Last month Robert Felps and I were fortunate to attend THA’s inaugural Texas Health Care Security & Technology Conference. Great speakers, wonderful host and facility, collegiate atmosphere – a great learning experience overall. Hats off to Fernando Martinez, THA’s Chief Digital Officer, and his team for a great couple of days. Here’s a brief recap of the key takeaways.

REALITY

1. Cyber threats are dynamic. Bill Virtue reminded us that there have been more than 4000 ransomware attacks per day since the beginning of 2016 (that’s 2,892,000 attacks in 2 years!), and Michael Echols reported that the cyber criminals are continually learning and sharing information.

2. Patient safety is at stake. Randy Yates, Bill Phillips, and Bob Chaput all gave examples of how the proliferation of medical IoT presents an increasing risk of patient harm if an attack shuts down or alters the performance of both diagnostic and treatment equipment, including CAT scanners, ultrasound machines, infusion pumps, and ventilators. 

3. The real financial impact of a breach can be 10x the OCR fine! The hard costs of notifications can add up quickly, the most common being legal fees, lawsuits, technology support, forensics experts, increased marketing costs, and increased staff time. The less tangible costs of brand damage will be evident in the bottom line. The examples were sobering.

Before everyone fell into complete despair, however, each speaker also offered guidance and remedies – as Bob Chaput of Clearwater put it, “No matter where you are, there is a path forward.” Below are key themes of the speakers’ recommendations, which I’ve labeled “reality management” because another key takeaway from the conference was that there is no such thing as being “done” with cybersecurity because cyber risk management is an ongoing process.

REALITY MANAGEMENT

1. Cybersecurity is risk management. This was the title of Michael Echols’ presentation and pretty much sums up all the points that follow.
2. Cybersecurity is a team sport. IT cannot and should not be managing cybersecurity in isolation. Everyone in the C-suite needs to understand the role they play in keeping patient data safe and the steps they need to take to get their managers and staff on board.
3. A Security Risk Assessment is the essential first step. “You can’t secure your system if you don’t know where the vulnerabilities are.”
4. Any device or equipment that connects to the network must be included in the SRA. Even devices that don’t tie directly into the EHR, such as a remote-controlled thermostat on the blood refrigeration unit – or the aquarium in the waiting area! – can be a point of entry for a malware attack.
5. Cybersecurity requires a holistic, programmatic approach. A single, new cybersecurity technology will not make your organization secure. Once the vulnerabilities have been identified via the security risk assessment, addressing those vulnerabilities will require administrative action, process improvements, and staff education and reinforcement, as well as technology adjustments. See #2 – cybersecurity is a team sport.
6. Establish an incident response plan – and practice it regularly. Organizations that prepare recover faster and incur fewer costs – hard and soft costs – in the event of a ransomware attack or other breach.
7. Bottom line: Start now – and continue! Cyber risk management is a continuous improvement process.

In summary: (1) the threat is real and persistent; (2) technology alone won’t solve the problem.

If you’ve been an active cybersecurity player, there are few surprises here. Hopefully, however, it is reassuring to hear that you’re on the right path, and you’re not alone – hospital executives across the state and across the country are working hard to get out of the fire-fighting business and into holistic cyber risk management.

Building a CyberConfident™ World

The 2017 Global Information Security Workforce Study (GISWS) released in February 2017 forecast a shortage of 1.8 million cybersecurity workers by 2020, while a study by Cybersecurity Ventures estimates “3.5 million unfilled cybersecurity jobs” by 2021. While the projected magnitude of the shortfall varies from one study to the next, government experts, consultants, and pundits alike are unanimous in predicting that the current shortage of qualified cybersecurity workers will only get worse for the foreseeable future, a situation Steve Morgan has called “the greatest cyber risk of all.”

There is less agreement about why the shortage exists and, therefore, how to fix it.  The traditional school of thought is that educational institutions haven’t prepared enough graduates to meet the growing need. The implied solution from this perspective is to increase educational capacity by creating new programs and increasing enrollments in all programs through better marketing and outreach efforts. Outspoken critics of this perspective, however, say that cybersecurity is not an entry-level position and that graduates of cybersecurity programs lack the technical depth required to be effective.

These critics offer an alternative perspective – cybersecurity professionals are not trained in the classroom but must be developed on the job after gaining expertise in IT operations. So rather than casting about externally for cybersecurity talent that isn’t available, IT managers should be looking within their own ranks for people who could be trained in security. For instance, in a 2015 Computerworld column, “The myth of the cybersecurity skills shortage,” Ira Winkler wrote, “The best security practitioners have experience in the technology and processes that they are supposed to secure…If you have no experience as a system administrator, you cannot maintain the security of a system.” He goes on to say that most of his work as a security professional has been to shore up poorly designed, poorly configured, and poorly maintained systems, which requires IT knowledge, rather than using hacking knowledge he gained in his training. But this perspective also has critics.

