Cybersecurity: What is it and What to do about it
INTRODUCTION
This is a joint health alert with Fortium Partners[1]. Fortium is engaged in assisting companies to solve cybersecurity and other business challenges. They are a national company with partners in many cities in the United States. Many of these partners are former CIOs.
ISSUES
In the wake of major attacks on universities, hospitals and businesses, the risk of ransomware, phishing, and other cyberattacks has never been greater. In fact, cybercrime is big business. American companies lose approximately $250 billion a year to intellectual property theft and $114 billion directly to cybercrime. In describing the costs, the National Security Agency (NSA) has declared this to be the greatest transfer of wealth in history. Healthcare organizations can be particular targets for such attacks: they are a source of financial and personal information, and because they are subject to strict privacy and security regulations, the costs of addressing those attacks and the potential penalties are significant. For breaches of health care records, the cost per compromised record is higher than in other businesses, at $398 per record.
The prevalence of these attacks is beyond question. One in two U.S. companies has reported being a victim of a cyberattack. 62% of cyberattack victims are small to mid-size businesses, and 34,529 known attack instances occur every day. Simply being connected to the internet makes a company a target of cybercriminals.
Remaining current and understanding trends is critical to minimize risk. Top cybersecurity trends include:
Ransomware
Ransomware works by locking your computer or servers and preventing you from accessing them until you pay a ransom. This spring, a new strain of crypto-ransomware was designed with the goal of attacking targets in the healthcare industry. Hollywood Presbyterian; Methodist Hospital of Henderson, Kentucky; and MedStar's Union Memorial Hospital have all been hit with malware that shuts down critical systems and drives.
Attacks on Third Party and Cloud Based Services
As organizations outsource data hosting and more services reside in the cloud, it is easier to lose the ability to maintain control over the protection of data. Massachusetts General Hospital recently notified over 4,300 dental patients that their personal identifying information may have been accessed after an unauthorized individual accessed the systems of a third-party software vendor.
Phishing Attacks
Phishing attacks vary from the traditional "Nigerian Prince" email to the current CEO fraud schemes. The newest trend involves the cybercriminal taking the time to understand the target organization's structure, relationships and activities before sending targeted phishing emails. Kentucky State University reported an attack from an email posing as members of the university's executive leadership team, resulting in the release of employee W-2 data and personal information. This same scam hit The Grand Ole Opry and plagues many organizations nationwide.
Tackling these increasing threats requires an understanding of the privacy and security landscape that sets the tone for a holistic preventative response.
Some Current Laws, Regulations and Initiatives
- Current regulations include the Cybersecurity Act of 2015. The goal of the legislation was to create a framework for exchanging information regarding cybersecurity threats. Additionally, industry professionals would be able to conduct discussions via a network to better exchange information regarding potential threats.
- The Commission on Enhancing National Cybersecurity was also launched and is supported by the National Institute of Standards and Technology (NIST). The Commission is to make recommendations to enhance cybersecurity awareness and protections throughout the private sector and all levels of government.
- The Office of Civil Rights (OCR) created a crosswalk to help organizations understand the connection between HIPAA Regulations and the NIST Framework.
- On June 27, 2016, Congressmen Hurd and Lieu wrote to the Deputy Director for Health Information Privacy of the OCR regarding cybersecurity breaches, and specifically ransomware cyberattacks. The letter suggests that contacting patients only makes sense where the ransomware attack results in denial of access to medical records and/or loss of functionality necessary to provide medical services. The letter also recommends a requirement that government agencies share cyber response resources. The letter recommends guidelines that aggressively require the reporting of ransomware attacks to HHS and appropriate health care related ISAOs. The letter finally urges OCR to establish clear guidance on data modification from ransomware or malware attacks, including deletion of servers or drives, that constitutes a breach under HITECH.
RECOMMENDED PRACTICES/CONCLUSION
- Train your employees on the risks of cybersecurity.
- Conduct regular reviews of your entire data security approach and strategy.
- Perform a Cybersecurity Risk Assessment that harnesses the NIST framework and reviews insider threats as well as threat vectors from vendors.
- Involve management and the board of directors to address increasing threats.
- Develop a practical, common sense response that balances risk, cost and business reality.
- Size your security solutions to deter.
- Focus on the areas of highest risk and vulnerability.
For any additional questions please contact your Butzel Long attorney, the author of this Alert or any member of Butzel Long’s Health Care Industry Group.
[1] Fortium Partners is not related to Butzel Long and Butzel Long is not endorsing any particular vendor and those interested in the topic of this Health Alert who contact Fortium Partners should conduct their own due diligence.
Robert H. Schwartz
248.258.2611
schwartzrh@butzel.com
Jennifer Dukarski
734.213.3427
dukarski@butzel.com
Mark R. Lezotte
313.225.7058
lezotte@butzel.com