HACKED: Health Care Held Hostage - Arming Your Business to Defend Against Cyberattacks – Part 1

Posted on in Process Improvements, Cybersecurity

Note: This is the first of a two-part series about the current state of affairs in cybersecurity, how to determine levels of risk to your company and patient data, and best practices to help protect your business from hackers.     

By Jeremy Kauten, CIO and Sr. VP of IT, VGM Group, Inc.

The health care industry has become one of the top, if not THE top, targets for hackers. Health care data is rich with information hackers can exploit to make money. Health care records typically contain very sensitive information including patient name, current address, SSN, DOB, insurance/Medicare ID, cell phone number and credit card or checking account number. Each of those personal data points is valuable on the cyber black market and, aggregated, they are even more valuable.

The costs of a breach are skyrocketing across all industries, and breach-related fines from the government are greater than expected. Fines for data breaches have ranged from $500 to $2,500 (estimated) per record, depending on the government agencies involved, fees, and patient notification expenses. One health care provider lost 412 patient records and paid $650,000 in fines alone. In fact, insurance experts estimate that 60 percent of small businesses will go out of business within a year of having a major data breach.

Nearly Half of Company Data Loss Caused by Employees

Businesses in the health care industry are typically some of the larger employers in the community. Training a staff with a wide range of technological experience is challenging, but it should be a priority.

According to McAfee, 43 percent of all company data loss or breaches are caused by employees. How many of your employees have access to email? Opening something as routine as an email attachment can expose your network to hackers.        

Protect Your Business From Hackers

Hackers work full time, searching for ways to penetrate a business’s infrastructure to capture company and patient data. They will do anything they can to gain financially from an IT oversight.

Don’t risk it all. Arm yourself with these tools and practices to protect your business from online threats.

  • Invest time and resources into developing and regularly updating IT policies. Technology changes in the blink of an eye, and your policies should reflect those changes.
  • Hire third-party security experts to expose known threats through penetration testing.
  • Train your staff to be your strongest line of defense against hackers.
  • Purchase cyber liability insurance to cover your liability for a data breach.

Current Environment of Cyber Threats

While data breaches at large businesses such as Target, Anthem, Yahoo, and major health systems often make the headlines, the majority of data breaches affect small businesses throughout the U.S. Typically, small businesses do not have the resources to organize and fund a sophisticated IT security program. Hackers know this, which gives them an advantage when targeting a business to attack.

Over the years, hackers have become more business savvy. They operate as a stand-alone hacking entity or under a legitimate business as a front. Some even offer their employees full benefit packages.

One of the latest forms of cyberattacks is known as ransomware. This attack involves hackers encrypting data (meaning it is locked) and then requesting a ransom payment to unlock the files/data. According to the FBI, ransomware payments alone exceeded $1 billion in 2016. Ransomware hackers often offer 24/7 tech support to help their victims get up and running again. They don’t want to “tarnish their industry” by not delivering once the ransom has been paid. 

HIPAA and Protecting Your Brand

In the event of a security breach, health care providers can expect an added expense to comply with HIPAA Privacy Rules (45 CFR 160-164) and HITECH (Health Information Technology for Economic and Clinical Health) standards. Note: The HITECH Act requires data breach notification for disclosures of unsecured PHI (protected health information) within 60 days of enactment.

In addition to fines, there are tangible and intangible expenses attached to alerting patients and the media of the breach.

One major expense that is not often considered is brand reputation. Imagine trying to get referrals from an insurance company or health system when it is public information that a provider’s system had been compromised. The negative effect on brand reputation alone and associated lost revenue is likely the most damaging to a business.

Next Week in Part 2

In next week’s Connect, we'll identify your greatest cyber risk and provide best practices to protect your business from cyberattacks.

About the Author

Jeremy Kauten serves as chief information officer and senior vice president of Information Technology for VGM Group, Inc. His responsibilities include leading VGM’s corporate Information Technologies department, coordinating optimization of technology, strategizing on how to accelerate success across VGM’s 28 business units, and spearheading the technology message to share with the membership groups.

Jeremy’s energy, leadership, and ability to bring people together augment the development of systems and technology across VGM. He has developed and implemented thorough internal and external training programs to educate management, staff, and customers alike to ensure company and customer data remain secure and protected from hackers and other online threats. Jeremy has presented at various health care tradeshows and state association meetings throughout the U.S.  

Contact Information

Jeremy Kauten
CIO and Sr. VP of IT, VGM Group, Inc.
1111 West San Marnan Drive
Waterloo, Iowa 50701