Value-Based Payment News

Today's Topic

Comparing the protective measures taken against the current state of aggression by hackers, are healthcare providers and plans generally more or less vulnerable to data breaches in 2017 than in the recent past?


Mark Ford
Principal, Cyber Risk Services Deloitte & Touche LLP
Health care faces a unique challenge when it comes to cyberattacks in that the data collected by the industry is, by nature, personal and highly valuable to hackers. In addition, health care organizations have not historically had the same resources or incentives as other industries to invest heavily in building stronger cybersecurity programs. 89 percent of health care organizations sustained a data breach during the past two years - and nearly half of those attacked reported five or more breaches. The combination of valuable information and the lack of a sophisticated cybersecurity program to protect it has led the industry to become a prime target for cyberattacks, a trend that may continue for some time if cybersecurity issues are not thoroughly addressed.

Given the risks, what should health care executives be thinking about and addressing in order to prepare for and respond to cyber incidents?

• Convene the right team. Cybersecurity is not just an IT issue, but a business issue that requires involvement from stakeholders across the organization.
• Identify top risk areas and assets. In most enterprises, particular data sets (such as patient records), clinical systems, medical devices, or other digital assets represent high value unto themselves.
• “Right size” spend to reduce incident impact. While greater investment may be required, understanding an organization’s unique risks and investing in a risk-focused manner is key.
• Modernize what “readiness” means. With awareness of what assets matter most to the organization, plans can be made to involve the various parties needed to protect, defend, and recover if compromised.

Cyber readiness is not just about being prepared to respond after an incident occurs. According to a recent report by Deloitte, over 95 percent of the impacts of a cyberattack on a health care organization may not be immediately identifiable - and the full impact may take years to play out. Executives need to recognize that cyberattacks impact their entire business and are not just a task for IT departments and third-party security vendors. A risk-based cyber risk management program must be implemented and exercised to reduce the impact of an attack. Cybersecurity starts at the top, and understanding this can help health care executives build stronger, more secure organizations.

Robert J. Hudock
Member of the Firm, Epstein Becker Green

Overall, we believe organizations may be less vulnerable to attacks because of better patching and security awareness. However, incentives are such that we expect to see more frequent and more severe data breaches in 2017.

Healthcare providers and plans have spent significant resources in deploying new security tools in 2016. At the same time, market incentives continue to encourage hackers to create better methods to gain access to sensitive information systems. Compared to only a few years ago, ransomware has emerged as a key risk, where hackers are able to easily profit from the malicious encryption of patient records. We have also seen a major uptick in identity theft rings who now regularly seek out healthcare providers to obtain patient records.

Moreover, the evolution of social media, including LinkedIn and Facebook (as well as other open source research resources), greatly assists hackers in researching an organization and then carrying out more effective phishing attacks. Instabilities around the world have also resulted in more individuals being drawn into a life of crime as a hacker, partly because of the absence of profitable alternatives. Being a black hat hacker is now a viable career choice in the Ukraine, Russia, and China (to name only a few).

Probably most concerning is the unintended consequence of many security tools being brought to market. Organizations concentrate on the acquisition of new tools as opposed to focusing on understanding how the organization works and tightening the organization’s attack surface. Tools are great, but if not coupled with competent security professionals, the tool is merely eye candy.

Finally, in the absence of competent guidance, organizations adopt a check-the-box-type security model and implement security controls, typically by deploying a new tool, to conform with an industry standard, as opposed to addressing the real security risks of the organization.


Cyndy Nayer
CEO, Center of Health Engagement
It has become clear that security breaches will continue for at least another year. There are three main reasons:

First, health care providers, from hospital/health systems to single-physician offices to outpatient clinics and urgent care centers, have not uniformly kept up with installing updates to any security software. Since updates are not uniform and the requirement for reporting is not immediate, there are more breaches reported, and often they are several months old (or older).

Second, because patients use many sites for care, and records have to travel to each of the sites (at least occasionally), the security of these transmissions from each site to the next can be compromised with little difficulty. FHIR technology can detect some of these interceptions and alert the sender/receiver, but it typically does not ensure the safe sending between two different platforms that are outside FHIR code.

Third, it is important to remember that healthcare providers and plans send to administrative consultants, such as payment management, benefits consultants, plan sponsors, and pharmacies, among others. Their platforms are unlikely to be on the same secure platforms as the health system, nor do they have the FHIR technology that could alert quickly that someone has seen a record(s) that should not have been accessed.

The most important, zero-tolerance action that needs to be taken is to create an internal mandate at any company that sends or receives medical health records. Everyone on the staff, from receptionist to CEO, should be trained and retrained in the security procedures that protect against endangering patient information. There should never be paperwork lying in open areas, and the laptops and desktops should be sharing the same security levels and updates. Any breaches must be immediately reported, with new precautions installed and reported to all staff.
MCOL - Positioning you for change in health care