The proverbial question, “What keeps you up at night?” takes on new meaning when it comes to cybersecurity.
While developments in technology provide new opportunities for productivity and efficiency that would have been difficult to imagine even a few years ago, they also open new avenues for hackers to access computer systems and improperly obtain businesses’ data.
The first three months of 2018 have seen 77 healthcare data breaches reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). Those breaches have impacted more than 1 million patients and health plan members.
“It’s surprising that management can sleep at all,” says Karen Painter Randall of the Connell Foley law firm. “A data breach can be devastating for any enterprise. Consequences may include not only the loss of sensitive personal identity and health information, and corporate trade secrets, but also the legal, regulatory, operational, and reputation damages that follow.
“Small businesses that fall prey to a cyberattack usually go out of business within six months,” remarked Randall.
Randall, a member of the ABA’s Cybersecurity Legal Task Force, will be one of the panelists at NJBIA’s Internet of Things cybersecurity summit on Friday. Recently, she shared information on three threats that small and medium-sized businesses in particular should be wary of.
- Social engineering.
Hackers have figured out that it’s easier to target people than it is sophisticated security systems. Instead of trying to figure out how to break in to a business’s database, they instead try to get one of the company’s employees to give them access.
“Ninety-one percent of targeted cyberattacks begin with a phishing email and 43 percent are successful due to human error,” Randall said.
Spear phishing emails look like they come from a co-worker, client or vendor and trick an employee into giving them access by, for example, asking the recipient to click on a link to verify information. The link either infects the system with malware such as ransomwareallowing hackers to encrypt or lock down data, or lets them spy on your computer usage to steal passwords and other sensitive information.
“People are still unknowingly clicking on suspicious links without thinking, and putting their organization at risk,” Randall said.
Security awareness training is the only way to combat such attacks, but don’t think you can just do it once and be covered.
“A lot of businesses forget to repeat the security awareness training during the year,” Randall said. “They think that offering security awareness training once is sufficient. Cybersecurity is a process not a project. It is crucial to conduct security awareness training at least twice a year and then to test the people via pen testing to make sure they are actually following through on what they were taught.
“Accountability is also the key to success in changing bad and risky behavior,” she said
- Third-party vendor management
In 2013, the Target store chain had a suffered one of the largest data security breaches in history with the loss of millions of customers’ personally identifiable information. But the hackers didn’t focus on Target; they hacked Target’s system thru a relatively small HVAC subcontractor company that had user access privileges.
“Third-party vendor management is extremely important,” Randall warned. “Enterprises today are using different business partners, and there’s a growing use of external service providers. While this is good, it also presents new and difficult challenges for organizations.”
Knowing whom you’re trusting with your data is critical, and something that’s easily overlooked. Thus, it is important to conduct due diligence of the third party vendor’s security protocol and negotiate contracts to ensure that you are protected not only from a breach within your organization, but one caused by a third-party handling your clients’ and/or employees’ personally identifiable information.
“This includes analyzing agreements for indemnity clauses, limitations on liability, insurance requirements, and, overall, guidance on which party will be expected to pay response costs in the event of breach,” said Randall.
In fact, some companies have started using information security questionnaires to vet the third party vendors that they do business with.
In short, if there is a breach, you want to be able to transfer the cost of a response to the third-party vendor if they’re the ones responsible.
- GDPR and Healthcare Breach Fines and penalties
Which brings up threat No. 3: Last month the European Union’s General Data Protection Regulations went into effect, and they bring some hefty penalties with them: 4 percent of the company’s annual global turnover or $23 million, whichever is greater—a figure which for some could mean even billions of dollars.
But American companies should not have to worry about it because it just applies to Europe. Right?
No! GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. Thus, with the use of cloud computing and external service providers it extremely important to know where your data is being stored.
“When negotiating with a cloud service provider, make sure your data is collected and stored in U.S. Data Centers,” Randall said.
There is an increasing amount of healthcare data being stored and accessed, via the “Internet of Things.”
“The global healthcare sector will pour approximately $410 billion into the Internet of Things devices by 2022,” Randall said.
The cost of a healthcare data breach is enormous. On average, a company can expect to pay $610,000 just for the forensics to determine what happened, $560,000 to notify those affected, $880,000 for the cost of lawsuits, and a $1.1 million in remediation costs. The bottom line, a company who has allowed the unauthorized access to protected health information could lose an average of $3.7 million in revenue.
“With the use of internet of things devices comes improved treatment and outcomes, improved management of drugs and diseases and enhanced experience by patients, but you do have risks to address too,” said Randall.