Most boards of directors are beginning to understand the grave consequences of not paying close attention to information risk management. All of the items below have relevance for all board members, not just those in healthcare.
This article was originally published on Directors&Boards.com
As data breaches increase, many companies are now legally responsible for the actions of their business associates, including health insurers. And some of the biggest data breaches in the last several years have occurred when seemingly low-risk vendors (like heating & cooling companies) have gotten hacked, opening a back door to corporations’ most sensitive data assets.
1. Data breaches occur in a multitude of ways, and all of them can be costly.
While large-scale hacking events make the headlines (like recent data breaches at Premera, Anthem, and CareFirst), breaches can happen in a variety of ways that don’t involve hackers: burglaries, employees snooping into health records, lost or stolen laptops containing unencrypted data, and many more. There’s still a surprising number of non-digital data breaches involving improper disposal of paper records, misplaced x-rays and other images, and the like.
Here are a few examples:
- Cedar-Sinai Hospital fired six employees for snooping into the health records of Kim Kardashian during the delivery of her child in 2013. There have been many other highly publicized celebrity-snooping incidents involving stars like George Clooney and the late Farrah Fawcett.
- Last year, Northfield Hospital in Minnesota reported a data breach involving about 1,800 documents containing patients’ Protected Health Information (PHI) that had not been shredded before being sent to a commercial dumpster.
- Advocate Health Care in Illinois experienced a data breach that was the result of a burglary, not a hack. Thieves stole four laptops from unmonitored rooms – and the computers contained unencrypted Social Security numbers and PHI of about four million people.
Don’t neglect to include equipment and facility security in your plan, and ensure consistent application of sanctions to those who break the rules, intentionally or not.
2. The costs associated with data breaches are no longer high – they’re staggering.
It’s been estimated that Anthem will exhaust its $100 million cyber-insurance policy just to cover the cost of notifying the 80 million people whose data was compromised. The insurer is also facing an avalanche of other costs, including IT system remediation and looming class-action lawsuits. A study by Temple University’s Beasley School of Law found that the average settlement award in data breach class-action suits is $2,500 per plaintiff, with mean attorney fees of $1.2 million. If all 80 million people eventually receive that amount, Anthem’s losses would be greater than $200 billion. A recent ruling by the California District handed down in the Adobe breach case stated that the “increased risk of future harm” may be sufficient to confer standing to the victims. There was “no need to speculate as to whether the hackers intend to misuse the information …” thereby allowing a putative class of plaintiffs to proceed in Federal court. So the intent to misuse the information, and the ability to do so, is now a critical factor in determination of a class-action suit.
3. Boards are being held more accountable each year.
The Federal Trade Commission is now invoking the False Claim Act against healthcare organizations (and any of their business associates) whose websites claim that patient data is protected and then experience a data breach. And the Securities and Exchange Commission has already stated that boards of organizations responsible for safeguarding PHI will be held accountable for lax security policies.
While many healthcare organizations are not public companies, boards should be aware that they may still have reporting requirements. The Securities and Exchange Commission has suggested that the following disclosures might be appropriate:
- Discussion of the organization’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences.
- To the extent the organization outsources functions that have material cybersecurity risks, descriptions of those functions and how the company addresses those risks.
- Description of cyber incidents experienced by the organization that are individually (or in the aggregate) material, including a description of the costs and consequences, plus risks related to cyber incidents that may remain undetected for an extended period.
- Description of relevant insurance coverage (more on this later).
Although Target Corp. has already replaced its CIO and is looking for a new CEO in the wake of its major data breach, Institution Shareholder Services is calling for the company to replace seven of the 10 members of its board of directors.
4. Roughly 90 percent of data breaches are caused by an organization’s own employees and business associates.
As a trustee, your biggest worry shouldn’t be international cyber-espionage teams. Insiders are responsible for more than 9 out of 10 data breaches. According to the latest data from the Office for Civil Rights, business associates are responsible for almost 60 percent of those breaches. BAs work on behalf of healthcare organizations in numerous ways: billing and collections, IT services, benefits administration and so on. Many of the BAs that have reported breaches are household names that include Iron Mountain, McKesson, ADP and K-Mart. Make sure you have risk-rated your BA inventory based on the amount of data, the sensitivity of that information, the criticality to your organization and the BAs’ breach or incident history. It’s a good time to ensure you have a backup plan if your BA breaches a material requirement in the contract.
5. The vast majority of data breaches are preventable through effective policies and training.
All employees need a thorough introduction to the organization’s policies and processes concerning data security: reporting suspicious activity, password protection, encryption, and more. This training and education needs to be much more comprehensive than a perfunctory online tutorial.
Here are some examples of breaches that could have been prevented with adequate training and policy enforcement:
- Last year, Penn State Hospital’s system was breached when an employee used a personal email account to send PHI to physicians.
- According to many sources, the Anthem breach occurred when several employees clicked on “phishing” links in ordinary email that enabled thieves to obtain their passwords.
6. Some breaches don’t involve data theft, but pure malice.
A growing number of hackers aren’t interested in stealing financial data, but are instead intent on tampering with medical devices and altering health records. Studies show that it’s relatively easy for digital intruders to change the dosages on infusion pumps or modify defibrillator settings (causing them to either send a massive shock or not work at all). One study found that even surgery robots are vulnerable.
Then there are the hackers that will hold your information for ransom (with the help of software called “ransomware”), which allows the bad guys to encrypt your data and hold it hostage until you pay a ransom to get it released.
7. Cyber-insurance is very expensive, and may only cover a portion of the total costs of a data breach.
Cyber-liability insurance for a healthcare organization can carry annual premiums in the $200,000 range and deductibles as high as $500,000. These numbers are likely to grow larger as courts quantify damages in future cases, resulting in costly settlements typically covered by insurance. Cyber-insurance usually covers investigation, defending against lawsuits and other claims, business interruption, third-party liability and the cost of a regulatory investigation. Get it while it’s still (somewhat) affordable.
And be sure to read and understand the details of your policy’s obligations to protect the data. In a complaint filed in U.S. District Court in California, an insurance company is denying a claim following a data breach because the healthcare provider and their business associate failed to follow “minimum required practices” as spelled out in the policy because they failed to install encryption.
8. Most organizations have not conducted a NIST-based Information Risk Management analysis/audit.
The AHA cybersecurity guide for trustees recommends implementing the NIST Cybersecurity Framework and adhering to its key benchmarks. Yet only a fraction of hospitals and health systems in the U.S. have even conducted a NIST-based information risk management analysis to provide baseline metrics. Most of the healthcare organizations that have experienced serious data breaches failed to do a thorough analysis/audit of their risks beforehand.
Remember that risk management is an ongoing process. It’s wise to establish a governance or oversight committee to ensure that you’re staying regularly informed about new threats and vulnerabilities, in addition to progress on remediation plans.
Hospital trustees aren’t expected to be technical gurus or compliance experts, but they must be familiar with the security issues highlighted in this article. Armed with this information, hospital boards can help their organizations avoid the colossal costs and reputational damage arising from preventable data breaches.
This article was originally published on Directors&Boards.com
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis: OCR-Quality Audits | Another opportunity to provide assurance to leadership - March 22, 2017
- HIPAA Risk Analysis Tip – OCR CAP Data: Learn Why 9 of 10 Organizations Fail - January 28, 2017
- The Importance of Improving Medical Device Security - November 14, 2016