What can you count on these days?
If you are like most of the healthcare leaders we work with, your answer is probably something like, “Not a whole heck of a lot!”
It’s understandable: As the pace of change accelerates and the world becomes increasingly complex, certainty can easily give way to vertigo. But, in these dizzying times, your organization’s success, even its survival, depends on your ability to keep your balance and your eyes wide open.
If you scanned even a fraction of the information generated during Cyber Security Awareness Month, you saw an abundance of new threats and little if any opportunity. That’s why we are happy to present the Cyber Opportunity Issue of HealthSure Headlines. To help keep things simple in the face of daunting complexity, we present a trio of articles that uncover and explore the opportunities lying behind all of those cyber threats.
Stop buying cyber insurance… Really?
When the head of IT security at a major Texas health system tells an audience of hospital administrators that cyber insurance is not worth buying, it causes quite a stir… to say the least.
Philip Alexander, the director of information security for the UMC Health System in Lubbock was speaking at an NWTHA (Northwest Texas Hospitals Association) conference in Abilene. His premise that cyber insurance might not pay claims as expected certainly got the attention of those in the audience who have purchased cyber insurance.
In a telephone interview a few weeks later, Philip clarified his statement and, while discussing what would appear to be a massive threat – insurers denying cyber claims – he spoke about significant opportunities that healthcare leaders are well placed to seize.
Innovation drives improvisation
Cyber insurance is a new frontier for insurance companies according to Philip. It’s a point well made. While actuaries have decades of data to work with when designing traditional products like auto insurance, the rapid evolution of technology means there is a lack of data behind the design of cyber insurance. In essence, he says, insurers are making as good a guess as possible in order to tap into a new market.
Because technology will always outpace regulation, Philip says the onus for compliance is on the insured, which in turn means the insurance companies are not accountable for it. Wondering what this means for your organization? Here’s a simple way to look at it: cyber insurance will only work if the insurance company believes your organization has fulfilled its cyber security duties. Those duties are twofold: practicing the due diligence needed to protect your organization from cyber crime and meeting regulatory requirements when a breach occurs. This is key to the whole issue; cyber insurance is not designed to cover the gaps in your cyber security policies and procedures. It is there to cover the cost of a breach after you have done everything you can do, as well as everything the law requires you to do.
You’ve got help
Because it’s a matter of when, not if, a cyber breach will occur, agreeing with your insurance company on a clear definition of due diligence will go a long way towards avoiding a claim being denied. It will help you do everything you can to reduce the likelihood of a breach and prevent unnecessarily high claims when one does occur.
Clearly there is a lot of work to do for insurers and the insured alike when it comes to making cyber coverage work. Fortunately, you and your insurer are not alone; there are several noteworthy organizations leading the charge towards workable cyber due diligence.
Perhaps the most significant work is the Cybersecurity Framework, developed and kept up to date by the National Institute of Standards and Technology (NIST).
According to the NIST website, “The Framework… consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.”
HITRUST is another leader in this field, and it specializes in cyber security certification for healthcare organizations. It has created the HITRUST CSF, described as a “scalable, prescriptive and certifiable framework specific to healthcare organizations.” HITRUST CSF is designed for organizations that create, access, store and exchange personal health and financial information.
Philip Alexander’s clear-eyed appraisal of how to ensure your cyber coverage works includes a world in which the insurer and the insured agree to a certifiable, sustainable standard of due diligence. Knowing that cyber security requires two types of investment – due diligence/compliance and premiums for coverage – is essential and creates the opportunity to turn your employees into your security team.
Good business and good for business
This is where opportunity lies.
In a report on technology security and risk priorities, Forrester Research reminds us that 88% of the S&P 500 market value consists of goodwill and intangible assets such as reputation, brand, and customer experience. Boards have a fiduciary responsibility to protect these assets. Because data breaches can seriously harm these assets, the board and management team must know the right cyber security questions to ask and be able to get the best answers possible.
The pursuit of asking and getting great answers naturally leads to engaging and educating employees, managers, suppliers and other partners in their role in ensuring cyber security. In meeting the cyber challenge you will find an opportunity to strengthen your organization’s ability to perform at a high level. And, the financial benefits go beyond lower premiums. Patients are increasingly aware of the danger to their personal financial well being created by a breach. Knowing that your organization has taken all the best possible steps to ensure their health records are safe is a significant factor in the choices they make.
So, to keep things simple in the complex world of cyber security, healthcare leaders have to remember only two things: creating and sustaining a cyber secure organization is not only good business, it’s good for business.
Understanding emerging opportunities: a fiduciary essential
“If all you have is a hammer, everything looks like a nail.”
