COPIC INSIGHT: DATA BREACHES
COPIC INSIGHT is a new, exclusive resource for COPIC-insured individuals, practices, and facilities. It provides insight on a timely issue in health care, along with resources to help insureds address this in their own setting.

CONTENTS

Cyber Liability ... 2

Cyber Risk Assessment ... 4

Vulnerabilities ... 4

Mitigating Cyber Risk ... 5

What Now? ... 8

Considerations When Looking for External Support ... 9

Resources ... 9

* Information provided is for general education purposes and not intended as legal guidance or practice standards. ©COPIC Insurance Company—September 2015


CYBER LIABILITY

Cyber liability is a rising concern among health care providers, who increasingly depend on a variety of technologies to care for patients, share health information, and collaborate with other providers. Increased reliance on these technologies has led to a large universe of cyber-related vulnerabilities, ranging from data loss or corruption to hacking and privacy breaches. Any of these can have serious civil, regulatory, financial – and even criminal – consequences. However, steps can be taken to reduce the risks and mitigate the impacts of cyber events.

The Risk of a Data Breach

Given the frequency and potential impact, the most critical exposure for medical practices is data breach. Intrusion into supposedly secure databases is a daily event. Thousands of attacks are intercepted per second. In 2013, there were more than 600 reported data breaches in the United States. Just one year later, that number hit a record high of 783. Nearly half of these occurred in health care organizations.1 Both the number and scale of events are growing.

Cyber Claim Trends

While every health care practice or facility has a unique risk profile, NAS Insurance Services (COPIC’s partner for cyber liability coverage) reports the following trends in recent claims:

1. Lost device. The single greatest exposure to cyber liability arises from lost or stolen devices, particularly laptops that are not encrypted.

Mitigating this risk: Encrypt all data storage devices that are taken out of the office such as removable drives, tablets, cell phones used for email, and USB flash drives. Ensure that laptops are password-protected.

2. Ransomware: Typically targeting smaller organizations, cyber-extortionists introduce a virus (often in an official-looking email message) that invades and encrypts data, cutting off access to all users. The extortionists demand a ransom to provide the password to unlock the practice’s data.

Mitigating this risk: It is important that everyone is trained to be wary of opening emails from senders they do not recognize, and that organizations invest in anti-virus software for all computers. When in doubt, contact your IT department to determine whether an email poses a risk.

1 http://www.idtheftcenter.org

Data breach occurs when confidential information is exposed to an unauthorized party. Health care practices and facilities are accountable for three categories of data:

1. Patient data (PHI – Protected Health Information)

2. Employee data (employment, background, banking, contact, insurance, etc.)

3. Business or business associate data (accounting, banking, trade secrets, strategies, patents, etc.)

Myriad federal and state laws, as well as civil claims, create liability exposure for data breaches.


3. Third-party complaints: There is an increase in lawsuits and demand letters from third parties (mainly patients) when their data is affected by a data breach. Apart from lost privacy, breaches open the door to identity theft and medical fraud.

Mitigating this risk: It is best to ensure that systems are in place to prevent a breach in the first place. However, once a breach occurs, transparency is paramount. Report the breach as quickly as possible to your carrier and appropriate management to determine when and how patients should be alerted.

4. Before and after pictures: A higher risk for dentists, plastic surgeons, and dermatologists, these claims stem from providers neglecting to gain permission before using or transmitting photos of procedures or patient care – including advertising. Even photos that have been de-identified may be recognized by patients, family, or co-workers, giving rise to privacy violations.

Mitigating this risk: Ensure that patients sign a photo release form prior to sharing any photos, whether or not the photos have been de-identified.

5. Employee access to restricted files: Employee “snooping” gives rise to HIPAA violations. Patients who are politically or socially prominent, co-workers, family members or those whose information is otherwise sensitive need extra privacy.

Mitigating this risk: Protect patient privacy by establishing individual accounts and controlling who can access which files. Ensure that access logs are kept so that if “snooping” occurs, the culprit can quickly be identified.
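The mitigation above (individual accounts, access logs, and the ability to identify who looked at what) only pays off if someone actually reviews the logs. The following script, an added example that is not COPIC's or NAS's tooling, shows what a periodic review can look like: it compares a constructed EHR access log against a constructed care-team table, escalates any access to records flagged for extra privacy, and flags clinical content opened by a non-clinical role. The log format, user names, patient IDs, and the care-team and restricted-record tables are all assumptions made for the example.

```python
"""Added example (not COPIC's code): periodic review of an EHR access log for "snooping".

Everything below (log format, names, patient IDs, care-team table) is constructed
for illustration; a real EHR audit log has more fields and a real care-team table
comes from the scheduling or assignment system.
"""
import csv
import io
from collections import defaultdict

# Constructed sample access log: timestamp, user, patient_id, action.
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2015-09-01T08:02:11,nurse_amy,P1001,view
2015-09-01T08:05:40,nurse_amy,P1002,view
2015-09-01T09:15:02,front_desk_bob,P1001,schedule
2015-09-01T12:30:55,nurse_amy,P2001,view
2015-09-01T12:31:20,nurse_amy,P2001,print
2015-09-01T13:00:00,dr_lee,P2001,view
2015-09-01T17:45:09,front_desk_bob,P1003,view
"""

# Constructed care-team table: patients each user legitimately works with.
# Access outside this set needs an explanation from the user.
CARE_TEAM = {
    "nurse_amy": {"P1001", "P1002"},
    "dr_lee": {"P1001", "P1002", "P2001"},
    "front_desk_bob": {"P1001", "P1002", "P1003"},
}

# Constructed records flagged for extra privacy (prominent patients, staff, relatives).
RESTRICTED_RECORDS = {"P2001"}

# Constructed set of users whose role does not involve reading clinical content.
NON_CLINICAL_USERS = {"front_desk_bob"}

# Actions that expose clinical content, as opposed to scheduling or billing.
CLINICAL_ACTIONS = {"view", "print", "export"}


def parse_log(text: str) -> list:
    """Parse the CSV audit log into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access_log(rows, care_team, restricted, non_clinical) -> list:
    """Return findings as (severity, user, patient_id, action, timestamp, reason) tuples.

    Rules, in order:
      1. access to a record outside the user's care team (high if the record is restricted);
      2. clinical content accessed by a non-clinical role, even for an assigned patient.
    """
    findings = []
    for row in rows:
        user, pid, action, ts = row["user"], row["patient_id"], row["action"], row["timestamp"]
        if pid not in care_team.get(user, set()):
            if pid in restricted:
                findings.append(("high", user, pid, action, ts,
                                 "restricted record accessed outside care team"))
            else:
                findings.append(("medium", user, pid, action, ts,
                                 "record accessed outside care team"))
        elif action in CLINICAL_ACTIONS and user in non_clinical:
            findings.append(("medium", user, pid, action, ts,
                             "clinical content accessed by non-clinical role"))
    return findings


def findings_by_user(findings) -> dict:
    """Count findings per user so the reviewer knows whom to follow up with first."""
    counts = defaultdict(int)
    for finding in findings:
        counts[finding[1]] += 1
    return dict(counts)


def run_review() -> list:
    """Run the review over the constructed sample log."""
    return review_access_log(parse_log(SAMPLE_LOG), CARE_TEAM,
                             RESTRICTED_RECORDS, NON_CLINICAL_USERS)


if __name__ == "__main__":
    results = run_review()
    for severity, user, pid, action, ts, reason in results:
        print(f"[{severity}] {ts} {user} {action} {pid}: {reason}")
    print("follow-up counts:", findings_by_user(results))
```

On the sample data the review produces three findings: two high-severity entries for the nurse who viewed and printed a restricted record she is not assigned to, and one medium-severity entry for a front-desk user viewing clinical content. The rules are deliberately simple; the point is that the care-team table and the restricted-record list are the inputs that turn a raw log into something a privacy officer can act on, so keeping those tables current is part of the control.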

Best Practices Are Emerging

The variety of health care settings makes it difficult to prescribe “one-size-fits-all” solutions. Nevertheless, there is general advice for data protection.

DO

• Get advice, training, and support for everyone.
• Keep written records of policies, training, risk assessments, and actions taken.
• Know where your data is and who has access to it.
• Use a layered approach to data protection, with multiple safeguards operating in different ways.
• Make plans for likely risks and disasters.

DON’T

• Take privacy and security lightly.
• Assume things are OK as long as you have not detected obvious problems.
• Store PHI on unprotected devices.
• Stop reviewing vulnerabilities and safeguards after your initial assessment.
• Enter into electronic transactions or communications with unknown correspondents.

NAS Insurance Services estimates that health care providers will pay between $10 and $30 per affected patient record for breach response services. These typically include legal and investigative services, patient notification, credit protection, regulatory response and fines, and cost of repairing provider systems and reputation. A breach that impacts 1,000 patient records could easily cost $10,000 to $30,000, excluding penalties.


CYBER RISK ASSESSMENT

HIPAA requires providers to conduct a risk assessment of the privacy and security of their protected information (PI). You can download COPIC’s Electronic Risk Assessment–Checklist for Office Practices (available on COPIC’s website at www.callcopic.com/resources/pages/medical-guidelines-and-tools.aspx under the Practice Management Resources section).2 This step-by-step guide provides an overview of this mandatory process. The principles are simple, but the details can get technical; most organizations will need tech support.

STEP 1 Identify your information vulnerabilities and threats (risk audit).

STEP 2 Take stock of your defenses and safeguards (your own and those of business associates, vendors, contractors, etc.).

STEP 3 Consider your threats and vulnerabilities, and estimate their likelihood.

STEP 4 Predict the harms of each threat occurring.

STEP 5 Describe measures taken to block vulnerabilities and mitigate impacts; prioritize measures to adopt.

STEP 6 Implement.

STEP 7 Document it all.

VULNERABILITIES

Three key areas of risk are virtually universal. Typically, these are the first to address, regardless of the setting. Here are some examples of questions to ask yourself in each of the three key areas.

I Data at Rest (Stored in Devices)

Q Can you list everywhere your protected information resides?

Q Do you carry PHI on portable devices (laptops, mobile phones, jump drives, etc.) outside of your office?

Q What physical protections do you have (locks, cameras, building security) for your office equipment (servers, routers, backup drives, computers, tablets, laptops, etc.)?

Q What is your disaster plan?

Q Are your drives (including portable devices) encrypted?

Q How do visitors get access to your office?

2 This is protected content and requires a username and password to access it.

Paper as well as electronically stored information is subject to data breaches. Keep this in mind when transferring and disposing of paper files.


II Data in Transit (Being Transmitted)

Q Do you use email, text messaging, or other data connections with external colleagues, facilities, and/or patients?

Q Do you connect to external PHI remotely (through a portal, VPN or FTP site)?

Q Do you have a Wi-Fi network at your office or home?

Q Do you connect to Wi-Fi networks away from the office or home?

Q How do you create and manage passwords?

III Data During System Transitions and Migrations

Q Is your EHR fully configured and implemented?

Q How do you prevent data loss/corruption during system updates?

Q When is the next time you plan significant changes to your information systems?

Q What is your security and privacy training program for new staff?

Q What is your EHR training program for new users?

Q What is your process for removing system access from terminated users?

MITIGATING CYBER RISK

Risk assessment is not fragmented into separate stages, but ideally involves recognizing risks, weighing impacts, and installing defenses all at the same time. You can’t do everything at once. You have to accept that your defenses will never protect against every conceivable attack or disaster. The wisest process deals with “first things first,” and prioritization is not based on a single factor.

• Basic steps are things you have identified as critical for protecting your organization from likely risks, are easiest to implement, and address vulnerabilities that are more or less “inexcusable.”

• Intermediate steps are the very next things you plan to address, after the basics. These either have lower priority, higher complexity, or demand greater effort.

• Advanced steps are the ones that ultimately let you sleep at night. These may address low-likelihood/ high-impact events; require upgrades to equipment, software, workflow, or policies; or entail more costs and technical resources.

An audit can satisfy you that you have taken every reasonable step prospectively. However, no system is immune from attacks by a determined, professional foe. Your priority should be to make reasonable efforts to prevent foreseeable attacks and accidents.

The following are suggestions that would apply to a typical range of risks for health care providers. These are not meant to be comprehensive, but rather to give a snapshot of a cyber risk management process.


Risks to Data and Devices at Rest

Risk is inherent in any device or data storage system, from smartphones, laptops, and flash drives, to servers, cloud storage, and file sharing systems. Organizations must demonstrate robust efforts to protect stored information. The standard is, “What are the necessary and reasonable measures?”

RISK EXAMPLES AND EXAMPLES OF MITIGATION STEPS (listed in the original table’s order, from basic through intermediate to advanced)

Lost/stolen devices: Laptops; tablets; phones; USB/flash drives; CDs/DVDs; external disk drives; backup media; other portable data-carrying devices. Don’t forget that even “desktop” computers and servers are small enough to steal.

• Physical security.
• Off-site backup.
• Inventory of all devices.
• Review insurance coverage.
• Policies for employee use.
• Encryption on everything portable.
• Ensure mobile devices have remote location/lockdown capability.
• Encrypt everything.
• Remote device location/lockdown software.
• Employee training program.
• Disaster plan with contingencies for loss/destruction of devices or loss of access.

Unauthorized access/intrusion: Data exposed accidentally or intentionally.

• Physical security; who has a key?
• Inventory all PHI; where it resides; how it can be accessed.
• Encrypt external data connections.
• Mandate complex passwords; password policy; individual user accounts.
• Screen locking during inactivity.
• Up-to-date antivirus and antispyware software on network router and every storage device.
• No remote network access; no guest access.
• Encrypt all channels used for PHI.
• Two-factor authentication.3
• System access logs.
• Physical access logs.
• Secure remote access.
• Written policy for credentialing all users, including consultants, tech support, guests, etc.
• Separate Wi-Fi network for guests.
• Regular review of data access logs.
• Hacker/penetration testing.4

System failure: All mechanical systems fail; data can be lost or corrupted inadvertently or deliberately.

• Physical safeguards (power protection, fire protection, etc.).
• Off-site backup.
• Insurance.
• Test and confirm backup process actually works.
• Disaster plan.
• Business continuity plan.

3 Two-factor authentication adds a second level of authentication, beyond entry of a password, to an account log-in. A user is required to provide a second piece of information, which may include a second password, authentication via another device such as a phone, or a biometric identification, such as a fingerprint.


Risks to Data in Transit

Any transmission can potentially be intercepted. Organizations must demonstrate robust efforts to protect communications from intentional interception and accidental leakage.

RISK EXAMPLES AND EXAMPLES OF MITIGATION STEPS (listed in the original table’s order, from basic through intermediate to advanced)

Data exposure – intentional: Intentional interception of information through electronic intrusion (hacking) or eavesdropping.

• Enforce password complexity.
• Firewall.
• Strong Wi-Fi encryption.
• Don’t use email for PHI.
• Password expiration rules.
• IP/MAC address restrictions.5
• Secure email application.
• Encrypt all transmitted PHI.
• Secure data exchange network.
• Secure patient portal.

Data exposure – accidental: Inadvertent sharing of information with unauthorized persons (e.g. emails accidentally forwarded, texts sent to wrong person).

• Basic HIPAA and security training for all staff.
• Secure destruction of documents and devices.
• Written security policy.
• Social media policy.
• Email policy and safeguards.
• Advanced security training.
• Limited “contacts” list.
• Monitor social media, email, and website for inappropriate, negative or unwanted activity.

5 IP/MAC address restrictions limit access to a system to users accessing the system from specific IP or MAC addresses.


Risk During Transition/Migration of IT systems

Practices merge and split; facilities retire old systems and implement new ones; organizations hire and terminate employees; software and hardware are upgraded, updated, and replaced. Each of these events entails risk of data loss, corruption, or exposure.

RISK EXAMPLES AND EXAMPLES OF MITIGATION STEPS (listed in the original table’s order, from basic through intermediate to advanced)

System updates: Data is lost, compromised, or corrupted during a software update or reconfiguration.

• Backup.
• Backup again.
• Test functionality after updating.
• Testing with actual data before committing to changes.
• Run concurrent systems until stability of the new system is assured.

System migration: Data is lost, compromised or corrupted during transition to a new system (e.g., merging practices).

• Same as system updates.

Data exchange: Confidential information is lost, corrupted or exposed by business associates, correspondents, or contractors.

• HIPAA business associate agreements.
• Consult your technical and legal advisors.

WHAT NOW?

This document gives health care organizations a place to start in assessing and addressing cyber risk, but it only scratches the surface. It is important that health care professionals dedicate ample time to take inventory of their specific organization’s risks, and develop a tailored plan to address them. These five steps will help any organization better understand risks, develop plans to mitigate risks, and be prepared if a breach occurs.

1. Talk to your insurance advisors about cyber liability. The legal liabilities for cyber events (data loss, privacy breach, defamation, unauthorized disclosure, or infringement, etc.) are not covered by typical liability insurance policies.

2. Have cyber liability coverage and understand it. Every COPIC insured receives basic cyber liability insurance as part of their COPIC policy. However, based on the unique needs of each organization, supplemental coverage may be necessary.

3. Document your cyber risk assessment.

4. Document your privacy safety and security policy. This should include guidelines regarding employee handling of data and devices, access to systems, and policies for use and disclosure of protected information.

5. Document your mitigation plan. Note the steps you’ve already taken to address threats and


CONSIDERATIONS WHEN LOOKING FOR EXTERNAL SUPPORT

Some organizations seek an outside partner to help manage the audit process. For practices or facilities considering this route, asking these questions of a firm under consideration may be helpful.

1. Does the firm have a thorough understanding of HIPAA and HITECH requirements?

2. Has the firm worked with similar health care organizations to conduct similar types of audits?

3. How thorough will the firm’s work be? Will consultants interview employees, in addition to completing checklists? Will the firm also audit your policies and procedures, in addition to your systems?

4. What is the outcome of the firm’s work? Will you receive a report of risks? A full mitigation plan? Will the firm assist in mitigation efforts?

RESOURCES

Resources are available to help practices and facilities understand and respond to cyber liability risk.

Coverage and Resources for COPIC Insureds

Questions about COPIC cyber liability coverage or additional coverage options? If you work with an agent, we encourage you to contact him or her directly first. COPIC can also serve as a resource.

Mitch Laycock, Account Executive, COPIC Financial Service Group

[email protected]

(720) 858-6297 • (800) 421-1834, ext. 6297

Resources available on COPIC’s website at www.callcopic.com/copic-services/Pages/Cyber-Liability.aspx:

• Fast Facts: COPIC’s Cyber Liability Coverage
• Supplemental Cyber Liability Coverage Details
• Access to NAS Insurance Services cyber liability resources, including:
  - Risk assessment tools
  - HIPAA/HITECH compliance information
  - Industry best practices
  - Webinars and online training programs
  - Sample policies

In-person seminars and online education courses (which also qualify for COPIC points) such as:

• Liability and Safety of Electronic Health Records
• Communicating Electronically with Colleagues & Patients
• Defending Electronic Documentation
• Cyber Liability Insurance
• Social Media Liability
• Disaster Preparation and Response
• Security & Privacy Risk Assessment
• Health Care Transitions and Task-Oriented Medicine

Visit www.callcopic.com/education for more information on seminars and courses.


Third-Party Tools and Resources

ECRI Institute

Guidance and tools to help health care facilities improve health IT safety

www.ecri.org

Federal Bureau of Investigation Cyber Crime Unit

Information on threats, scams and protections www.fbi.gov/about-us/investigate/cyber

Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Alerts, advisories, training opportunities, best practices and assessments

ics-cert.us-cert.gov

Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool

HIPAA compliance assessment tool

www.healthit.gov/providers-professionals/security-risk-assessment-tool

U.S. Department of Health and Human Services (HHS) Office for Civil Rights

HIPAA guidelines and resources www.hhs.gov/ocr/privacy

HIMSS

Professional development and resources on a wide variety of health information topics www.himss.org

Specialty Societies

Contact your specialty medical society to gain an understanding of the specific risks that may be inherent in your specialty.

Research and Trends

Ponemon Institute

Research on privacy, data protection and information security policy

www.ponemon.org

Symantec Internet Security Threat Report

Overview and analysis of the year in global threat activity

www.symantec.com/security_response/publications

Verizon Wireless Data Breach Investigations Report

Annual investigation into common threat patterns www.verizonenterprise.com/DBIR