A third point of view is that IT managers who only look for security professionals with IT/computer science credentials are creating the shortage through their own myopia. In a Harvard Business Review article, Marc van Zadelhoff, General Manager of IBM Security, describes IBM’s approach of creating “new collar” jobs. They look for people with “unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks” – characteristics that can’t be taught – and then train them in the necessary technical skills through on-the-job programs, vocational and community college courses, and industry certification programs, such as those offered by (ISC)². Supporting this view is the finding in the Global Information Security Workforce Study that 87% of current cybersecurity workers began their career in another field, some in other IT roles but many in non-IT fields.

So what’s the answer?

Like most difficult organizational problems, there is no single cause and, therefore, no single solution. Addressing the cybersecurity personnel shortage will require focused and creative efforts on the part of educators, managers, trade associations, and employees alike.

• Educators need to work closely with industry to identify the needed knowledge and skills to integrate into existing curricula or to serve as the basis for new programs.
• Managers, meanwhile, with support from HR and other training resources, may need to create their own internal on-the-job training programs for existing personnel, creating opportunities for lateral moves into security positions.
• Managers may also need to cast a wider net for potential security talent as IBM has done, looking for people with the necessary character and an eagerness to learn outside the IT ranks.
• Trade associations, such as ISSA and (ISC)², can pool resources to raise awareness of high school, college, and midcareer professionals of available cybersecurity career options and the paths available for acquiring the needed knowledge and skills.
• Workers already in cybersecurity positions will need to adapt to their role as teacher/mentor to those moving into security positions, respecting those with non-IT backgrounds as possibly bringing in fresh perspectives.

Finally, even if there were an excess of cybersecurity pros, they cannot safeguard an organization alone. All workers, managers, and executives, from the front desk and loading dock up to the C-suite must come to recognize that cybersecurity is now a part of everyone’s job! More on this in the weeks to come.

Is a personnel shortage putting your organization at risk? Contact us for a third-party Security Risk Assessment to find out: 512.310.0020 or info@thirdrock.com.

Hopefully, you’ve realized one of your pieces of defense in the cybersecurity war is Cyber Liability Insurance or Data Breach Insurance, sometimes called Cyber Insurance.  What you may not know is that cyber liability insurance is getting more difficult to obtain.  Several insurance companies we’ve spoken with have reported that in 2017, cyber liability claims outpaced other claim types, including medical liability claims!  In very simple terms, this means that cyber liability insurance is costing the insurance companies a lot of money.  As you know insurance companies are not in business to lose money, so they are now taking steps to reduce their losses.

More Difficult to Acquire

As the cost of providing cyber insurance increases, the insurance companies look for ways to offset those costs or losses.  One of the obvious ways is to raise premiums, but that’s not good for sales.  Another way is to better evaluate each client and charge according to their risks or liabilities.  The insurance companies have done this by asking more technical questions during the application process to ascertain how well the client is protecting the valuable data.  The smart insurance companies are now requiring a Cybersecurity Risk Assessment (aka “HIPAA lite”) before quoting the price of cyber insurance.

More Expensive

One of the effects of all the cyber attacks is a rise in cyber liability premiums.  Although we couldn’t find reliable estimates of the increase in premiums for cyber liability insurance, we did talk to several insurance companies that estimated premiums have more than doubled in less than 18 months.  Whether they have gone up 5% or 100% isn’t the issue – the issue is that cyber attacks are so common that the insurance companies are having to pay out on claims and they plan to recover their losses.  Take note of this and take action.  Harden your systems, make sure your backups can be restored successfully and buy cyber insurance from a reputable company (and read the fine print).

More Needed

Most small businesses either don’t have cyber liability insurance or not near enough.  The average remediation effort after suffering a cyber breach and loss of data is over $800,000 dollars.  Of small businesses that actually have cyber liability insurance, the estimated average coverage is $100,000.  That’s leaving them with a $700,000 shortfall to pay out of pocket.  That doesn’t include loss of reputation, revenue, and clients.