(The Psychology of Science by Abraham Maslow)
Sick of cyber yet? After being assaulted by the din of a thousand hammers pounding away at cyber threats, security, due diligence, compliance and insurance, it is understandable if you’re inclined to turn a deafened ear. But perhaps, with a little noise-cancelling perspective, you may be able to hear in the cyber conversation a broader, more holistic opportunity.
Cyber risk is a lightning rod for attention because it is continuously emerging. As the pace of technological advancement accelerates, cyber represents a rapidly evolving and ongoing risk that must be addressed in a proactive and aggressive manner. While you may be tempted to think of cyber as an isolated challenge, it is part of a much bigger challenge and opportunity. By adopting a more proactive and aggressive approach to managing cyber, boards create the opportunity to use the same approach to manage all other emerging (and existing) risks.
The board of the future
If proactive and aggressive are not words you would use when describing how your board addresses emerging risks, consider this simple opportunity: If hospitals and other healthcare organizations are going to survive and flourish, the board must become an agile, dynamic, skilled and highly connected entity.
As a member of the Baylor, Scott & White Memorial Hospital – Temple board, I am in this game. As we expand our market by entering into agreements with rural hospitals, we are becoming increasingly aware of a transformation in the role we play and the expectations placed upon us.
The challenges and opportunities we face are unprecedented. Not only is the pace of change accelerating, its depth and breadth is expanding geometrically. And, thanks to technology and human nature, the world in which we must succeed is becoming increasingly interconnected and interdependent. You simply can’t make a change in one area without impacting many if not all other areas.
Acknowledging this new normal makes clear the need for a modern board. The board of the future must be capable of providing leadership excellence while actively engaging with management, physicians, nurses, volunteers, patient advocates, community stakeholders and others. Only then will it be able to meet the challenges we face and realize the opportunities ahead.
Emerging risks abound just as old challenges become more acute. Healthcare organizations are being asked to improve the patient care experience and the overall health of a population by providing high-quality affordable care. And, while expectations grow, the national spotlight on the cost of care has never been brighter. We are being asked to do much more with much less.
It is in this environment that boards are looking for new opportunities including mergers and acquisitions, better physician contracts and partnerships, micro hospitals, free standing ERs, and many others. Within all of these opportunities lies a bigger opportunity: leveraging leadership excellence to create a community-wide awareness of each person’s role in creating a sustainable healthcare system. The solution to what will otherwise be a healthcare crisis unlike anything our country has ever known starts with the board.
Risk is everywhere, as is opportunity; they are two sides of the same coin. The modern board must be willing and able to take on new risks in order to realize new opportunities, and it must do so with the support and assistance of all stakeholders. That’s why a modern board sees fostering collaboration as job number one. It will provide the expertise and energy needed to manage the complexity and uncertainty the healthcare environment is continuously creating.
Huge tree, little forest
Felling a huge tree with a dull axe is not a task worth pursuing. Which brings us back to cyber risk: in order to fell the cyber risk tree, boards have to throw away their axes and bring in modern equipment to not only make the job easier but make sure every sliver of the tree is utilized.
Using technology to achieve better healthcare outcomes and reduce utilization, and adopting population health tools and data analytics to identify risks, requires a whole new approach to the board’s leadership role. When it comes to cyber risk, the board must insist on collaboration between everyone involved in patient care while ensuring the EHR technology used is transparent and completely secure.
Despite the din, the cyber risk hammer may just be the tool that hits the board modernization nail on the head.
In mid-July, the Office for Civil Rights (OCR) reported the number of major health data breaches YTD in 2016 had risen to 43 as compared to 37 during the same time in 2015.
Known as the “Wall of Shame”, OCR’s website has been publicizing the details of breaches affecting 500 or more people since 2009. An interesting and informative difference between 2015 and 2016 is that 35 times fewer people were affected in 2016 than in 2015 (2.7 million people versus 93.2 million). That’s largely because the 2015 attacks targeted large health plans, including the two biggest health data breaches ever: Anthem Inc. affected 78.8 million individuals, and Premera Blue Cross compromised data from 11 million individuals.
Of even greater interest is the changing nature of the attacks. The cyber watchdog website Data Breach Today quotes Dan Berger, CEO of security consulting firm Redspin, who says, “Rather than the state-sponsored, large-scale attacks on insurers we saw in 2015, it appears that primary care facilities and specialty clinics – podiatry, radiology, oncology, pain management – are being targeted this year. This tells me that more local actors and identity thieves are apt to be involved – and that black market demand for personal health information remains strong.”
Tales of woe from “The Wall”
Digging into the OCR’s Wall of Shame takes some time, patience and a tolerance for the somewhat arcane language of big government, but it is highly instructive. Each report includes a press release containing the broad details of the breach and a PDF of the Resolution Agreement and Corrective Action Plan. Within these action plans lies a wealth of practical, how-to information for healthcare leaders looking to succeed in cyber security.
