Managing Risk of Cyber Incidents
By GINA PRUITT, KraftCPAs
Reaching Cybersecurity Maturity in the Healthcare Industry
Cyber threats are here to stay -- and they continue to be one of the topics keeping senior management up at night. With breaches and ransomware attacks still occurring at high rates, the healthcare industry continues to be significantly impacted.
For the 11th year in a row, The Ponemon Institute 2021 Cost of a Data Breach Study, commissioned by IBM Security, listed the healthcare industry as having the highest total cost per breach of the 18 industries covered, as well as the largest increase (29.5 percent from 2020 to 2021). Approximately 70 percent of the records compromised included personally identifiable information (PII).
A company's most important asset is its reputation. With that in mind, management must determine its risk tolerance, that is, the level of risk the organization is willing to accept. Once risk tolerance is decided, there are several ways to mitigate risk.
There are three key approaches an organization can implement to limit risk:
As with many other industries, there are several common types of data breaches occurring within the healthcare industry. Those include:
Ransomware attacks continue to be on the top of the list for healthcare and most other industries as well.
Medical records are a hacker's dream! Each record is worth at least 10 times the value of a stolen credit card, because a medical record contains so much more personally identifiable information. In one record, a hacker can obtain credit card data, Social Security numbers, email addresses, demographic information, employment information, insurance information, and medical history. Any of this information can be used for social engineering or other breach tactics such as obtaining credit cards, setting up bank accounts, etc. Many types of fraud can easily be committed with just a few pieces of information from one record alone, and hackers often obtain many thousands of records at one time. They can hold companies and individuals for ransom, sell the data on the black market, or steal identities.
Healthcare entities have a responsibility to comply with the privacy and security laws outlined in the Health Insurance Portability and Accountability Act (HIPAA). Risk assessment is the first step to ensure compliance. Once the assessment is complete and the organization has identified key controls and filled any gaps in those controls, risk management should become a continuous, dynamic process. The same basic tenets of a HIPAA risk assessment can be applied to performing a cybersecurity risk assessment.
Risk is generally assessed by identifying threats and vulnerabilities, then determining the likelihood of occurrence as well as the potential impact of an occurrence on a specific organization. Identifying and implementing the controls necessary to mitigate those risks and reduce both the likelihood of occurrence and the impact is critical. For this process to be successful, it requires leadership within the organization as well as input and commitment throughout the organization, to ensure that all business components and information assets are identified; that inventory is ever-changing.
In order to assess cyber risk, as well as to determine its impact and the potential cost of managing it, the suggested steps of the process should include, but are not limited to:
It is important to identify and classify the sensitive, critical information assets that need to be managed. Information assets include various categories of data (both automated and non-automated), including, but not limited to, data contained in records, files, and databases. Healthcare entities are responsible for protecting the privacy, confidentiality, integrity, and availability of their patients' protected health information (PHI) and personally identifiable information (PII), as well as other information assets.
Generally speaking, information assets are critical systems, third-party interfaces (such as those used for payer processing), automated tools and source code, proprietary systems, and confidential records. Classification is a designation given to the information asset based on sensitivity and criticality to the organization.
A threat can be a person, an organization, or even an act of nature that could compromise information security or the privacy of PHI or PII. Threats can be malicious, intentional, unintentional, natural disasters, hardware failures, or viruses, among other things. The nature of threats, their capabilities, and their resources must be considered to determine the likelihood of their occurrence. For this purpose, assess risk and threats in terms of the probability of an attack or breach. Threat intelligence, such as that provided by The Ponemon Study, plays a key role in developing and maintaining a cybersecurity risk management program.
Vulnerabilities could be weaknesses in a network or a particular system, a lack of segregation of duties within an application, inadequate physical security, etc. Such weaknesses can potentially be exploited to gain access and affect the privacy and integrity of systems and/or data. Vulnerabilities should be assessed based on the type of weakness and the information asset(s) that would be impacted.
There are inherent risks in any process. Information security and data privacy carry more inherent risk than most and, therefore, require more controls. The information that healthcare organizations manage is highly sought after by threat actors, hackers, and even unethical employees. There is also the potential for unintentional and accidental breaches of information. Analyzing the risk to information assets based on their impact or criticality to the organization is key.
