The HITECH Act requires covered entities to report breaches of unsecured protected health information affecting 500 or more individuals to the U.S. Health and Human Services Office for Civil Rights. 

This includes health plans, group plans and employee benefit plans subject to HIPAA, including self-insured group health, dental, vision, pharmacy benefits, healthcare reimbursement spending accounts, employee assistance programs, health reimbursement arrangements and long-term care plans.

By September, the civil rights office had more than 400 such cases under investigation, with more than 200 reported thus far in 2018. The office lists the types of breaches as hacking/IT incident, unauthorized access/disclosure, theft, loss and improper disclosure. The location of the breached electronic data includes email, network server, desktop computer, electronic medical record, laptop and other portable electronic devices.

Cyber criminals go after the gold. Electronic medical records can contain a vast amount of personal information, including address, phone, email, Social Security number, birth date, banking information, medical visits and diagnoses. Healthcare and employee benefits data, especially electronic health record data, are much more valuable on the black market than credit card numbers. That’s because the data usually contain static information and can be used in fraudulent operations longer than credit card numbers that are invalidated shortly after a breach.

Although the value of breached data can vary widely, in 2017 Forbes claimed Social Security numbers are worth 10 cents and credit card numbers are worth 25 cents, while electronic medical records can bring hundreds or thousands of dollars when sold to cyber criminals. The Forbes article noted that, in 2016, 65% of the 450 breaches of health data that year were not caused by external hackers but by insider actions.

In early September, Marsh & McLennan published a report on cyber risks in the healthcare industry that indicated healthcare was one of the most vulnerable industries for high-profile cyber attacks. The report noted that healthcare “is the only industry that has more internal threat actors behind data breaches than external.”

Even if a hacker has not broken into a system or an insider has not committed an action to disclose personal data, malware attacks can cause equivalent or greater damage. Malware today is sophisticated and can change internal system settings, turn off anti-virus software, allow remote access and export data. These attacks can also trigger breach notification laws, increasing reputational risk. In 2016, Deven McGraw, then the privacy chief at the Office for Civil Rights, noted, “If the breach definition is met, which in many times in a ransomware attack it would be, then the presumption is to notify.”

Cylance’s 2017 Threat Report noted healthcare was the most impacted industry sector by ransomware in both 2016 (34%) and 2017 (58%). It’s vital to note that, although the healthcare industry is in the bullseye, so are all organizations that store and process employee benefit data. Even though some benefit data may not be protected under HIPAA, the data held in an organization’s benefit program can contain a lot of personally identifiable information about employees and their dependents, a rich repository for cyber criminals.

Data Protection

Companies are struggling to keep pace with an increasingly sophisticated threat environment, and gaps in the maturity of their cyber-security programs are easily exploited. The Cylance Threat Report declared that, “many of the attacks we saw in 2017 were initiated by exploiting vulnerabilities that were reported more than nine months before the attack was detected and blocked.”

A steep increase in the sheer amount of malware identified is also a factor. This includes polymorphic malware, which constantly changes its identifiable features to enable it to avoid detection, and single-use malware, which is custom-built for one-time use against a specific organization. In his security blog GData, Ralf Benzmüller noted an average of 959 new malware specimens per hour in 2017, a 63-fold increase since 2007. It is difficult for any organization to hold the line against such an army of malware.

So what can companies do to protect their benefit data from being compromised? The best defense is a strong security program that has integrated controls for privacy compliance requirements. This includes having a data inventory, assigned data ownership, restrictions on access, system monitoring, and policies and procedures for handling, storing, and sharing personally identifiable information, protected health information and benefit data.

Additionally, it is very important to remember that privacy compliance requirements remain a responsibility of the organization that owns them. “The organization is ultimately responsible for its compliance requirements, even if it involves outsourcing the administration of its health benefits plan,” says Philip Gordon, head of Littler Mendelson’s privacy practice. “In the contracting process, the company needs to be sure it is protecting itself in the event the provider has a breach.”

Organizations also have to remember that U.S. privacy laws are fluid. The expansion of privacy laws in several states, including Arizona, Colorado and Oregon, sweeps in some personal data that was not previously within the scope of the law. Under Colorado’s new privacy law, effective Sept. 1, Colorado’s definition of “covered entity” is so broad that it effectively covers every business “that maintains, owns or licenses personal identifying information in the course of the person’s business, vocation, or occupation.”

As Gordon notes, “Employee benefit data outside the scope of HIPAA may qualify as protected data under many of these new laws.”

A company should also ensure that proper cyber governance is in place at the board and executive levels. The Marsh report indicated that 83% of healthcare respondents relegated responsibility for cyber risk management to the IT department. Across industry sectors, only 70% assign cyber risk management to IT, which indicates the sector with the highest risk—healthcare—has the poorest cyber governance practices.

A key component of cyber risk management involves purchasing adequate cyber insurance to transfer risks associated with an attack. Less than half of Marsh healthcare respondents indicated they have cyber insurance coverage, while the industry average is only 34% (by contrast, 52% of the financial industry reports having cyber insurance).

All too often, the risks associated with benefit data are not adequately factored into cyber risk management. Agents and brokers should work with their clients to evaluate the benefit data they have and conduct risk assessments to determine their loss exposure and the types of cyber coverage that will best protect them.

Westby is CEO of Global Cyber Risk. westby@globalcyberrisk.com