Cyber security in the healthcare industry has become imperative as data breaches and security incidents have surged in the last year, exposing patients’ personal medical records to cyber thieves. Experts have reported that medical records, which often contain Social Security numbers, insurance IDs, addresses and medical details, are more valuable to cyber criminals than stolen credit card information.
As the healthcare industry continues to be a target for data breaches, healthcare executives must ensure that their companies have an effective cyber risk management plan in place. The goal of the plan should be to try and prevent confidential material from being stolen but it should also focus on mitigating harm when a breach occurs.
How to Implement Proper Cyber Security for Your Healthcare Organization
In order to mitigate a breach, healthcare organizations should institute a formal data breach plan developed jointly by the IT and risk management departments. A data breach plan should include the following:
- Who to report the suspected breach to.
- The IT department’s role in responding to the potential threat, such as quarantining the system or taking it offline until the situation has been resolved.
- Engaging outside vendors, including a forensics team to investigate the threat and a public relations firm to address proper communication to affected individuals and the public.
- A law firm that can handle potential class action suits and is knowledgeable about how to comply with the different state notification laws.
Cyber Liability Insurance
An organization’s risk management program should also include a cyber liability insurance policy to adequately protect the company in the event of a data breach. Healthcare companies should review their policy on an annual basis to see if it includes the main coverage components, such as:
First-Party Expense Coverage. This coverage pays for the costs of notifying affected individuals of the breach. It also covers the cost of other outside vendors engaged to manage and mitigate the cyber incident (such as a public relations firm).
Third-Party Coverage. This coverage pays for liability claims arising from failure with the company’s network security and failure to protect personal information, as well as confidential corporate information. Coverage should also be provided for associated regulatory actions, including HIPAA/HITECH.
Network Business Interruption Coverage. This covers loss of income due to a network security failure, such as a denial of service attack.
Cyber Extortion Coverage. The policy should also include coverage that responds to threats of intentional security attacks by an outsider attempting to extort money from the company.
Ensuring your organization has the right coverage is not the only way to be protected against cyber threats. A comprehensive risk management program should also include educating and training employees on cyber security issues.
Spear phishing, for example, is a highly targeted email scam that appears to come from an individual the victim knows but is really sent by a criminal hacker. A large Philadelphia health system was recently breached in this fashion. These emails typically ask the recipient for confidential information. Organizations should warn employees about these suspicious emails. Employees should also verify the request by phone with the intended recipient before transmitting any confidential information.
Because we are in an era of BYOD (bring your own device) at work, employees can work remotely and transmit sensitive data at any time, which could lead to a breach. Companies should consider deploying encryption technology so that health information stored on or sent from laptops, tablets and smartphones is protected. Mobile devices should also require a password to unlock the screen. Technology that “wipes” the device of all data if it is lost or stolen should also be installed.
If a company takes the time to carefully review its cyber risk management program, it is more likely to avoid a breach and prevent sensitive data from being exposed to cyber criminals.