Risk for a given asset can generally be determined using the following equation:
Risk = Likelihood of a threat occurring against the asset x Value of the asset
Based on this equation, the higher the likelihood of occurrence and the higher the value of the asset to the organization, the higher the risk level and the potential cost of a successful breach.
Cybersecurity touches almost all aspects of the organization. Once the organization has prepared the cybersecurity risk assessment, it must implement a cybersecurity program, continue to perform the risk assessment process, and refine the program as results come in. Cyber risk management requires organizations to address the threats identified in the risk assessment as well as new threats identified or caused by ongoing changes in hardware, software, third parties, etc. Redefining the controls, tools, and other mitigating factors affecting the processes and programs within the organization should become second nature. Other critical areas a cybersecurity program ties to and that may require periodic changes include the organization's:
A cybersecurity program should be woven throughout these and other key areas of the organization. Specifically, it is important to ensure that the following are addressed:
By no means is this an exhaustive list, but it is a set of crucial items to be considered and documented. In addition, identifying and communicating with all the players and documenting their responsibilities is key.
Traditionally, we think of insurance as a means to transfer risk to a third party. Cybersecurity risk is somewhat different: we must portion and partition off pieces of the risk. Cyber insurance is one element of transferring risk. Other elements may include utilizing third-party vendors (as long as the organization performs adequate due diligence in selecting vendors, clearly outlines the expectations and responsibilities of the vendor, and has a consistent and thorough vendor management program) and obtaining other insurance policies related to physical structures, equipment, and so on.
As for cyber liability insurance coverage, there are approximately 50 major insurance providers that offer some level of liability policy. But these policies vary widely from provider to provider. Policies usually have to be custom designed, and companies are often unsure what their policy should cover. There will often still be coverage gaps, so coordination of coverage is important. In some cases where the cyber liability policy does not cover an area, professional liability insurance, which should include directors and officers (D&O) and errors and omissions (E&O) coverage, may address the risk. Finally, a fidelity bond, which protects the company against the acts of individual employees, whether intentional or negligent, may cover certain aspects of a cyber incident.
Four main types of cyber liability coverage include:
Regardless of type, the better your organization has implemented risk management processes and procedures, the lower the premiums should be. Insurance companies will need to see these processes and procedures in action, including the identified mitigation plans and third-party vendor management documentation.
Policies will include clauses that limit or waive coverage if certain controls and procedures are not in place and limit liability for breaches or losses caused by third parties. There will also be a large deductible. Consider the Target breach from several years ago. Although Target had approximately $100 million in cyber liability coverage with a $10 million deductible, the estimated cost of the breach was $1 billion. Several of the largest healthcare breaches have been estimated at a cost well over half a billion dollars. In 2021, the average cost of a healthcare breach was $9.23 million, per The Ponemon Study.
Some of us are natural risk takers; others avoid risk at all cost. Avoiding risk in business is important, but there must be balance. The discernment required for risk management is developed over time, which is why most organizations limit critical decision making to experienced management personnel. Even then, the most critical and potentially costly decisions are made by multiple parties. Regardless of how decision making is handled in your organization, risk management should become an integral part of making business decisions.
In the cyber world we live in, continuous vigilance, monitoring, and training are critical. Leading by example at the senior management level and sharing how employees can help the organization avoid and limit risk will ingrain these concepts (for instance, they might be the basis of a reward system or part of the organizational bonus criteria). Finally, employee training, education, and knowledge sharing, especially regarding patient data and information assets, is a must. Getting employee buy-in and involvement, and encouraging employees to identify risks, will help make them an extension of your risk avoidance model.
In the end, we cannot completely manage risk out of the business or the business will be stifled. But developing a continuous cybersecurity risk assessment process and cybersecurity program that includes a risk avoidance model which is maturing each year will significantly help manage and mitigate the risk of cyber-related incidents.
For more results of The Ponemon Institute 2021 Cost of a Data Breach Study, go to ponemon.org.
Gina Pruitt, CPA, CITP, CGMA, CRISC, CHFP, CCSFP, CISA, is the member-in-charge of the risk assurance & advisory service at KraftCPAs and a member of the firm's healthcare industry team. Contact her at (615) 782-4207 or email@example.com. To learn more, visit kraftcpas.com.