Preparing for the Inevitable: Protecting Hospitals and Physician Groups From Cybercrimes
This article was written from the webinar “Preparing and Protecting Alabama Hospitals and Physician Groups from Cyberattacks” presented on Oct. 5, 2022.
If you are in the health care industry, you understand why your records are valuable. PHI records sell for as much as $1,000 each on the dark web, compared to $5 for credit card numbers and $1 for Social Security numbers; the markup is obvious.
It is estimated by some authorities that ransomware cost the world $20 billion in 2021. That number is expected to rise by $265 billion by 2031.
With October being Cybersecurity Month, it’s a good time to self-evaluate your cybersecurity response plan and the other measures that reveal your strengths and weaknesses. The sensitive nature of the data collected, coupled with a low tolerance for system downtime, has made the health care industry a prime target for cybercrime. It is more likely than not that a health care provider is going to get hacked. The question is: how will that play out?
Worst case, you suffer a breach and a successful ransomware attack.
If it is not ransomware but simply a successful breach or unauthorized access to your data, you must assess and respond to the breach and comply with the requirements of HIPAA, including your audit and notification requirements.
In either case, once you get through the initial minefield, you must determine your duty to notify the Office for Civil Rights (OCR), and then you may have to deal with fines, other sanctions or the OCR version of the OIG corporate integrity agreement.
Why it matters
- Your systems, operations, patients and reputation will be impacted.
- You might have legal and regulatory exposure and legal liability.
What are the bare minimums that you need to protect yourself against bad acts?
- Multi-Factor Authentication – make sure that anyone accessing your systems from a remote location has been authenticated and is authorized to be there.
- Software Updates – go to your server provider’s settings and make sure that your security suites are automatically applied to your systems as soon as they are available.
- Phishing – 80 to 90% of all ransomware attacks start with some type of phishing incident. Attackers need a way in, and phishing emails are still the easiest way to get it. There’s no better time to send out a phishing exercise to see how many people click the link; it will help establish a good baseline.
- Review Access and Rules – look at who has access to your computer systems and which documents they can reach.
- IT/Cybersecurity Team Members – you must bring your IT and cybersecurity people into decision making. The days when IT staff only looked after your servers and monitors are gone; you need them to look at your cybersecurity as well. Have experienced cyber counsel on your team; if a breach occurs, your response and remediation need to begin instantly.
- Test Back-Ups – test your systems now. If you have a backup, try restoring all your data onto a system to see if you are really prepared.
Absolute must dos
According to the security firm Sophos, in 2021, 37% of all businesses and organizations were hit by ransomware. Recovering from a ransomware attack cost businesses $1.85 million on average.
Since 2018, the bad guys have been going for the triple threat: they use ransomware, they encrypt your data, and now they also release your data publicly or never give it back to you at all, putting it on the dark web for others to have. Some absolute must dos for all hospitals and physician groups to minimize the risk and protect your data include:
- Identify your team – have your team identified in advance. If you have a data breach and only then try to pull your team together, it’s too late.
- Data inventory – you should be looking at what type of information you have, where it is and who has access to it.
- Risk Assessment – look at your crown jewels: what are the things you need to guard? And you need to be honest and ask, how could someone get into this system?
- Privacy Policy – this is an industry standard that wasn’t there many years ago. These policies are paramount, and an industry standard now, if you take in information from a website or a mobile app. What rights do users have? Tell people what you’re doing with their information. Similarly, when you are formulating your policies, you need to consider the HIPAA Security Rule and the HIPAA Privacy Rule.
- WISP – Written Information Security Policy – this is an overarching policy that contains all your documents regarding your data, privacy, cybersecurity and other rules and regulations, including employee information and the security policy. You need to let your employees know what their responsibilities are; putting the obligation on both the company and the employees is important. It lets you enforce sanctions against an employee who has caused the damage.
- CIRP – Critical Incident Response Plan – this is going to be your go-to playbook. It lists your team members and your insurance policy, with contact information for each. It will also name a forensic vendor supplied by your insurance company.
- Laws and Regulations – laws are changing every day. Following the lead of California, states including Virginia, Ohio and Alabama have made, or are considering, significant changes to their privacy laws. You must pay attention to your state laws, which are not superseded by HIPAA regulations, as well as to federal laws.
- Encryption – if you encrypt your information, you’re basically exempt from many reporting requirements. If all of your information is breached but that information is encrypted or anonymized, meaning that no one can use it without the key, you are protected.
- Data Retention – this is another safeguard that should be expanded upon by states. The health care industry has the HIPAA retention issue and the employee side as well. For instance, you must follow HIPAA retention laws when it comes to your patients’ data, but your employee and other non-HIPAA personal information may have other retention periods to consider. The moment you are no longer required by law to retain information, you should get rid of it. If you don’t have the data, no one can take it.
- Third-Party Vendor Contracts – you need to be aware of where all of your data is and ensure that your third-party vendors hold themselves to the same safety standards as your industry.
- Insurance Compliance – as losses have mounted and outstripped premiums, insurance companies are becoming tougher and more stringent with companies that do not follow the obligations and conditions they agreed to in the insurance policy. Be familiar with your insurance policy and follow it to the letter.
The health care industry has baseline requirements to protect patient data in compliance with HIPAA. To keep the focus on patient care, it is important to evaluate where the holes in protection may arise. The same issues arise for both small and large health care providers, but response plans will differ.
Three things that can be done immediately are: encrypt information, review policies and procedures and perform cyber reviews.
Important considerations are policies regarding charting and imaging machines. Providers should consider their policies on paper charting backups in case electronic records are compromised. A recent study of breaches involving medical imaging found that most of those breaches could have been prevented by implementing basic physical and information security practices. Having the right policies and procedures in place and understanding your risk may reduce your exposure to a breach and will aid in a quick response when a breach occurs.
Please contact Walt Green or any member of the Phelps Cybersecurity, Privacy and Data Protection team if you have questions or need advice or guidance.