In the healthcare sector, patient data and cybersecurity are major concerns. Not only is the healthcare industry a preferred hacker target, but the management of workers’ compensation claims frequently requires sharing sensitive claimant data among service providers. This session at the 2018 National Workers’ Compensation & Disability Conference uncovered best practices for mitigating growing insider and third-party healthcare cybersecurity risks.
- Kevin Harried, Chief Risk Officer, One Call
- Adam Solandor, Partner, King & Spalding, LLP
Healthcare data is extremely valuable because the content of the information lends itself to a variety of fraud. Trends show increased sophistication of automated attacks through ransomware and artificial intelligence. Hackers like these methods because they leave fewer fingerprints on the breach, which makes the attackers hard to identify.
Healthcare breaches are expensive. Recent studies by NetDiligence and Ponemon show that breaches cost healthcare organizations $408/record. In addition, crisis services cost three times more than other industries and credit/identity monitoring costs four times more than the average.
Regardless of company size or budget, a variety of solutions exist to reduce risk factors related to insider threats and program setup. Service providers are also available to help set controls.
- Educate to decrease insider threats. 25% of breaches result from employees clicking on something that they think is legitimate. Employers can help combat this ever-growing problem by educating employees on how to identify red flags. Why invest? Breaches resulting from employee actions carry the highest regulatory and legal costs. Good education programs have been shown to reduce breach costs by $9/record.
- Create response programs. Knowing what to do and how to investigate a data breach is very cost-effective. Create and train an incident response team through on-site mock breach exercises. This has been shown to reduce the cost of a breach by $14/record and to shorten post-breach investigation time.
Program Setup
- Data classification and elimination is very important. Old data is bad data, and it accumulates rapidly if it is not destroyed in a responsible fashion. Eliminating old data has been shown to reduce breach costs by $5/record.
- Implement extensive use of encryption. Best practice is to apply it as broadly as possible, from appropriate e-mails to data storage to employee mobile phones that can easily be lost. Often, if you can prove that the data was encrypted, the incident is not considered a breach. This can reduce the cost of a breach by $13/record.
- Monitoring to identify and contain a security event provides critical information. The faster a breach can be identified and contained, the lower the cost. For instance, statistics show that an organization that contains a breach within 30 days can save approximately $1 million in post-breach costs.
- Specialized managed security services are available to take care of security-related work. Studies show that companies that deploy this type of automation can reduce breach costs by 35%. This figure does not include cloud-based services; you still need people to manage this function.
- Cybersecurity insurance is available, and you can leverage these carriers to help shape your program. It is in their best interest that you avoid a breach, so use them as a resource. Also, cyber insurance is an area where you do not want to bargain shop. Discuss the various programs with your carrier or broker to understand the value that accompanies each cost level.
- Services exist to monitor third-party providers. There are inexpensive security scorecards that you can purchase to evaluate vendor security. Ultimately, you want to conduct a risk assessment that identifies policies around timely reporting, compliance programs and technical safeguards.