Don’t Assume You’re Immune to a Cyberattack

CAST | January 19, 2018 | by Geralyn Magan

Providers of aging services are at greater risk for cyberattacks than other health care organizations because they’re new to electronic record keeping and have less mature information security systems. Cybersecurity expert John DiMaggio outlines steps you can take to keep your data safe. Be sure to check out “You Can Fight Back Against Cybercriminals,” the second article in this cybersecurity series.

Think damaging cyberattacks only affect big department stores like Target or credit reporting agencies like Equifax?

Think again, says LeadingAge CAST Commissioner John DiMaggio, chief executive officer (CEO) of the cybersecurity firm BlueOrange Compliance, which is a CAST Supporter.

Target’s 2013 breach, which stole credit and debit card information from 40 million customers, made headlines we won’t soon forget, admits DiMaggio. And the 2017 Equifax breach, which exposed the personal information of 143 million American consumers, still takes our breath away.

We might be tempted to assume that the health care sector is immune to such headline-grabbing cyber disasters. But, if recent statistics continue to hold true, such assumptions will surely lead to rude awakenings.

Over the past 2 years, 89% of health care organizations had at least one data breach involving the loss or theft of patient data, according to CAST’s new Cybersecurity White Paper. Almost half of these organizations (45%) had more than 5 breaches.

Long-term and post-acute care (LTPAC) organizations are at a greater risk for these breaches because they’re new to electronic record keeping and have less mature information security systems than other health care organizations, says the white paper.

Making Money from Stolen Information

The risk of a cyberattack becomes even greater for LTPAC organizations when you consider that their electronic systems house the commodity hackers value most: personal health records containing the “trifecta” of hacker currency:

  • Personal health information, such as age and diagnoses;
  • Personal identifiable information, like social security and Medicare/Medicaid numbers; and
  • Financial information, including bank account and credit card numbers.

“If someone has your health record, they can actually be you,” says DiMaggio. “They can apply for Medicaid, fraudulently bill the government, and get health services, or even opioids. Health information is like a gold nugget. Someone is always willing to pay something for it.”

Some criminals will hack into electronic systems “just for the fun of it, to see how far they can get,” says DiMaggio. But most cybercriminals are after the large sums of money they can get by either selling personal information, or encrypting an organization’s data and then demanding a ransom to release that data. Both types of cybercrime require that criminals get inside your electronic networks by:

  • Finding and exploiting a vulnerability at the perimeter of your system;
  • Using a “phishing” scheme to trick an employee, via email or telephone, into handing over a user name and password that opens your system to nefarious operators; or
  • Brazenly walking onto your campus, sitting down at an unsecured computer, and helping themselves to personal health records they can sell to the highest bidder.

Dire Consequences

No matter how a hacker gets into your system, the consequences of that breach are likely to be dire for your organization and the people it serves, says DiMaggio.

Residents and clients could face financial ruin if a cybercriminal uses their personal data to raid a bank account or steal other assets. The pain and suffering associated with trying to reclaim a stolen identity could be even more personally damaging.

Organizations without good data backups could end up turning over a hefty bounty to reclaim data that was locked through a ransomware attack.

Even small LTPAC organizations could pay 6-figure government fines and endure increased government oversight if a breach is tied to their lack of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA establishes national health information privacy and security standards, and requires that most health care organizations, including many LeadingAge members, implement specific safeguards to protect sensitive information.

Add in the price of hiring attorneys and cybersecurity experts in an emergency, and the costs of offering reparations to those who have been personally affected by a breach, and it’s clear that some organizations might have trouble surviving a serious cyberattack.

As expensive as a breach might be, however, the damage from financial losses would pale in comparison with the harm that a compromised digital network could do to an organization’s reputation.

“If you’re going to be in the news, you want to be in the news for a good reason,” says DiMaggio. “When a consumer is working with an organization that was hacked, the likelihood that they will go back to that organization is greatly diminished.”

Cybersecurity: What Do You Need to Do?

