Organizations with significant amounts of personal data, like skilled nursing and other long term and post-acute care (LT/PAC) centers, are appealing targets for cyber-criminals. This puts them at risk for actual damages, government fines, and private legal actions. It also puts them at risk for damage to their reputations. Who wants to admit themselves or a loved one into a center that has proven to not keep its patients’ health or personal information safe?

The good news is that there are steps that even the smallest community can take to help mitigate cyber risks and better weather the fallout.

Assessing Cyber Risk

Reputable risk management advisors will say the first thing a provider should do is assess its risk. Don’t let scare tactics alone dictate the center’s course of action. Investing time and resources into understanding how at-risk the organization is can save dollars later by focusing other resources into those areas in which the center is most exposed or likely to incur the most damage.

This is an area where engaging a professional will likely yield the best results. There are numerous professionals who offer penetration testing and overall information technology (IT) security analysis. It is best to go beyond IT issues, though, because data risk is not limited to the IT department: It is also a cultural and people issue.

If an employee opens a phishing email or falls victim to a spear-phishing scam, IT won’t be aware of it until it’s too late. The center’s risk level will include how aware its teams are of the potential dangers and their ability to identify potentially harmful activity.

Not only does a center need to understand what data it has (this can be in electronic or paper form), but also all the possible ways that data are and could be accessed.

A trained professional can help analyze a center’s IT security. Are password updates required regularly? Do employees use two-step verification processes when logging into IT systems? How difficult is it to hack the center’s systems?

Noncompliance Costly

Another significant risk to assess is the possibility of noncompliance fines from state and federal agencies.
According to an article posted July 5, 2016, in Healthcare IT News, after a Philadelphia nursing center operator paid a fine of $650,000 to the U.S. government, the Health and Human Services Department’s Office of Civil Rights (OCR), which investigates Health Insurance Portability and Accountability Act (HIPAA) violations, cited the operator’s lack of required risk analysis and risk management plan.

Preparing for an Attack

Few, if any, LT/PAC facilities would consider operating without an evacuation plan. Yet, many operate without a post-data breach plan, which helps the community be prepared if and, more likely, when a cyber-attack occurs. The post-data breach plan—a critical component of the center’s risk management plan—is designed to ensure the company makes it through the incident, especially given that the average cost of a breach within the health care industry is $12.47 million, according to a 2017 report titled, “The Cost of Cyber Crime Study” conducted by Ponemon Institute and jointly developed by Accenture.

Insurance, specifically cyber liability insurance, is often considered to be the solution. However, there is a lot to understand about insurance coverage, limits, and other options to ensure that it will provide the protection the center wants and needs. Second, there are a lot of things that basic insurance policies won’t cover that should be included in any recovery plan.

Choosing the Right Insurance

Following the risk assessment, there will be a more detailed understanding of the actual and specific risks the center faces, but it doesn’t stop there. Most LT/PAC organizations should consider at least three areas of coverage. They need to make sure their cyber insurance program provides coverage for losses related to 1.) HIPAA data; 2.) spear-phishing—the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information; and 3.) the associated business interruption that is likely to result following a data breach.

It is important to work with an insurance broker or agent experienced in not only the LT/PAC industry, but also this unique type of coverage. They can help staff understand and find products with the appropriate limits, deductibles, and coverage. This is a relatively new set of insurance products, with new providers, new customers, and new risk coming into play all the time.

Insurance carriers are becoming more sophisticated with their risk assessments and premium pricing, while new competition and new customers are keeping prices in check (for now, at least). It’s typically recommended that a center’s cyber insurance program be evaluated annually.

The best cyber data insurance program is really a data breach recovery program with the financial backing to help make the center whole again. Not all policies are created equally, and it’s important to identify the best policy that provides the right options to protect the organization.

Safeguarding the Future

Part of preparing for an attack should also be minimizing its likelihood of occurring. Besides having a solid insurance program in place, there are other measures that can help.

A nonexhaustive list of low- and no-cost options to consider include ongoing employee awareness training; implementing enhanced password protection protocols; locking up computers; eliminating old, nonrequired records (paper and electronic); limiting employees’ access to data; verifying all information/data requests keeping software up to date; and maintaining security on all mobile devices.

After an Incident

In the event of a cyber or data incident, it’s critical that a center act quickly and decisively. Without a plan in place, this becomes extremely difficult.

Given that resources are often scarce, having a fully developed plan is unlikely, but, fortunately, many cyber liability insurance policies essentially contain a disaster plan and road map for what to do immediately following an incident in addition to the financial backing to remunerate and help make the center whole again.

Better policies will provide a “cyber coach” who, in the event of an incident, will share additional resources (typically provided for no additional cost) to help manage the situation. Following an event, the response is to call this coach to help navigate and access a variety of professional and expert resources to mitigate and contain the damages. These resources typically include a public relations firm to help protect the center’s reputation; a breach notification firm to help ensure compliance with each state’s unique set of requirements for notifying those affected; an IT forensic expert to identify the source of the breach, understand what data have been compromised, how it happened, and stop it from occurring again; and a cyber law attorney to help with any legal matters, whether civil, regulatory, or criminal.

David Hosack
The cyber and data breach experts referenced above can help a center arrive at the correct level of transparency that will keep it compliant, minimize additional damages, and mitigate any reputational damage that can result following an event.
David Hosack is an insurance and risk management professional with Marsh & McLennan Agency and specializes in helping long term care and other health care organizations.