For example, in early October of 2016, St. Joseph Health (SJH) agreed to pay $2,140,500 for possible HIPAA violations that occurred in 2011 and 2012. It also agreed to implement a corrective action plan that includes an enterprise-wide risk analysis, the development and implementation of a risk management plan, a revision of its policies and procedures, and the ongoing training of its staff on the new policies and procedures. (SJH operates 14 healthcare facilities in California and in parts of Texas and New Mexico.)
The breach was reported in 2012 after SJH had determined that files it created for participation in the Meaningful Use program, containing electronic protected health information (ePHI), were accessible on the internet from February 1, 2011, until February 13, 2012, via Google and possibly other internet search engines.
The server used to store the files had a file sharing application on it with default settings that allowed anyone with an Internet connection to reach the files. This gave the public unrestricted access to the ePHI records of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.
Missing: An ounce of prevention
The OCR investigation revealed SJH failed to evaluate the risks inherent in bringing a new server online. What is very telling, and a powerful warning in this case, is that even though SJH had hired contractors to assess the risks and vulnerabilities of ePHI in its possession, the assessments were “conducted in a patchwork fashion and did not result in an enterprise-wide risk analysis.”
So now SJH has to spend considerable time and money to do an enterprise-wide risk assessment that meets the OCR’s standards.
Here is a great opportunity for leaders of healthcare organizations: comparing your cyber security policies against the OCR’s definition of an enterprise-wide risk analysis allows you to double check your standards, significantly reduce the likelihood of a breach, and improve your ability to mitigate the negative impact when a breach does occur.
As a first step in completing the risk analysis, the OCR is giving SJH 60 days to provide “an accurate and thorough enterprise-wide risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by SJH, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic protected health information…”
That’s just the beginning: the analysis must include a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI.
And now the fun begins; once the analysis is submitted for review, the OCR will provide its recommendations for a revised risk analysis, after which SJH will have another 60 days to provide a revised risk analysis for further review. Then, in the words of the settlement, “This submission and review process shall continue until (OCR) approves the risk analysis.”
One more for good measure
In July of 2016, The University of Mississippi Medical Center (UMMC) agreed to pay $2,750,000 and adopt a corrective action plan to help assure future compliance with HIPAA Privacy, Security, and Breach Notification Rules. The breach was reported after a password-protected laptop was stolen from the ICU. With the laptop and a generic user ID and password, the thief had access to the ePHI of 10,000 patients stored on a UMMC network.
Among many of its findings, the OCR reported that UMMC failed to implement existing policies and procedures designed to prevent, detect, contain, and correct security violations. As a result of the settlement, UMMC has agreed to designate an “Internal Monitor” who has to review UMMC’s compliance with all terms of the corrective action plan. A quick scan of the duties of the internal monitor would indicate this person would have very little time for anything else. What this means is UMMC has to repurpose a senior person or hire someone with the appropriate qualifications to conduct the ongoing watchdog duties.
A simple lesson learned again, and again, and…
After 7 years, there isn’t much the Wall of Shame hasn’t seen. Without exception, each case shows that there is always more you can do to prevent a cyber breach and to protect your organization from its impact. And, even more clearly, prevention would have cost the organizations that fell victim to a breach a lot less than the breach ended up costing them after the fact.
(If you would like help with your cyber security preparedness, contact David Hampton.)
Here We Grow Again
The HealthSure team welcomes two new members!
To help our clients succeed in an increasingly complex world, we are always looking ahead. In order to help our clients deal with rapid change, we are constantly strengthening and refining our team.
Jennifer Bartley: better than ever
Many of our clients have met and worked with Jennifer in her role assisting Barry and Brant Couch. What many of you may not know is that Jennifer has also been responsible for coordinating HealthSure’s communications and IT. With the addition of Pamela Muniz to our team, Jennifer will now be able to dedicate much more of her time to getting the word out about HealthSure and the clients and community we serve.
Associate Account Manager | Employee Benefits
We are pleased to welcome Brandi to our team. With more than seven years of experience in HR and employee benefits, Brandi has acquired a robust knowledge of medical and ancillary products. She is a graduate of Texas State University holding a bachelor’s and master’s degree. As your account manager, Brandi will ensure your group receives exceptional customer service.
As our team, capabilities and systems grow, so too does the need for someone to keep all the plates spinning at once. Pamela (Pam) has bravely taken on that role as well as the role of executive assistant to Barry Couch, CEO, and Brant Couch, President. Prior to joining us, Pam spent 15 years in senior administrative roles with the Seton Healthcare Family and the Helping Hand Home. She received her Bachelor of Arts from Ripon College located in Ripon, Wisconsin.