Take Aways

1. Perform a cyber risk assessment that complies with the government-required standards for your industry. (HIPAA, NIST 171, GDPR, FISMA, NAIC’s Insurance Data Security Model Law). The risk assessment will give you the information you need to reduce your probability of a cyber breach and if you are breached, the information needed to reduce the impact. Reducing the risk of a breach and reducing the impact if a breach should occur should also translate into reducing your cyber insurance premiums.
2. Based on the risk assessment results, take the necessary corrective actions to harden your cyber defenses.
3. Consider purchasing cyber liability insurance. If you already have cyber liability insurance, you might consider purchasing more than you already have.
4. Do the risk assessment first!

Do you need help performing a cyber risk assessment?  Email us at info@thirdrock.com or give us a call at 512.310.0020.  We’d be more than happy to help!

Protect your Clients. Protect your Organization. Protect Yourself.™

Right now the healthcare industry is in the final race to complete the requirements for MACRA, the new reimbursement scheme for Medicare. Thousands of dollars are at risk – failing to satisfy the MACRA requirements in 2017 will result in payment reductions for all of 2019!

Submerged within the 2,398 pages of MACRA lies a key requirement for eligibility – completing a security risk assessment (SRA). The SRA is a “core requirement.”  Without an SRA, a healthcare practice can undo all their other efforts to achieve the high score needed to get full Medicare reimbursements and bonuses. In fact, without an SRA, a practice is likely to face payment penalties in 2019.

Be aware of two misunderstandings that give healthcare practices a false sense of security in meeting the annual requirement for a Security Risk Assessment:

• “My EHR is HIPAA-compliant, so I don’t need to do an SRA.”

Simply installing a certified electronic health record (EHR) does not fulfill the Meaningful Use or MACRA requirement for a security risk analysis.  Even with a certified EHR, you must perform a full security risk analysis to ensure that you are properly safeguarding all the protected health information (PHI) you maintain, whether in paper or electronic form.

• “My IT service takes care of all that security stuff.”

Don’t assume your IT service provider is taking care of security.  IT companies typically believe they are only responsible for installing a firewall and anti-virus application and keeping your computers running. They assume the Practice Manager is handling all other aspects of system security, including policies and procedures, staff training, password maintenance, mobile device management, and facility security.

The Security Risk Assessment isn’t just busy-work. Completing an SRA and fixing any identified gaps will increase your cybersecurity and complete a critical HIPAA requirement, saving you thousands in penalties and fines as well as protection from a breach.

Doing an SRA should be an important year-end “To do.”  It will give you peace of mind, letting you go into the New Year feeling more protected and positioned to increase your revenue. Don’t miss out!

If you have any questions about performing a Security Risk Assessment,

please contact us at: compliance@thirdrock.com.

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

A couple of weeks ago, I was talking with a technology vendor who is starting to move into the healthcare space. Their technology isn’t used in the creation or manipulation of patients’ protected health information (PHI), but they do store information on behalf of healthcare organizations that could potentially include PHI. They wanted to know, “Are we required to comply with HIPAA?” Technically – yes. On the other hand, there are hundreds of healthcare organizations and healthcare vendors who actively choose not to comply.

As a healthcare organization or vendor with narrow profit margins, it’s understandable that one might think of HIPAA as a deferrable expense. After all, what are the chances of an information breach? Of an OCR audit?

Unfortunately, the chances are significant – and growing. Consider these facts:

• A healthcare record is worth 100-300 times the value of a credit card record on the black market (i.e., $100-$300 per healthcare record vs. $1 per credit card account number). Consequently, cyber criminals are targeting healthcare organizations.
• Healthcare organizations, in general, are very vulnerable to cyber attacks for a variety of reasons, including lack of personnel with cybersecurity expertise; years of under-investment in IT infrastructure; naivete regarding the threats; high staff churn; and poor physical facility controls.
• The risk of an OCR audit is very small. The risk of a covered entity being breached is very high. If breached, the risk of an OCR audit goes to 100%.
• If a Covered Entity is breached and then audited, the risk of that Covered Entity’s Business Associates being audited is also very high.
• When audited, organizations that can demonstrate they have taken all appropriate precautions will be fined at the lowest rate – or not at all. On the other hand, organizations that have actively neglected cybersecurity and HIPAA compliance will be fined at the “highest rate.” In fact, some recent fines levied by the OCR have exceeded what was previously thought to be the “maximum allowable.”
• The fine is only a portion of the total breach remediation costs. Other costs include patient notification (approximately $4 per affected patient); credit monitoring for affected individuals (free to the patients) for 1-3 years; legal fees; class action lawsuit settlements; personnel time spent handling the remediation; and reputation loss.
• Finally, HIPAA violations can now be prosecuted as both civil and criminal offenses.

