How to reduce cybersecurity risk to employees' health data

Data is becoming a key element in the health care experience. Unfortunately, it's incredibly vulnerable to cyber breaches.

Email has been the most common type of health care data cyber breach for 12 of the past 14 months.

Employee health and insurance information may be the most-guarded data in any organization. Unfortunately, it also may be the most vulnerable to security breaches. In fact, HHS recorded a record 44 data breaches affecting 686,953 people during the month of April alone.

“Health information is a significant concern as it often contains the most sensitive personal data, such as medical records and medical diagnoses,” said Matt Cullina, managing director, global markets, for CyberScout in Providence, R.I. His company provides cyber protection solutions for more than 770,000 businesses worldwide.

“When we consider how often employers share, copy and move their employees’ health insurance data, through benefits enrollment as well as to and from other parties and vendors, it becomes clear how vulnerable this information can be,” he said. “It is the employer’s responsibility to ensure employee data is protected wherever it goes, even when it leaves the company.”

Ari Vared, vice president of CyberPolicy in San Francisco, agrees. “Protected health information (PHI) has been some of the most valuable data on the black market for quite some time,” he said. “That means that any company that keeps health data is at a significant risk. An example of a highly common scam centered on PHI is a bad actor using insurance information to impersonate someone else and racking up health bills under their name.”

The HIPAA Breach Report documents cybersecurity attacks both by number of people affected and the most common types. In April 2019:

It goes without saying that cybersecurity breaches can take a significant economic toll.

“Cyber risks are perpetually evolving, and the consequences of even the smallest of attacks can be devastating, particularly for growing businesses,” Vared said. “In fact, according to research from the Ponemon Institute in 2017, the average cost of a malware-related attack was $1,027,053 for small and mid-sized businesses. On top of the expenses related to damage or theft of IT assets, SMBs reportedly spent another $1,207,965 due to disruption to normal business operations.”

What may be less obvious is the hit to employee morale and productivity. “Anyone who has experienced identity theft can tell you the resolution process can be extremely time consuming and complex,” Cullina said. “Without expert support, employees are left scrambling to find resolutions on their own and with little success. Quite frankly, it can be a traumatic experience. As a result, they lose hours upon hours of the business day attempting to resolve matters. Employee productivity is drastically affected, and they can become very unhappy with their employer.”

Search for solutions

What solutions are available to employers? Cullina and Vared offer several practical steps that can make a difference:

Pick the low-hanging fruit. “Many of the best things you and your employees can do to actively protect your business are simple, low cost or even free,” Vared said. “For example, using strong passwords, changing them often and enabling two-factor authentication where available is free but will dramatically improve your cybersecurity.”

Review benefits. Many employers make it a priority to include ID protection services in employee benefit packages, Cullina said. He cites information from the Willis Benefits Study showing that ID protection is the fastest-growing benefit in the United States.

“These services provide expert assistance: ID theft resolution, including resolving medical ID theft and incident response protection; as well as proactive resources, including education and monitoring,” Cullina said. “Monitoring tools include credit monitoring and dark web monitoring, which allow for early detection of fraud and immediately alert the employee of any fraudulent activity against their identity.”

Build the culture. “One of the most affordable ways to protect the health of your business is to foster a company culture around cybersecurity,” Vared said. “There are many digital training tools for your employees that make sure everyone in the organization is familiar with the latest threats and attacker tactics. Most importantly, make sure all employees recognize that cybersecurity best practices should never be a casual afterthought or reserved only for the IT department.”

Explore cyber insurance. “Even with the most robust cybersecurity measures in place, organizations can still get attacked,” Vared said. “To fully protect your business — including your employees’ safety, customer data, operational finances and public reputation — invest in a cyber insurance policy that meets the unique needs of your business. For instance, many plans include incident response support to immediately respond to a breach, in addition to protection from lost income, regulatory fines and lawsuits.”

Educate employees. Just as employees can be the most vulnerable cybersecurity risk, they also can be the first line of defense.

“The greatest vulnerability is the lack of awareness and education around cyber threats,” he said. “Often breaches are the result of a social engineering attack where a bad actor tricks an employee to share confidential information, such as W-2s, or transfer funds.

“It is hard to predict the future, but it is fair to say that as prevention techniques have evolved, so have the creative measures people go through to steal information. Education and awareness will always be the best first step to stay ahead of the curve.”

Consult your broker. “These challenges present an opportunity for brokers large and small to become good stewards in data protection, offering companies and employees best practices for protecting from fraud and security of private data through best practices,” Cullina said.

Build an in-house team. “First and foremost is having total priority and access to an IT team any time there is a security incident,” Vared said. “Also, in-house teams will be deeply familiar with your organization’s unique needs, risks and processes, allowing them to react to potential threats faster and more seamlessly than an external team might.”

Consider hiring an agency. “Hiring an external cybersecurity team, known as a Managed Security Service Provider, can work better for some organizations, as it’s often the more affordable route,” Vared said. “Additionally, working with external agencies allows companies to sidestep the widespread problem of finding and retaining sufficient cybersecurity talent. It’s crucial, however, to take the time to find an external cybersecurity partner who is well-versed in your industry and can help set clear goals that align with your organization’s particular needs.”

Although it is impossible to eliminate all risk, employers have a number of options to protect their business and human assets.
