
Beazley Breach Response Share Insights into Healthcare Cyber Risks

by Editorial Team
November 28, 2017
in Cybersecurity

With the rise of major data breaches like WannaCry impacting healthcare organizations across the world, it begs the question: What do malicious actors have to gain from compromising healthcare networks and data?

To get the answer to that question, Insurance Technology Insider (ITI) sat down with two cyber insurance and cyber risk experts, Brett Anderson, a Breach Response Services Manager, and Frank Quinn, a Breach Response Risk Manager, both at Beazley Breach Response, the cyber insurance division of the specialty insurer with three decades of experience working with clients worldwide.

The company recently released their “US Healthcare Data Breach Insights Report,” which detailed the risks facing American healthcare companies and broke down the kinds of attacks that healthcare companies are facing. A complimentary copy of that report can be downloaded by clicking HERE.

During ITI’s discussion with Brett and Frank, they talked about the report’s findings, why malicious actors attack healthcare companies, what those companies can do to protect themselves, and whether healthcare companies are doing enough to protect themselves against breaches, including by purchasing cyber insurance.

Here is what they had to say:

Insurance Tech Insider (ITI): What does the threat landscape look like for healthcare organizations? Who would want to compromise healthcare data and why?

 

Frank Quinn is a Risk Manager at Beazley Breach Response, where he helps develop risk-management initiatives to help the company’s customers minimize the frequency and severity of data breaches.

Frank Quinn: The threat landscape is active and full of challenges for healthcare organizations. A typical patient medical record contains not only sensitive personally identifiable information such as Social Security numbers and medical account numbers but also information about physical and mental health conditions, treatments, and prescriptions.

These elements taken together constitute protected health information (PHI), which is very attractive to criminals. PHI is valuable; theft of PHI has led to identity theft and insurance fraud, and also to extortion demands where healthcare organizations face the threat of external disclosure of PHI.

ITI: How do healthcare organizations rank in terms of priority among malicious actors? Obviously financial services and retail are among the top targets for data thieves…but how do healthcare organizations compare? 

Frank Quinn: Healthcare is often targeted due to the robust nature of PHI and the volume of data maintained by healthcare organizations.  Medical records generally trade on the black market at rates higher than credit card numbers, for example. Of the over 7,000 data incidents managed by Beazley’s Breach Response (BBR) Services team, the vast majority come from the healthcare sector.

ITI: Your report found that unintended disclosure accounted for the largest percentage of healthcare data breach incidents. What does “unintended disclosure” entail and include? Why is it harmful to the company and its patients?

Frank Quinn: Unintended disclosure refers to disclosure of PHI to the wrong recipient. Most often, unintended disclosure involves carelessness, whether it’s an email containing PHI sent to the wrong recipient, discharge instructions given to the wrong patient, or patient records transmitted or faxed to the wrong destination.

The federal Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations to investigate unintended disclosures to determine if there is a HIPAA breach and – if so – to notify affected individuals, which can have operational and reputational costs. Because the healthcare organization must also report breaches to the U.S. Department of Health and Human Services Office for Civil Rights (OCR) – the agency that enforces HIPAA – unintended disclosures may open the door to an expensive investigation of the organization’s overall HIPAA compliance program.

ITI: How can healthcare organizations fight against unintended disclosure? What processes and technologies can they look at to eliminate the threat of unintended disclosure?

Frank Quinn: The number one control involves workforce training regarding how employees and staff must protect PHI. Organizations should train employees to verify patient identities by confirming at least two pieces of information, such as full name and date of birth or insurance number. Before sending any PHI electronically, employees should double-check the email address or fax number to confirm they’re sending it to the right recipient. Employees should include only the minimum PHI necessary for the communication.

Technologies such as encrypted email, patient portals, and data loss prevention software can also assist, if they’re configured properly and employees are trained how to use them. We live in a world where technology allows us to immediately communicate and we have to train staff to slow down and take their time, given the potentially drastic consequences of mishandling this data.

ITI: What kinds of breach incidents comprised the other 59 percent of breach incidents reported?

Brett Anderson is a Privacy Breach Response Services Manager with Beazley’s Breach Response Services unit, where he supports the company’s clients with data breach investigations, and assists with privacy and security risk management and loss control.

Brett Anderson: Insider incidents – such as an employee intentionally looking at the patient record of a family member or local celebrity without authorization – made up another 15 percent, meaning that more than half of incidents are caused by employee behavior.

Organizations can reduce risks through training, creating a culture that takes reporting and investigation seriously, and auditing access to electronic medical records. External causes of breaches include hacking or malware, theft or loss of portable devices or of paper records, and social engineering.

ITI: In your opinion, are healthcare companies doing enough to combat and mitigate their risk of data breach?

Brett Anderson: Healthcare organizations are hit from all sides in terms of regulations that require operational changes, so it is no surprise that healthcare organizations are challenged and playing catch-up regarding privacy and security best practices.

Healthcare, in general, seems to have moved forward in terms of awareness but we still hear too many CISOs not able to get the budget they need to hire skilled information security staff or even to implement basic security controls such as full-disk or full-device encryption.  In fact, today having multi-factor authentication is becoming a best practice, and most healthcare organizations will be in catch-up mode on this.

ITI: Just based on your own experience, what percentage of healthcare organizations would you say have implemented a cyber security or data breach insurance policy? Is this in line with other markets and industries? Do you anticipate that number increasing in the near future?

Brett Anderson: In general, only about one-third of businesses have purchased a cyber liability policy but healthcare is slightly higher.  We do expect a large increase of buyers in the next 3-5 years.

ITI: What services is Beazley offering healthcare and other companies against cyber risks and data breaches?

Brett Anderson: Beazley has been underwriting cyber insurance to the healthcare sector and other sectors for almost two decades. Our Beazley Breach Response (BBR) product provides turn-key incident investigation and breach response services managed by our BBR Services team.

Through our interaction with thousands of the nation’s healthcare organizations, we know that many organizations need help before an incident arises, that is, help to prevent a breach.  Our services portfolio contains, in addition to our breach response services, many pre-breach and post-breach risk management services and resources available to our policyholders. Beazley offers an array of proactive technical services pre-incident, a comprehensive breach response service during the cyber incident, and an advisory service after a breach to shore up security.

ITI: How do these services benefit customers both before and after they fall victim to a breach?

Brett Anderson: Beazley recognizes that preparing for and preventing breaches have become inseparable from insuring against data breaches. With the increasing need for pre-breach and cyber security services, Beazley established Lodestone Security LLC, a wholly owned subsidiary of Beazley plc, to offer both strategic and tactical services and expertise so that small and mid-sized organizations can enhance their cyber defenses before an incident occurs.

On our risk management information portal, BeazleyBreachSolutions.com, insureds benefit from resources to create and test their incident response plan, develop policies, and train their employees.

We also provide live webinars and other educational materials on emerging cyber threats, information security controls, and regulatory developments. And if an insured does experience a suspected data breach, our BBR Services team assists with the legal, forensic, and other services needed to investigate the incident, notify affected individuals if necessary, and resolve any regulatory inquiries or litigation.

To learn more about the cyber risks facing healthcare companies, click HERE to download Beazley’s “US Healthcare Data Breach Insights Report.” To learn more about the company’s cyber insurance solutions click HERE to go to their corporate Website.