Whether and how to invest in cybersecurity training and technology and HIPAA compliance is a business decision only you can make based on your own ethics and risk tolerance. Be sure, however, to base your decision on facts. Up-to-date breach information across industries is available at the Identity Theft Resource Center (ITRC). A list of healthcare organizations fined for HIPAA violations following a breach can be found on the HHS OCR’s Breach Report list. Whatever your choice, ensure that you have protected your customers’ data, protected your organization from the risk of data loss, and protected yourself by understanding and complying with all relevant laws.

Protect your Patients. Protect your Organization. Protect Yourself.™

One of the first lessons of process improvement is that preventing errors is much less expensive and time-consuming than remedying the damage after the fact. The same is true for an information breach. The time and cost for installing new software, training staff members, and reinforcing policies and procedures pales in comparison to cleaning up the damage of an information privacy or security breach.

Recent headlines of multi-million-dollar OCR fines and the hundreds, thousands – even millions! – of lives affected suggest the scale of the damage to both businesses and individuals. The news reports rarely explain, however, exactly how the breach could have been averted. This is the first in a new series of articles using publicly reported breaches as teaching opportunities for breach prevention. These are not intended as an “I told you so” for the organizations breached – each incident could happen at almost any healthcare organization today. The goal is for all of us to continuously improve our understanding of the risks to patient information and the options available to us for protecting that information without creating an oppressive atmosphere for our patients, staff, and visitors.

Unauthorized photographs of a surgical patient

This first example was reported in the HIPAAJournal just last week. Basically, surgical staff members photographed a patient’s genital injury using their personal phones and shared the photos with friends. Details of the incident are available in the HIPAAJournal post. What we want to focus on here is whether and how management could have prevented this breach.

This incident is particularly egregious because the information disclosed was so sensitive and because so many health care professionals and staff members – the very people charged with keeping the patient and his information safe – were complicit in the violation. I understand that in the face of such irresponsible behavior, a manager might be tempted to feel helpless – “I can’t watch every person every minute. What can I possibly do to make sure none of my staff ever do something stupid?” Here are some suggestions.

Action 1: Policy disallowing use of personal phones in the OR (or any patient area) for any reason.

As a former frontline nurse, I understand the tendency to scoff at policy – “What good’s a policy? People will do whatever they want to anyway!” There’s some truth to that – practice never perfectly matches policy – but what a policy does do is establish clear guidelines for expected behavior.

If the hospital wants staff to have mobile communications, they need to supply them with Vocera badges or other devices and not rely on staff members’ personal telephones. Personal phones can be used at the desk and in the break room, but not in patient areas – period. Responsibility for enforcing the policy must be shared by charge nurses and circulating nurses, not just the department manager or director. A charge nurse found not to be enforcing the policy could be suspended just as if s/he had been using the phone him or herself.

Action 2:  Intensive staff training, retraining, and reinforcement.

The speed and shamelessness with which these staff members brandished their phones suggests gross ignorance of the HIPAA Privacy and Security Requirements and of the potential consequences for violating them – termination, civil charges and fines, and criminal charges that could include probation or jail time.  Staff should receive comprehensive HIPAA training during their orientation before being given access to patients or PHI. That training should then be reinforced with shorter refresher courses and/or routine discussions of patient privacy and information security in staff meetings, organizational Town Hall sessions, and online forums on the organization’s intranet.

Action 3:  Leadership in the moment.

In the OR, the anesthesiologist, the surgeon, and the circulating nurse all possess significant authority. Any one of these individuals could have called a halt, required everyone to power off their phones, sealed the room, and called hospital security to confiscate the phones until someone from IT could sit with each individual involved to clear the photos.

This action is still more Band-aid than prevention, but it is the actions of leaders in the heat of the moment that either reinforce or undermine policy and training. It did sound like the executives were taking the incident very seriously and had applied appropriate sanctions. It may also have been the case that the circulating nurse or surgeon brought the incident to the executives’ attention – that information wasn’t included in the article. The critical takeaway is that protecting patient privacy, confidentiality, and information security are now as important a leadership responsibility as patient safety and infection control.

The above actions, taken together, are the pillars of creating a Culture of Compliance. Whether the focus of the compliance is HIPAA, CLABSI protocols, or hand washing – all require clear expectations, appropriate training, and unrelenting leadership. Culture is powerful – the trick is to create a culture that makes it easy – automatic – to do the right thing.

Our very best wishes to the patient and everyone at UPMC Bedford Memorial trying to remedy the situation.

If you need assistance establishing a culture of compliance please contact us at compliance@thirdrock.com

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™