In 1799, General George Washington said, “…offensive operations, often times, is the surest, if not the only… means of defense.” This wisdom was boiled down in 1967 by the boxer Jack Dempsey who reportedly said, “The best defense is a strong offense.”
Times have changed. While offense is still the best defense elsewhere, when it comes to cyber security, our feature article proves the opposite is now true. In the face of a relentless onslaught by anonymous and most frequently untouchable criminals, you have to think backwards; the only offensive strategy that works is the best possible defense you can muster.
Think Backwards for Greater Cyber Security
“IT security has become just as important as keeping the lights on.”
By Barry Couch, CIC, ARM
Earlier this year, Hill Country Memorial in Fredericksburg, TX, announced a phishing attack had potentially exposed patient medical records to cyber theft. Even though a forensic analysis did not reveal medical records were stolen, the hospital’s preparedness and quick response are an instructive case study for how a strong defense is the best offense.
Hill Country CIO, John Mason, generously agreed to discuss the phishing attack and the lessons learned as a result. His recommendations for prevention and recovery are a valuable blueprint for rural hospital cyber security.
The details of the attack mirror a typical phishing scheme:
- Busy Director receives an email from what appears to be a trusted source
- Email prompts Director to click on a link to download important documents
- Director clicks link, is prompted to log in
- Log in leads to a blank web page
- Director thinks, “That’s weird…” and goes on to the next task forgetting about the incident
- The next day accounts payable receives an email that looks like it is from the Director requesting an invoice be paid immediately
- Accounts payable requests a W-9 because the vendor is new to them
- W-9 is sent within 10 minutes with a note saying, “Please pay now because we are late.”
- Accounts payable, still unsure, asks Chief Nursing Officer if the invoice was approved
- CNO texts the Director asking about invoice
- Director says, “I don’t know what you’re talking about.”
- Phishing attack thwarted
Mason explained what happened, “Under the covers, they used the Outlook web email system to access this account. They looked at her email, figured out who normally pays the bills, and then created a rule that any time the person who pays the bills responded, the response landed in a folder that the Director couldn’t see. It was invisible, so they (the bad guys) just carried on this conversation with accounts receivable.”
Once the attack was detected, the email account was disabled and a predetermined breach response process was put in motion.
“In reality, while labeled a breach, we don’t have any sense they were after health records, or did anything with them. But, because we couldn’t 100 percent prove otherwise, we decided to report it as a potential breach. Our executive did have patient information in her email, which is allowed, because you still have to function as a hospital. Even though there was no evidence that records were compromised, we decided to err on the side of caution and hired a forensics firm.”
The bad guys do their homework
There is an immediate and easily implemented improvement to email policy Mason recommends: train everyone to add the word “external” in brackets to the subject line of all outside emails before forwarding them to others.
This attack wasn’t Mason’s first experience with cybercrime.
“I’ve seen things like this before and the level of sophistication may surprise you. They start by sifting through your web pages and social media presence, to find out who is who in your organization. They then look at the personal social media pages of those individuals for information they can use. For example, in one case, a CFO posted on his Facebook page how he was looking forward to a two-week vacation. While he was away, the hackers attempted to have an illegitimate invoice paid.”
Three social media rules to live by
The vacation incident highlights the importance of training staff to be social media savvy.
The first recommendation Mason makes is to limit your personal social media profile to the very minimum. “If you have financial decision-making authority, you’ve really got to be careful on social media; where you are, when you’re out, when you’re in, that kind of thing. They’re waiting for you to go on vacation. You can use your name, but I wouldn’t use your cellphone number, email, or any of those kind of things.”
The second rule is to regularly check the security settings of the social media platform you’re on. “You can’t assume that since you set them once, they are still set correctly.” Mason says. “Facebook doesn’t want that. They want everything accessible to everyone, so, when you reinstall a new update, it changes your security settings. You’ve got to be constantly vigilant.”