There’s no way to completely protect your organization from a cyber threat, warns DiMaggio. But implementing prevention strategies in 3 core areas can certainly help:

Technology: Organizations can make their electronic networks more secure by installing multiple layers of tools designed to monitor network traffic and system security. Pay attention to the threats those tools uncover, and fix what you can, says DiMaggio. Back up your data regularly, and test your backup recovery, so that ransomware, if it occurs, becomes a non-issue.

“With a good backup, you can snap your fingers and bring your data back in a matter of hours,” he says.

In addition, says DiMaggio, be sure to apply the latest software patches and updates, which can include fixes to known vulnerabilities.

“Some of the latest cyberattacks exploited vulnerabilities that had been patched months earlier,” he says.

Policies and procedures: The most effective and least expensive approach to cybersecurity involves developing policies and procedures aimed at preventing and managing a security breach. These documents will outline the regular steps your organization and its employees will take to keep your systems safe. Policies and procedures can also help you plan how you will respond if your systems are compromised.

“Having this figured out before something bad happens is better than trying to figure it out during a crisis,” says DiMaggio.

The human factor: An organization’s most serious cybersecurity threats may be the humans who sit at its computers, says DiMaggio. These individuals may mistakenly click on a link in an email, or unwittingly provide credentials to a stranger intent on stealing the organization’s data.

Because cybercriminals are smart, and employees are generally unsuspecting, it’s important to adopt strategies—including education, training and sanctions—to ensure that team members don’t put your data at risk, says DiMaggio. Do testing to ensure that education and training were effective.

5 Steps to Greater Security

It’s natural to be a bit overwhelmed by the complexity of cybersecurity, but that’s no excuse for inaction, warns DiMaggio. He suggests 5 “baby steps” that every organization should take to begin the process of making its systems more secure.

  • Assess: Perform a thorough assessment to evaluate your security controls and identify your system’s vulnerabilities. Your IT department can conduct this assessment, or it can hire an outside expert to do it for you. “If you don’t know where your risks are, there’s really no way to move forward,” says DiMaggio. “Regular assessments are also required by HIPAA regulations.”
  • Plan: Create a security plan outlining how you will manage your risk. “Don’t do a risk analysis and put it on the shelf,” says DiMaggio. “Instead, build an action plan, prioritize it, and manage it.”
  • Repeat: “There are so many things that change out there,” says DiMaggio. “Your organization might go into the hospice business, acquire another location, or implement a new system. Maybe there is a new system out there to protect information. There could be new risks. So, you have to stay with it, constantly assessing and planning and fixing.”
  • Involve: “Some managers assume their IT guy has this covered,” says DiMaggio. “But cybersecurity is not an IT problem. It’s a risk management problem for the whole organization.” That’s why it’s so important to involve and educate your executive team, board of directors, and every department—from IT to HR—as you design and implement your cybersecurity strategy, says DiMaggio. He also advises checking in with your IT vendors, especially if they host your electronic records. “The security of their network will affect the security of your network,” says DiMaggio.
  • Insure: Purchasing cybersecurity insurance is a good risk management strategy, but be sure you understand the limitations of your policy, which may not cover all breach-related expenses. Your policy’s cost and coverage exclusions will often depend on several factors, including whether your insurance company believes you’re doing enough to prevent a cyberattack. “Insurance is not a substitute for prevention,” says DiMaggio. “It’s not a good strategy to say, ‘I am going to use insurance to solve my cybersecurity problem.’”

Take a Deeper Dive

For more in-depth information about cybersecurity, check out CAST’s Cybersecurity White Paper and Benchmarking Questionnaire, which are designed to help LeadingAge members and other aging services organizations understand what cybersecurity threats are, how to mitigate risks, and how to respond if attacked. The Benchmarking Questionnaire will help providers understand where their organizations may be at risk, so they can use best practices to plug those vulnerabilities.

In addition, check out “You Can Fight Back Against Cybercriminals,” the second article in this cybersecurity series.