Six Steps for Healthcare Organizations to Manage Cyber Risk
10/16/2017 9:00:00 AM
Although every industry faces a variety of cyber and privacy-related risks, healthcare is arguably one of the most exposed. According to Verizon's 2017 Data Breach Investigations Report, 15% of all breaches involved healthcare organizations, making it the second most susceptible industry behind financial services. For healthcare providers, the adoption of electronic health records (EHR) systems and related technologies has transformed the industry, often allowing for greater efficiencies and improved patient outcomes. However, the digitization of health records and increasing reliance on information systems can also heighten a provider's exposure to data and privacy risk.
From a regulatory perspective, the 2003 HIPAA Security and Privacy Rules require covered entities - broadly defined to include healthcare providers and health insurers/health plans - to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting medical records. Further, with the 2009 HITECH (Health Information Technology for Economic and Clinical Health) Act, these rules now extend to "Business Associates," which can include medical billers, third-party administrators, EHR software companies, or any other entity that uses or discloses protected health information (PHI) for or on behalf of a covered entity. Breaches of PHI must not only be reported to individual state regulators (in accordance with breach notification statutes), but also directly to the Department of Health and Human Services' Office for Civil Rights (OCR), which has the authority to investigate breaches and reach monetary settlements with entities found to be in violation of HIPAA's requirements. Breach costs related to regulatory defense, fines, and penalties - as well as the usual legal, forensics, notification, and credit monitoring expenses - can make healthcare data breaches incredibly costly and disruptive for healthcare providers.
In order to prevent and mitigate the impact of data and privacy breaches, healthcare organizations should consider a combination of technology tools, policies and procedures, and risk transfer mechanisms. Here are just a few cyber and data risk management tips for healthcare organizations to consider:
1. Conduct a risk analysis
Organizations subject to HIPAA - whether covered entities or business associates - should undergo a thorough (and documented) risk analysis. The analysis should review cyber and privacy risk, develop policies and procedures to protect patient data, and implement a monitoring or auditing program to ensure continued compliance.
2. Utilize Business Associate Agreements
These should be executed with each and every third party that handles, accesses, or stores PHI on your behalf. This contract should clearly outline the permitted uses of PHI by the Business Associate, ensure that they have implemented appropriate controls to comply with HIPAA, and require them to notify you in the event of any actual or suspected breach.
3. Encrypt data
Consider using software and technology which encrypts all sensitive data (including PHI) at rest and in transit - encryption adds an additional layer of security in the event of unauthorized access to your system and can often provide safe harbor against breach reporting requirements.
4. Develop a cyber incident response plan
The plan should outline breach investigation steps, establish which third party attorneys and vendors will assist in handling the breach, delegate responsibilities for key individuals and stakeholders within your organization, and contemplate back-up recovery in the event of an IT system disruption.
5. Educate employees
Educate your employees on their roles and responsibilities in protecting patient privacy and preventing cyberattacks. This includes enforcing policies and procedures around proper "cyber hygiene" - password strength, awareness of phishing scams, laptop/mobile device security, etc.
6. Buy cyber insurance
Discuss the purchase of cyber insurance with your agent or broker - with policies designed to cover both first party expenses and third party liabilities, dedicated cyber coverage can address a range of exposures faced by the healthcare industry.
All PHLY Cyber policyholders receive complimentary access to the eRiskHub, our online cyber risk management portal. Access information can be found in your policy, or by contacting your agent or broker.
Written by Evan Fenaroli
Cyber Liability Product Manager, Management & Professional Liability
IMPORTANT NOTICE - The information and suggestions presented by Philadelphia Indemnity Insurance Company in this E-Brochure are for your consideration in your loss prevention efforts. They are not intended to be complete or definitive in identifying all hazards associated with your business, preventing workplace accidents, or complying with any safety-related, or other, laws or regulations. You are encouraged to alter them to fit the specific hazards of your business and to have your legal counsel review all of your plans and company policies.