His third rule provides guidance on just how public social media is. “I know it’s your personal site and where you communicate with your family and look at your grand baby and those things, but you’ve got to be really careful about what you’re telling people. Anything you post is just like you’re publishing it in the local paper… one that is available globally.”
You’re not beneath the bad guy’s radar
Even in the face of increasing economic, political and regulatory pressure, our nation’s rural hospitals continue to play a vital, lifesaving role in the communities they serve.
Rural hospital leaders have no choice but to find new ways to cut costs while still providing quality patient care. In this pressure-packed environment, it can be tempting to downplay the threat cybercrime poses. Thinking your hospital is too small to be of interest to cyber crooks is a mistake according to Mason.
“This particular incident goes to show they’re not just after large, multi-billion dollar health systems. It’s no different for a single hospital because the value of the data is there regardless. For the criminals, it’s an industry of averages; if they can get 50 small payments, they’re doing pretty well.”
A blueprint for cyber security success
While understanding the lack of resources poses a significant challenge, Mason warns, “Good technology is no longer just nice to have. It’s not secondary to the organization’s survival. It is now the same as keeping the lights on or having air conditioning. Because ultimately, when you do have an incident, if the system is down, it is not just a technical issue. All of a sudden you have physician satisfaction and patient safety issues. If you don’t have good technology, you will go out of business. You cannot run a hospital on paper; you just can’t do it.”
Mason recommends focusing on three fundamental IT and cyber security strategies as the best way to move forward despite scarce resources:
- Conduct an IT audit to identify what’s most valuable, most at risk and how to protect it
- Implement a robust, validated, and frequently tested backup system
- Have a dedicated, visible and accountable leadership champion and enforce simple, well-communicated cyber security policies and procedures
IT Audits: You don’t know what you’ve got ‘til it’s gone
Knowing what needs attention immediately and what can be dealt with over time is the one way to control the cost associated with developing and managing a sound IT and cyber security program. Detailed knowledge helps you identify the most efficient, cost-effective solutions.
“You need someone who can conduct at least two maybe three kinds of audits,” Mason says.
“Start with an initial executive-level assessment conducted by somebody who can give you a broad picture of the areas you need to focus on. Now, in some cases, the CIO may be able to address these areas themselves, if they have the experience needed.
After that, you need a technical audit. This includes penetration testing. Can they get through your firewall? Do you have things locked up?
Then you need what I would call an EHR audit. It’s a security audit that’s required to meet meaningful use and is conducted by a firm that’s certified to do so.”
Investing in these audits creates a framework for improving your system and its cyber security. After that, it’s what you do with that framework that counts.
“The commitment isn’t so much with the audit. The commitment is with addressing the list of things that have to be fixed. You’ve got to put a timeline in place, start with the highest priority and then work your way down. It could be a year worth of fixes, or more in some cases, depending on how old your infrastructure is and how much it needs to be improved.”
Does your backup have your back?
According to Mason, a hospital’s backup process is the first and foremost item to address. “I think backups are kind of the dirty little secret of IT; there’s an assumption that because you’ve put a lot of money into the backup and restore process, it must therefore be working. The reality is even backups in large hospital systems are probably only good 60% of the time. The question becomes, ‘What’s in that 40% that you didn’t get backed up?’”
To ensure your backup system will get you back up and running in the event of an incident or some form of cyber-attack, Mason recommends three key strategies:
- Validate your backup process: “Do you have one? Do you know it’s running on a regular basis? Have you documented what is being backed up and when?”
- Test your system: “This doesn’t mean testing it on the day that something goes bad. You need a regular process for testing. You don’t have to test 100%, but you need to test some random percentage of it on a regular basis, because you need to know early on that something’s not going well.”
- Make it someone’s primary duty: “It’s got to be a primary duty. What I see, especially in rural, is it’s secondary. I hear people say things like, ‘We don’t have enough people so we’ll get to it sometime…’ It has to be a primary role because it is the only thing that will save your bacon when you get that first ransomware.”
