
Make Accreditation Part of Your IT Risk Management Strategy
As healthcare continues to see high-profile data breaches, underwriters are looking for third-party accreditation before issuing cyber-security policies.
You never know when an accidental loss of a device, a phishing attack, a data breach or a cyber or ransomware attack will impact your operations.
There were several large-scale healthcare data breaches in 2016; approximately 250 reported cases affected more than 500 individuals this year. Are you prepared to prevent one at your organization? Admittedly, 2016 has been a moderate year for healthcare data breaches and ransomware attacks—unless your company has been hit. The comprehensive total cost of a data breach averages $3.8 million, a
Developing an IT risk management strategy as part of a business continuity plan is the bare minimum that health plans can undertake to protect themselves. To increase protection, a company’s risk management plan should be comprehensive, dynamic enough to adapt to changing regulations and conditions, and readily embraced and supported across the organization.
Increasingly, however, underwriters are looking to independent, third-party accreditation as a requisite to issuing cyber security policies. Third-party audits are also a common way that breaches are discovered, allowing fixes to be deployed more quickly.
Health records are highly valued on the black market
During the first 10 months of 2016, breaches totaling more than 14 million individual health records were reported to the HHS Office of Civil Rights, keepers of the so-called “Wall of Shame” where breaches of more than 500 records must be reported. Out of those, 33 breaches totaling more than 320,000 records can be attributed to health plans. Those numbers pale in comparison to 2015, when Anthem, Premera and Excellus were hit with breaches that totaled 99 million records.
Although gauging the value of a healthcare record on the black market can be a moving target, it’s currently worth about
Ransomware attacks are on the increase
In the first three months of 2016, victims of ransomware attacks paid $209 million to free their data. That figure is eight times more than what was paid to
And new threats keep popping up. One of the latest is called “CryPy,” which is allegedly able to encrypt each file on a system that’s infiltrated with a
Each link is a potential vulnerability
The value of an IT risk management plan becomes clear when health plan technology executives consider the potential negative consequences of an incident, breach or attack. The issue comes into sharper focus when they consider how many IT systems are deployed across the enterprise, how many APIs connect those systems, how many mobile apps are in use, and how many more connections exist. That’s not to mention the connections between your systems and those of your partners—providers, billers, coding analysts, revenue cycle specialists, etc.—where you exchange data. One successful phishing expedition, one easily guessed password or one unencrypted mobile device could bring the organization to a halt.
A recent report on app security showed that 84% of apps approved by the FDA
It matters who your partners are
In an increasingly interconnected healthcare environment, it’s not just the security of your systems that should concern you. The security and IT risk management protocols of your business associates and other partners can impact your operations.
Although your employees remain the top source of breaches, according to a recent PwC global security report, nearly one-quarter of incidents can be traced to
Outsiders find most breaches
Despite increased corporate spending on IT security, 80% of all breaches are discovered by
More insurers that offer cyber security policies are requiring independent security audits as a prerequisite for coverage. Companies can do much of the necessary work internally, but a third-party review offers an extra level of independent scrutiny for risk management plans and procedures. Depending on the vendor you choose, the review can also be aligned with key industry performance metrics and industry/government bodies. For example, the Electronic Healthcare Network Accreditation Commission’s (EHNAC) 18 accreditation programs all meet protocols from the Office of Civil Rights.
What to do when an incident occurs
By having a plan, you will know what to do should an incident occur. Responding to the immediate threat is crucial, of course, but many companies ignore the logical next step—finding out how the incident occurred.
Failure to take this step can leave you vulnerable to similar attacks in the future. Perform a root cause analysis quickly and take the necessary steps to plug any security leaks that are uncovered.
The strongest IT risk management plan ever devised isn’t an absolute guarantee against a determined hacker or an inattentive employee. But an independent accreditation as part of a comprehensive risk management strategy can go a long way toward giving health plan executives peace of mind that a risk of a breach or attack has been reduced.