computer networks undetected and finding new ways to monetize their efforts.
More and more health care companies are now being forced to pay expensive ransoms just to get their stolen information returned. Modern Healthcare Magazine reported that six health care systems, including large provider MedStar, were recent victims of ransomware attacks. One of the most notable victims was Hollywood Presbyterian Medical Center, which agreed to pay $17,000 worth of bitcoins to a group of criminal hackers back in February to regain control of its computer network.
This high-profile crime serves as a reminder for all organizations to reevaluate their cybersecurity protocols. Regardless of your company’s cybersecurity budget, increasing your prevention and protection measures can effectively deter cybercrimes. Here are three primary strategies every CFO should implement to fight off cyberattacks.
Be Proactive
It’s always better to be safe than sorry. Every health care CFO needs to think about what’s at risk. They need to identify their companies’ crown jewels and do everything they can to ensure their enterprises’ safety. In the health care setting, patient data is the primary target. The adoption rate of electronic health record systems and use of computerized physician order entry may lead providers to think that cyber insurance is necessary only if they are using certain kinds of software.
But the reality is that paper records, the use of smartphones and other devices, and employee error all create exposure for health care providers. As health care delivery shifts toward an outpatient, or even an in-home, model, attention to BYOD (bring your own device) exposures should increase.
Understanding where and how a system stores its confidential patient information is critical. Robust security policies and procedures are essential not only for employees, but also voluntary attending physicians, contractors, vendors, and other business associates. A strong Business Associate Agreement outlining responsibilities and liability for these third parties is critical.
With regard to the ever-expanding use of smartphones and PDAs, it’s imperative to preemptively encrypt all of a company’s mobile assets and to enable remote wiping if a device is lost or stolen. If employees transact business on mobile devices, CFOs should make sure they use secure mobile apps, such as Good Technology or IronBox Secure File Transfer, which can provide a level of security for the company’s mobile devices.
Any apps used by the company should be thoroughly vetted by the IT department and come from a reputable company. Employees should also be trained on what actions they can take to prevent a breach. For instance, they should be taught to identify email scams and know when not to mix personal devices with work tools.
Social engineering, or “deception fraud,” is a commonly used and very simple method of tricking people into providing sensitive data like Social Security numbers. These confidence schemes use techniques such as phishing, pretexting, and impersonation, and they can result in financial loss. Companies of all sizes are targeted every day.
The best way CFOs can ensure their companies are protected is to create robust systems, policies, and procedures and to ensure they’re well communicated throughout the enterprise. But risk prevention alone is no longer sufficient. Securing the best possible cyber coverage (network security and privacy liability insurance) is equally important.
Cyber liability insurance is not standardized and can come with procedural requirements and significant exclusions. Knowing what your company’s policy covers will help avoid denied claims. A detailed planning session including risk management, IT, and senior leadership, perhaps as part of an enterprise risk management (ERM) process, is a recommended practice.
Have a Plan Mapped Out
Hacked organizations can face fines and public scrutiny that can destroy a reputation built on decades of trust and success. A breach can lead to lost productivity, lost revenue, and the potential exposure of confidential patient information. As seen in recent cases of ransomware, the hospitals targeted were forced to revert to business continuity plans and IT downtime procedures like manual record keeping, scheduling, and billing.
Health care CFOs must have a response plan in place to mitigate these effects. Successful cybersecurity response strategies are all about repetitive training. A little bit of practice and planning goes a long way. The primary objective in designing an incident response strategy is to create an actionable plan. The strategy should account for places, people, and procedures, and should be applicable to multiple situations. Be inclusive in your employee education and communication before and during your response. Include software developers, call centers, physicians, and other critical third parties in all training sessions.
Identify Your Weaknesses
Health care finance chiefs should have their companies’ IT departments, or third-party technology services vendors they hire, conduct vulnerability and penetration tests and try to hack into company systems. This is a great way for CFOs to find out whether their companies are using their security technologies effectively.
It will also enable CFOs to see whether their companies are vulnerable and where systems may have weaknesses. Use social engineering exercises to test the weakest link in the security chain: the company’s own staff. In this case, a social engineering attack would involve tricking people into breaking normal security procedures by creating a sudden sense of urgency. Scammers, for example, will call an authorized employee with some kind of urgent problem that requires immediate network access. To prevent this from happening, employees must remember never to respond to such rushed requests for confidential information by email or phone. Many scam artists rush the process so that they can get what they need quickly enough to evade a background check.
Human error is the leading cause of the security openings that hackers leverage. A thorough IT vulnerability assessment can help finance chiefs understand whether their companies’ security policies and awareness programs will actually prevent outsiders from obtaining valuable information or confidential patient data directly from their companies’ employees.
Tony Consoli is president of the Mid-Atlantic region at CBIZ Insurance Services.