In most cases, vendors providing backup software and hardware can help you establish standards and implement systems for validating, documenting and testing your back up system.
Benefits of cyber security go beyond defense from attacks
The phishing incident at Hill Country illustrates the importance of creating a culture of vigilance throughout your hospital. Based on his experience, Mason says it starts with making sure everyone knows their role and their responsibilities when it comes to cyber security.
Mason recommends starting with the standards published by the National Institute of Standards and Technology (NIST). “If you can meet the NIST standards, you may not be 100 percent, but it’s a good framework to get started.”
And, for hospital specific standards, you also need to be aware of those set by the Center for Medicare and Medicaid Services.
The benefits of establishing, communicating and enforcing cyber security policies and procedures are many. Not only do you create a strong defense against attacks, it also allows your hospital to take advantage of new collaboration opportunities (e.g.: outsourcing), demonstrate due care, and more easily meet compliance obligations. It can also improve the cost efficiency of your cybersecurity spending because it helps you know how much is enough and avoid overspending.
Finally, because the best offense is surely a strong defense, being prepared includes the appropriate insurance coverage to protect your hospital from the costs associated with a breach. Having sound policies, procedures and systems in place makes it easier to get the right amount of coverage for the best possible price.
Ms. Jayne Pope, CEO of Hill Country stated it best, “I don’t like surprises in the board room. Our board requires and expects us to remain vigilant in protecting our patients and our employees.”
Need some help?
HealthSure can help you stay safely ahead of the cyber security game. Please contact us if you have questions or would like to learn more about our executive-level audit services, as well as the audit and risk management services of our strategic partners.
The National Rural Health Association (NRHA) and HealthSure announce the creation of a new risk and insurance management program available to all rural and critical access hospitals in America.
Called Rural Hospital Insurance of America (RHIA), the program’s overarching purpose is to ensure rural hospitals, stay safely ahead of the game.
“We have been listening to what our members need,” says Larry Bedell, executive director of NRHA Services. “We’ve done thorough research to get to the bottom of what has been working for rural hospitals. Because of what we’ve been told and what our research shows, we believe HealthSure is the best fit for this program.”
Larry says HealthSure’s singular focus on rural hospitals and the years of success it has achieved regionally makes it ideal for the national stage. “Barry and Brant really know what makes rural hospitals tick. Barry has tremendous insight thanks to his many years of experience as a hospital board member. They have both proven themselves to be valuable partners of the hospitals they serve. Most of all, they have a precise understanding of the amount of risk rural hospitals can safely manage. And, when called upon to do so, they know how to deliver the most effective, economical and appropriate prevention and protection solutions available.”
“Everything we’ve learned during 20 plus years of helping rural hospitals succeed is going into this new program,” says Barry Couch, HealthSure’s CEO and founder. “Because of our deep, practical understanding of the challenges and opportunities ahead for rural hospitals, the risk and insurance management expertise and solutions we deliver are unique.”
Using a carefully designed education and information campaign, NRHA and HealthSure will deliver proven strategies developed from the collective experience, effort, and determination of all program participants.
“Our experience in Texas and beyond proves there is strength in numbers,” Barry says. “With RHIA, the influence and power of participating rural hospitals will be multiplied resulting in more options, greater value, and better service from property and casualty, health, professional, and other insurance solution providers.”
Brant Couch, president of HealthSure, says “With decades of experience acquired by focusing exclusively on rural hospitals, we know what work best for gaining greater control of costs, preventing avoidable risk, tackling the rising cost of health insurance, and protecting rural hospitals today and in the future.”
The RHIA program is offered to all rural and critical access hospitals nationwide (NRHA membership is not required). Its mission is to keep all American rural and critical access hospitals safely ahead of the game. Program members benefit from group buying power, access to innovative, class-leading solutions, and the collective wisdom that comes from decades of dedication to rural hospital success.
