Make Accreditation Part of Your IT Risk Management Strategy

You never know when an accidental loss of a device, a phishing attack, a data breach or a cyber or ransomware attack will impact your operations.

There were several large-scale healthcare data breaches in 2016, approximately 250 reported cases affected more than 500 individuals this year. Are you prepared to prevent one at your organization? Admittedly, 2016 has been a moderate year for healthcare data breaches and ransomware attacks—unless your company has been hit. The comprehensive total cost of a data breach averages $3.8 million, a 23% increase between 2013 and 2015, so the potential cost of a breach is quite high.

Breaches rose sharply in the third quarter of 2016, increasing by 55% over the half-year average, so even if you think you’re protected, the cyber attackers aren’t going anywhere anytime soon.

Developing an IT risk management strategy as part of a business continuity plan is the bare minimum that health plans can undertake to protect themselves. To increase protection, a company’s risk management plan should be comprehensive, dynamic enough to adapt to changing regulations and conditions, and readily embraced and supported across the organization.

Increasingly, however, underwriters are looking to independent, third-party accreditation as a requisite to issuing cyber security policies. Third-party audits are also a common way that breaches are discovered, allowing fixes to be deployed more quickly.

Health records are highly valued on the black market

During the first 10 months of 2016, breaches totaling more than 14 million individual health records were reported to the HHS Office of Civil Rights, keepers of the so-called “Wall of Shame” where breaches of more than 500 records must be reported. Out of those, 33 breaches totaling more than 320,000 records can be attributed to health plans. Those numbers pale in comparison to 2015, when Anthem, Premera and Excellus were hit with breaches that totaled 99 million records.

Although gauging the value of a healthcare record on the black market can be a moving target, it’s currently worth about $355 per record, twice as valuable as education records, the second-most valuable. At those prices, total reported breaches are valued at $5 billion, with health plan breaches worth $114 million of that total.

Ransomware attacks are on the increase

In the first three months of 2016, victims of ransomware attacks paid $209 million to free their data. That figure is eight times more than what was paid to data pirates during the previous year, according to the FBI.

And new threats keep popping up. One of the latest is called “CryPy,” which is allegedly able to encrypt each file on a system that’s infiltrated with a unique key. If that’s not sufficiently scary, the ransomware begins deleting files after just six hours, mirroring the short time window of more recent attacks.

Each link is a potential vulnerability

The value of an IT risk management plan becomes clear when health plan technology executives consider the potential negative consequences of an incident, breach or attack. The issue comes into sharper focus when they consider how many IT systems are deployed across the enterprise, how many APIs connect those systems, how many mobile apps are in use, and many more connections. That’s not to mention the connections among your systems and those of your partners—providers, billers, coding analysts, revenue cycle specialists, etc.—where you exchange data. One successful phishing expedition, one easily guess password or one unencrypted mobile device could bring the organization to a halt.

A recent report on app security showed that 84% of apps approved by the FDA failed to address at least two of the Open Web Application Security Project’s (OWASP) top 10 mobile risks. What’s more, nearly all lacked binary protection, which leaves the app vulnerable to unauthorized access, data theft and fraud, not the mention to the potential loss of intellectual property, revenue and reputation for allowing the breach to occur.

It matters who your partners are

In an increasingly interconnected healthcare environment, it’s not just the security of your systems that should concern you. The security and IT risk management protocols of your business associates and other partners can impact your operations.

Although your employees remain the top source of breaches, according to a recent PwC global security reports, nearly one-quarter of incidents can be traced to partner companies. That’s why many US healthcare payers have instituted strong certifications or attestations for their key vendors.

Outsiders find most breaches

Despite increased corporate spending on IT security, 80% of all breaches are discovered by outside groups or through audits, a figure that has been holding steady, according to McAfee. However, threat discovery by internal corporate security teams has been trending downward for a decade and currently stands at 10%. It’s no wonder that health plans increasingly are requiring third-party accreditation for its business partners.

More insurers that offer cyber security policies are requiring independent security audits as a prerequisite for coverage. Companies can do much of the necessary work internally, but a third-party review offers an extra level of independent scrutiny for risk management plans and procedures. Depending on the vendor you choose, the review also can be aligned with key industry performance metrics and industry/government bodies. For example, the Electronic Healthcare Network Accreditation Commission’s (ENHAC) 18 accreditation programs all meet protocols from the Office of Civil Rights.

What to do when an incident occurs

By having a plan, you will know what to do should an incident occur. Responding to the immediate threat is crucial, of course, but many companies ignore the logical next step—finding out how the incident occurred.

Failure to take this step can leave you vulnerable for similar attacks in the future. Perform a root cause analysis quickly and take the necessary steps to plug any security leaks that are uncovered.

The strongest IT risk management plan ever devised isn’t an absolute guarantee against a determined hacker or an inattentive employee. But an independent accreditation as part of a comprehensive risk management strategy can go a long way toward giving health plan executives peace of mind that a risk of a breach or attack has been reduced.