When we see a financial services company – like Citigroup or Equifax – fall victim to a major data breach, or when we see a major retailer – like Target or TJX – fall victim to a breach, it makes sense. Much like robbing a physical bank or a convenience store, it makes sense because they hold and control large amounts of money. If you’re looking for a financial payoff from your criminal activities, you go where the money is.
What may seem to make less sense is when a company like Anthem, or a health group like Verity Medical Group, falls victim to a data breach. What do malicious actors have to gain from compromising the networks and data of a healthcare company?
To get the answer to that question, we sat down with two cyber insurance and cyber risk experts, Brett Anderson, a Breach Response Services Manager, and Frank Quinn, a Breach Response Risk Manager, both at Beazley Breach Response, the cyber insurance division of the specialty insurer with three decades of experience working with clients worldwide.
The company recently released its “US Healthcare Data Breach Insights Report,” which details the risks facing American healthcare companies and breaks down the kinds of attacks that healthcare companies are facing. A complimentary copy of that report can be downloaded by clicking HERE.
During my discussion with Brett and Frank, we talked about the report’s findings, why malicious actors attack healthcare companies, what they can do to protect themselves and if they feel that healthcare companies are doing enough to protect themselves against breach – including purchasing cyber insurance.
Here is what they had to say:
Insurance Tech Insider (ITI): What does the threat landscape look like for healthcare organizations? Who would want to compromise healthcare data and why?
Frank Quinn: The threat landscape is active and full of challenges for healthcare organizations. A typical patient medical record contains not only sensitive personally identifiable information, such as Social Security numbers and medical account numbers, but also information about physical and mental health conditions, treatments, and prescriptions.
These elements taken together constitute protected health information (PHI), which is very attractive to criminals. PHI is valuable; theft of PHI has led to identity theft and insurance fraud, and also to extortion demands where healthcare organizations face the threat of external disclosure of PHI.
ITI: How do healthcare organizations rank in terms of priority among malicious actors? Obviously financial services and retail are among the top targets for data thieves…but how do healthcare organizations compare?
Frank Quinn: Healthcare is often targeted due to the robust nature of PHI and the volume of data maintained by healthcare organizations. Medical records generally trade on the black market at rates higher than credit card numbers, for example. Of the over 7,000 data incidents managed by Beazley’s Breach Response (BBR) Services team, the vast majority come from the healthcare sector.
ITI: Your report found that unintended disclosure accounted for the largest percentage of healthcare data breach incidents. What does “unintended disclosure” entail and include? Why is it harmful to the company and its patients?
Frank Quinn: Unintended disclosure refers to disclosure of PHI to the wrong recipient. Most often, unintended disclosure involves carelessness, whether it’s an email containing PHI sent to the wrong recipient, discharge instructions given to the wrong patient, or patient records transmitted or faxed to the wrong destination.
The federal Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to investigate unintended disclosures to determine if there is a HIPAA breach and – if so – to notify affected individuals, which can have operational and reputational costs. Because the healthcare organization must also report breaches to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) – the agency that enforces HIPAA – unintended disclosures may open the door to an expensive investigation of the organization’s overall HIPAA compliance program.
ITI: How can healthcare organizations fight against unintended disclosure? What processes and technologies can they look at to eliminate the threat of unintended disclosure?
Frank Quinn: The number one control involves workforce training regarding how employees and staff must protect PHI. Organizations should train employees to verify patient identities by confirming at least two pieces of information, such as full name and date of birth or insurance number. Before sending any PHI electronically, employees should double-check the email address or fax number to confirm they’re sending it to the right recipient. Employees should include only the minimum PHI necessary for the communication.
Technologies such as encrypted email, patient portals, and data loss prevention software can also assist, if they’re configured properly and employees are trained how to use them. We live in a world where technology allows us to immediately communicate and we have to train staff to slow down and take their time, given the potentially drastic consequences of mishandling this data.
ITI: What kinds of breach incidents comprised the other 59 percent of breach incidents reported?
Brett Anderson: Insider incidents – such as an employee intentionally looking at the patient record of a family member or local celebrity without authorization – made up another 15 percent, meaning that more than half of incidents are caused by employee behavior.
Organizations can reduce risks through training, creating a culture that takes reporting and investigation seriously, and auditing access to electronic medical records. External causes of breaches include hacking or malware, theft or loss of portable devices or of paper records, and social engineering.
ITI: In your opinion, are healthcare companies doing enough to combat and mitigate their risk of data breach?
Brett Anderson: Healthcare organizations are hit from all sides in terms of regulations that require operational changes, so it is no surprise that healthcare organizations are challenged and playing catch-up regarding privacy and security best practices.
Healthcare, in general, seems to have moved forward in terms of awareness but we still hear too many CISOs not able to get the budget they need to hire skilled information security staff or even to implement basic security controls such as full-disk or full-device encryption. In fact, today having multi-factor authentication is becoming a best practice, and most healthcare organizations will be in catch-up mode on this.
ITI: Just based on your own experience, what percentage of healthcare organizations would you say have implemented a cyber security or data breach insurance policy? Is this in line with other markets and industries? Do you anticipate that number increasing in the near future?
Brett Anderson: In general, only about one-third of businesses have purchased a cyber liability policy but healthcare is slightly higher. We do expect a large increase of buyers in the next 3-5 years.
ITI: What services is Beazley offering healthcare and other companies against cyber risks and data breaches?
Brett Anderson: Beazley has been underwriting cyber insurance to the healthcare sector and other sectors for almost two decades. Our Beazley Breach Response (BBR) product provides turn-key incident investigation and breach response services managed by our BBR Services team.
Through our interaction with thousands of the nation’s healthcare organizations, we know that many organizations need help before an incident arises, that is, help to prevent a breach. Our services portfolio contains, in addition to our breach response services, many pre-breach and post-breach risk management services and resources available to our policyholders. Beazley offers an array of proactive technical services pre-incident, a comprehensive breach response service during the cyber incident, and an advisory service after a breach to shore up security.
ITI: How do these services benefit customers both before and after they fall victim to a breach?
Brett Anderson: Beazley recognizes that preparing for and preventing breaches have become inseparable from insuring against data breaches. With the increasing need for pre-breach and cyber security services, Beazley established Lodestone Security LLC, a wholly owned subsidiary of Beazley plc, to offer both strategic and tactical services and expertise so that small and mid-sized organizations can enhance their cyber defenses before an incident occurs.
On our risk management information portal, BeazleyBreachSolutions.com, insureds benefit from resources to create and test their incident response plan, develop policies, and train their employees.
We also provide live webinars and other educational materials on emerging cyber threats, information security controls, and regulatory developments. And if an insured does experience a suspected data breach, our BBR Services team assists with the legal, forensic, and other services needed to investigate the incident, notify affected individuals if necessary, and resolve any regulatory inquiries or litigation.
To learn more about the cyber risks facing healthcare companies, click HERE to download Beazley’s “US Healthcare Data Breach Insights Report.” To learn more about the company’s cyber insurance solutions click HERE to go to their corporate Website.