Every day, more than 1 million people become victims of cyber crime, according to a study by Symantec, a computer security software company. Businesses, both large and small, are increasingly reliant on the Internet for daily operations, creating attractive and potentially lucrative targets for cyber criminals.
With such heavy use of and reliance on computers and the Internet by both large and small organizations, protecting these resources has become increasingly important. Learning about cyber attacks and how to prevent them can help you protect your organization from security breaches.
Cyber Attacks Compromise Your Organization
Cyber attacks include many types of attempted or successful breaches of computer security. These threats come in different forms, including phishing, viruses, Trojans, key logging, spyware and spam. Once hackers have gained access to the computer system, they can accomplish any of several malicious goals, typically stealing information or financial assets, corrupting data or causing operational disruption or shut-down.
Both third parties and insiders can use a variety of techniques to carry out cyber attacks. These techniques range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at gaining network access.
Cyber attacks can result directly from deliberate actions of hackers, or attacks can be unintentionally facilitated by employees—for example, if they click on a malicious link.
A breach in cyber security can lead to unauthorized usage through tactics such as the following:
- Installing spyware that allows the hacker to track Internet activity and steal information and passwords
- Deceiving recipients of phishing emails into disclosing personal information
- Tricking recipients of spam email into giving hackers access to the computer system
- Installing viruses that allow hackers to steal, corrupt or delete information or even crash the entire system
- Hijacking the organization website and rerouting visitors to a fraudulent look-alike site and subsequently stealing personal information from clients or consumers
Cyber attacks may also be carried out in a manner that does not require gaining unauthorized access, such as denial-of-service attacks on websites in which the site is overloaded by the attacker and legitimate users are then denied access.
Securing Your Organization’s Mobile Devices
Gone are the days when contact names and phone numbers were the most sensitive pieces of information on an employee’s phone. Now a smartphone or tablet can be used to gain access to anything from emails to stored passwords to proprietary company data. Depending on how your organization uses such devices, unauthorized access to the information on a smartphone or tablet could be just as damaging as a data breach involving a more traditional computer system.
The need for proper mobile device security is no different from the need for a well-protected computer network. According to computer security software company McAfee, cyber attacks on mobile devices increased by almost 600 percent from 2011 to 2012 with no signs of slowing down. Untrusted app stores will continue to be a major source of mobile malware which drives traffic to these stores. This type of “malvertising” continues to grow quickly on mobile platforms.
The Vulnerable Become the Victims
The majority of cyber criminals are indiscriminate when choosing their victims. The Department of Homeland Security (DHS) asserts that cyber criminals will target vulnerable computer systems regardless of whether the systems belong to a Fortune 500 company, a small business or a home user.
Cyber criminals look for weak spots and attack there, no matter how large or small the organization. Small businesses, for instance, are becoming a more attractive target as many larger companies tighten their cyber security. According to the industry experts, the cost of the average cyber attack on a small business is increasing exponentially and shows no signs of slowing down. Most small businesses don’t have that kind of money lying around, and as a result, nearly 60 percent of the small businesses victimized by a cyber attack close permanently within six months of the attack. Many of these businesses put off making necessary improvements to their cyber security protocols until it is too late because they fear the costs would be prohibitive.
Simple Steps to Stay Secure
The DHS, which issues bulletins and alerts that provide information on potential cyber threats, has issued more than 5,000 alerts and advisories in a single year. With cyber attacks posing such a prominent threat to your business, it is essential to create a plan to deal with this problem. Implementing and adhering to basic preventive and safety procedures will help protect your organization from cyber threats.
Following are suggestions from a Federal Communications Commission roundtable and the DHS’s Stop.Think.Connect. program for easily implemented security procedures to help ward off cyber criminals. These suggestions include guidelines for the organization as well as possible rules and procedures that can be shared with employees.
Security Tips for the Organization
- Install, use and regularly update anti-virus and anti-spyware software on all computers.
