It’s Thursday afternoon, and when you return to your office after lunch the head of IT is waiting for you. He tells you the organization has been targeted by a sophisticated foreign phishing campaign: over the last two days employees have been clicking on a malicious email, inadvertently exposing information on nearly 20,000 pediatric patients, either by giving up their credentials or by letting malware into your network.
It gets worse. You learn the exposed data includes patient names, clinical information, phone numbers, addresses, insurance information and Social Security numbers. Forensic investigators, legal counsel, call centers and credit monitoring agencies must be marshaled immediately to respond to the breach. Oh, and you need to inform the board of the breach and the liabilities that may result from it.
This scenario unfortunately plays out every day in businesses and health care organizations across the country, highlighting the fact that cybersecurity is far more than a data center issue. It’s a board-level concern for all organizations, especially those in health care.
Protected Health Information (PHI) can be put at risk in many ways: by hackers and malware, by an employee’s accidental mishandling of patient records, or by a lost or stolen laptop. In fact, unintended disclosure, e.g. misdirected faxes and emails or improper release of discharge papers, accounted for 40% of the health care industry breaches managed last year by Beazley, a leading specialty insurance underwriter.
Examining the full costs
First-party expenses are the costs a company incurs in responding to its own breach: notifying clients that their information has been compromised, purchasing credit monitoring services for affected customers, launching a public relations campaign to restore the company’s reputation, covering the income the business cannot earn while it deals with the fallout and, in some cases, paying a cyber extortionist. These add up quickly once you tally the many moving parts of a post-breach response.
In addition, health care organizations are heavily regulated, both by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) and by state Attorneys General. OCR and HHS have given strong indications that resolution agreements arising from these breaches, which already reach into the tens of millions of dollars, will continue to climb. If PHI in your organization’s care is breached, your door is open for regulators to investigate not just that incident but all aspects of your privacy and security practices, from employee training to online credentialing. So, alongside breach-related fines and penalties, you could face audits and mandatory, costly corrective actions to bring your practices into compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act.
In case that’s not reason enough for board members to be concerned, there is also the immeasurable threat data breaches pose to your organization’s reputation. Consumers are extremely concerned about the prospect of PHI disclosure, and when a breach occurs, the required notifications and the inevitable media coverage spread the word. Patients may opt to go elsewhere, costing your organization revenue.
Important steps you should take
How can you reassure your board that breach-related risks are managed?
- Invest in education. E-learning keeps your team aware of digital and physical security threats and how to deter them. Supplementing it with email reminders on rotating topics keeps the information fresh and keeps vulnerabilities, from tailgating to phishing, top of mind with your workforce.
- Assess security architecture. Attackers move quickly. Regular assessments of your IT security and potential vulnerabilities are critical to keep pace; they should happen at least annually.
- Test workplans. Your enterprise should carefully review and update its data breach response workplan at least annually. Hands-on reviews should cover everything from detecting intrusions, to post-breach notification and regulatory compliance processes, to managing media fallout. Periodically switching vendors to bring a fresh set of eyes to your processes is also recommended.
- Secure insurance. Data privacy and security coverage extends not only to liability costs; it also covers the costs of the multiple vendors required to respond to a breach, and it aligns your organization with the right resources to respond swiftly and strategically when an incident occurs or is suspected.
Besides damaging your balance sheet, putting PHI at risk can irreparably harm your organization’s reputation. Board members have good reason to care about privacy and security vulnerabilities. Making them aware of the dangers – and the solutions – is critical.
About the author. In his role at Beazley, Ricardo draws on his extensive background serving Fortune 500 corporations and government agencies to provide breach preparedness and response guidance. During his career, he has addressed information leakage prevention, data and e-discovery, messaging encryption, and internal threat management. As a certified information privacy professional credentialed by the International Association of Privacy Professionals, Ricardo has a keen understanding of privacy principles, general privacy law and information security best practices throughout the U.S. and around the globe. Prior to Beazley, Alex worked with Kroll Inc., where he served as the privacy subject matter expert for the data breach services team and personally oversaw more than 250 data breaches.