Aventine Hill recently co-sponsored the second annual Healthcare Symposium in San Antonio on February 26. The focus was on cyber-security, and the half-day agenda featured three topics.
- Bill Phillips, CIO of University Health System, presented on “Healthcare Industry Challenges with Cybersecurity.”
- Jeff Drummond, Partner at Jackson Walker LLP, presented on “Practical Ways to Manage HIPAA Concerns and Maintain Compliance.”
- Last was a panel discussion focused on “How Safe are You? Practical Tips for Protecting Your Company.” I participated as a panelist along with Jim Bygland, CIO for Bank SNB, Stephanie Chandler, Partner at Jackson Walker LLP, and Maurice Liddell, National Leader, IT Security & Infrastructure, BDO USA, LLP.
What are some unique challenges for healthcare?
Bill Phillips provided an excellent overview of the threats that all companies face. He made the threats real for the audience by highlighting major data breaches that have occurred in the healthcare industry and how the threats are increasing.
- For 2014, healthcare comprised 42% of all major data breaches in the U.S., with a total of 8.25 million records exposed.
- 91 percent of healthcare organizations reported a data breach in the past two years.
Healthcare data commands a materially higher price on the black market than typical identity theft data. There are many more ways to exploit the data for profit, and many of those methods are not detected by victims as quickly as credit card fraud is.
The ransomware business is growing
Ransomware was a hot topic because of the recent public announcement by Hollywood Presbyterian Medical Center that it paid $17,000 in ransom to regain access to its critical data. The organization reverted to paper during the attack before paying the ransom. Many companies across all industries, and even governmental institutions, have paid ransoms.
For me, there are clear market forces at play. The ransom amount is negotiable, and the prices described by organizations that have gone public are less than the cost of the internal IT effort or external consultant hours it would take to remediate and recover (assuming that is even possible). Prevention is the lowest-cost solution. However, if that doesn’t work, the criminals are being smart by charging amounts that make paying a valid option.
HIPAA and Security
Jeff Drummond provided an in-depth overview of how the Health Insurance Portability and Accountability Act (HIPAA) has evolved, especially its requirements for data security. One big takeaway from this discussion is how far formal HIPAA guidance lags behind how technology is actually used. Many policies, procedures, and technical solutions have been put in place for “traditional” applications. But with the vast expansion of medical devices connected to networks and capturing patient data, the number of entry points for hackers and the breadth of exposed information are growing exponentially. The security on these devices is very weak at this time. For those outside the healthcare industry, this is the same type of security risk that the Internet of Things presents; healthcare has the added complexity of HIPAA privacy requirements.
People: the Weakest Link or Your Strongest Defense?
The panel discussion on “How Safe are You?” was last and, as highlighted above, our panel was well-constituted to provide diverse perspectives. The audience received great technical observations, a practical legal perspective, and risk management advice for both large and small firms.
A common theme in the security world is that people are the weakest link because they will often click on simple emails that let malware and hackers into an environment. I focused many of my comments on how to turn this around and make people a strength. Having worked in the chemical industry for many years, where companies strive to operate safely, I learned many lessons about safety awareness and preventing accidents. My experience working with clients who have given security awareness similar importance is that the same techniques that create a strong safety culture will also create a strong security culture. Educated employees and a culture of security can be a smart alternative for smaller companies without a large budget for cyber-security.
One specific fraud technique that is common now is for criminals to send emails that purport to be from the owner or CEO of a company and direct the finance organization to wire money to a bank account that will be provided. There are companies where people were fooled and money was wired. Jim Bygland indicated that this is something that keeps him up at night at his bank. We at Aventine Hill have seen this activity too. The irony in this scenario is that the common disbursement controls companies should have in place anyway will mitigate this risk. But many companies operate without an appropriate basic control framework, so they end up at greater risk of cyber-security attacks too.
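To show what “common disbursement controls” look like when applied to an emailed wire request, here is an added illustration (not from the original post or from Aventine Hill): a screening function that checks the request against dual approval, a vendor master, out-of-band callback verification for new accounts, and the executive-name-with-external-address pattern. The company domain, vendor list, executive names, and the sample message are all constructed assumptions.

```python
# Added example: screen an emailed wire-transfer request against basic
# disbursement controls. All domains, vendors, names and messages are assumed.
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"                      # assumed internal domain
APPROVED_PAYEE_ACCOUNTS = {"ACME Supply": "1111222233"}   # assumed vendor master
EXECUTIVE_NAMES = {"Jane Doe"}                            # assumed executive display names

def screen_wire_request(headers, body, approvals, verified_by_callback):
    """Return a list of control findings; an empty list means the request may proceed."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", headers.get("From", "")))
    # 1. Executive display name paired with an external From or Reply-To domain
    for addr in (from_addr, reply_addr):
        domain = addr.rsplit("@", 1)[-1].lower()
        if from_name in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
            findings.append(f"executive name '{from_name}' with external address {addr}")
            break
    # 2. Payee and account must match the vendor master, or be verified by a
    #    callback to a phone number already on file (never one from the email)
    m = re.search(r"to\s+(.+?)\s+account\s+(\d{6,})", body, re.I)
    if not m:
        findings.append("no payee/account found in request")
    else:
        payee, account = m.group(1).strip(), m.group(2)
        if APPROVED_PAYEE_ACCOUNTS.get(payee) != account and not verified_by_callback:
            findings.append(f"account {account} for '{payee}' not in vendor master and not verified by callback")
    # 3. Segregation of duties: two distinct approvers, neither of them the requester
    if len(set(approvals)) < 2 or from_addr in approvals:
        findings.append("dual approval by two people other than the requester is missing")
    # 4. Urgency or secrecy language is a red flag that warrants out-of-band verification
    if re.search(r"\b(urgent|confidential|today|immediately)\b", body, re.I):
        findings.append("urgency/secrecy language present; verify out of band")
    return findings

# Constructed sample: a lookalike "CEO" request to pay a new, unverified account
SAMPLE_HEADERS = {"From": "Jane Doe <jane.doe@example-corp-mail.test>",
                  "Reply-To": "Jane Doe <ceo.jdoe@webmail.test>"}
SAMPLE_BODY = ("Please wire $48,500 today to Northwind Holdings account 987654321. "
               "Keep this confidential until the deal closes.")

if __name__ == "__main__":
    for finding in screen_wire_request(SAMPLE_HEADERS, SAMPLE_BODY,
                                       approvals=["ap.clerk@example-corp.test"],
                                       verified_by_callback=False):
        print("HOLD:", finding)
```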
It all starts with understanding the risks for your business
While the breadth and sophistication of cyber-security threats continue to grow, companies do not have to feel overwhelmed. Most attacks use common techniques because criminals seek the easiest path to money. With a proper understanding of your own business and the risks that matter most to you, there are multiple cost-effective ways to combine policies, technology, and training into an alert workforce that protects your assets. If you need expert assistance, we are happy to help identify your risks and recommend cost-effective methods to mitigate them.