- Download and install software updates for your operating systems and applications as they become available; if possible, choose the automatic update option.
- Change the manufacturer’s default passwords on all software.
- Use a firewall for your Internet connection.
- Regularly make backup copies of important business data.
- Control who can physically access your computers and other network components.
- Secure any Wi-Fi networks.
- Require individual user accounts for each employee.
- Limit employee access to data and information, and limit authority for software installation.
- Monitor, log and analyze all attempted and successful attacks on systems and networks.
- Establish a mobile device policy and keep them updated with the most current software and antivirus programs.
Security Tips for Employees
- Use strong passwords (a combination of uppercase and lowercase letters, numbers and special characters), change them regularly and never share them with anyone.
- Protect private information by not disclosing it unless necessary, and always verify the source if asked to input sensitive data for a website or email.
- Don’t open suspicious links and emails; an indication that the site is safe is if the URL begins with https://.
- Scan all external devices, such as USB flash drives, for viruses and malicious software (malware) before using the device.
Most importantly, stay informed about cyber security and continue to discuss Internet safety with employees.
Don’t Let it Happen to Your Organization
According to the DHS, 96 percent of cyber security breaches could have been avoided with simple or intermediate controls. Strengthening passwords, installing anti-virus software and not opening suspicious emails and links are the first steps toward cyber security. In addition to the listed tips, the Federal Communications Commission (FCC) provides a tool for small businesses that can create and save a custom cyber security plan for your organization, choosing from a menu of expert advice to address your specific business needs and concerns. It can be found at www.fcc.gov/cyberplanner.
Your Emerging Technology Partner
A data breach could cripple your small business, costing you thousands or millions of dollars in lost sales and/or damages. Contact HealthSure today. We have the tools necessary to ensure you have the proper coverage to protect your organization against losses from cyber attacks.
What Are Critical Considerations in Risk Management?
Risk management is an essential aspect for healthcare organizations, requiring the right staff in place, proper cybersecurity frameworks, and a strong risk assessment process.
Elizabeth Snell HealthIT Security
Healthcare risk management is an increasingly critical area as cybersecurity threats continue to evolve. Regardless of an organization’s size, it needs to ensure that the right policies, procedures, and tools are in place so staff members can properly protect PHI.
Research is showing that more entities are focusing on cybersecurity, but malicious threats will also continue to become more intricate.
For example, the second annual HIMSS Analytics HIT Security and Risk Management Study found that more organizations are spending their IT budget on cybersecurity. Specifically, 24 percent of surveyed healthcare executives, C-Suite members, business and IT leaders, and clinical leadership said they spent 7 percent to 10 percent of their IT budget on cybersecurity in 2016. Only 10 percent reported doing so in 2015.
IT budgets and staffing issues were listed as the biggest barriers to having stronger healthcare cybersecurity programs, the survey showed.
There is often disagreement between the “business” and IT sides in healthcare. For instance, clinical and business respondents tend to have higher confidence in their organization’s cyber attack preparedness than their IT and security counterparts, according to the survey. Furthermore, business leaders more commonly view cybersecurity as a business risk issue, whereas clinical and IT leaders view it as a HIPAA compliance issue.
Even so, healthcare organizations can work toward creating stronger risk management programs by focusing on three main areas.
A trained and educated cybersecurity staff, an updated cybersecurity framework, and a thorough risk assessment process are three key ways for healthcare organizations to create stronger risk management.
Under the Health Insurance Portability and Accountability Act (HIPAA), a covered entity that experiences a ransomware attack or other cyber-related security incident must take immediate steps to prevent or mitigate any impermissible release of protected health information (PHI).
The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a checklist to help HIPAA-covered entities determine the specific steps they must take in the event of a data breach.
Employers that are subject to HIPAA should become familiar with the OCR’s checklist and other guidance for preventing and responding to cyber security breaches involving PHI. These employers should also ensure that they have procedures and contingency plans in place for responding to and mitigating the effects of any potential breach.
Has your entity just experienced a ransomware attack or other cyber-related security incident, and you are wondering what to do now? The guide issued by OCR explains, in brief, the steps for a HIPAA covered entity or its business associate (the entity) to take in response to a cyber-related security incident.
In the event of a cyber attack or similar emergency, a covered entity:
Continue reading for more information on various aspects of the HIPAA Security Rule, which was provided by OCR along with the checklist.
HIPAA Covered Entities
HIPAA is a federal law designed in part to protect the privacy of certain health care information known as PHI. In general, the HIPAA privacy and security rules apply to all health plans that provide or pay for the cost of medical care. These include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. However, a group health plan with less than 50 participants is not a covered entity if it is administered solely by the employer that established and maintains the plan.
The HIPAA privacy and security rules also apply to business associates of HIPAA-covered entities. A business associate is any vendor that creates, receives, maintains or transmits PHI for or on behalf of a covered entity. This includes vendors that have access to PHI in order to provide information technology-related services to a covered entity. Other activities a business associate may perform on behalf of a covered entity include claims processing, data analysis, utilization review and billing.
Protected Health Information
PHI includes all individually identifiable health information held by covered entities. Information is “individually identifiable” if it identifies, or if there is a reasonable basis to believe it can be used to identify, an individual. This information is PHI if it relates to:
- The individual’s past, present, or future physical or mental health or condition;
- The provision of health care to the individual; or
- The past, present or future payment for the provision of health care to the individual.
HIPAA Security Rule
Under HIPAA’s Security Rule, a “security incident” is defined as the attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system. The Security Rule requires covered entities to:
- Identify and respond to suspected or known security incidents;
- Mitigate, to the extent practicable, harmful effects of security incidents that are known to the entity;
- Document security incidents and their outcomes; and
- Establish and implement contingency plans, including data backup plans, disaster recovery plans and emergency mode operation plans.
Reportable Incidents and Indicators
HIPAA regulations also require covered entities to report certain cyber-related security incidents to affected individuals, the OCR and other agencies. In general, a reportable breach occurs anytime PHI was accessed, acquired, used or disclosed.
Certain “cyber threat indicators” may be reportable under the Cybersecurity Information Sharing Act (CISA) as well. CISA describes cyber threat indicators as information that is necessary to describe or identify any of the following:
- Malicious reconnaissance;
- Methods of defeating a security control or exploitation of a security vulnerability;
- A security vulnerability;
- Methods of causing a user with legitimate access to defeat a security control or exploitation of a security vulnerability;
- Malicious cyber command and control;
- A description of actual or potential harm caused by an incident; or
- Any other attribute of a cyber security threat, if disclosure of such attribute is not prohibited by law.
Enforcement and Liability
Under HIPAA’s Enforcement Rule, the OCR may assess civil money penalties of up to $1,677,299 per violation, per year, against a covered entity that fails to properly protect PHI. In determining the amount of an applicable penalty, the OCR may consider all mitigation efforts taken by a covered entity during any particular cyber security breach investigation. A covered entity’s mitigation efforts may include voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations.
In addition, the CISA provides liability protection to entities that monitor information systems or share or receive indicators or defensive measures in a manner consistent with the HHS sharing process.
Therefore, covered entities should ensure that their procedures for protecting PHI meet HIPAA standards and should take the steps outlined in the above OCR checklist in the event of a cyber security incident involving PHI.
Small but important print
This communication is designed to provide a summary of significant developments to our clients. Information presented is based on known provisions. Additional facts and information or future developments may affect the subjects addressed. It is intended to be informational and does not constitute legal advice regarding any specific situation. Plan sponsors should consult and rely on their attorneys for legal advice.
What Happens Next? This ACA Compliance Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice.
©2017 HealthSure. All Rights Reserved.
©2017 Zywave. All Rights Reserved.