RCM and the Cyber-Security Landscape for Anesthesiology Practices
By Ned Campbell
It seems any more it’s every day there is news of another major data security breach in our country – and it’s clear the healthcare industry is one of the favored targets of cyber-criminals. Over 16 million patient records were breached in 2016. HHS-OCR HIPAA breach settlements totaled a record-high $24 million in 2016. According to predictions by credit reporting firm Experian, the healthcare industry will be a target for cyber attackers in 2017 while “personal medical information remains one of the most valuable types of data for attackers to steal.” (1)
While most data security attacks have focused on large healthcare systems, it does not mean anesthesiology practices are immune from these cyber-security threats. Anesthesiology practices manage a complex data environment with many systems and entities where protected health information (PHI) is transmitted and stored: Electronic Health Records, networked medical devices, mobile devices, Emails, SMS messaging, cloud storage, patient portals and Revenue Cycle Management (RCM) systems.
Each of these pose their own unique set of data security challenges and provide a wide attack surface to guard and secure against cyber-security attacks. As these systems and processes are often provided by a third-party vendor or outsourced completely to a service organization, a anesthesiology practice’s data security environment almost always extends to a complex variety of business associates.
The Threats Are Real
The healthcare cybersecurity threat landscape has an ever-expanding attack surface, with motivated and well-funded cyber-criminals who can carry out creative, sophisticated attacks on private and often protected healthcare information from anesthesiology practices and their business associates. These include but aren’t limited to:
- Social engineering and phishing attack campaigns that targets individual users
- Malware, zero-day and botnets that target systems and medical devices to exploit default administrative credentials and known software vulnerabilities
- Ransomware attacks that target network and application infrastructure
- Targeted hacking of mobile devices via unsecured wireless networks, operating system flaws and downloaded malicious applications
- Interception of unencrypted PHI data transmissions
- SQL injections to exploit insecure internet-facing applications
- Stolen or lost devices containing unencrypted PHI
If these outside threats are not enough, employees still pose one of the greatest risks to healthcare organizations and their business associates. According to a 2016 Data Security Incident Response Report from Baker Hostetler, 24% of healthcare data breaches resulted from employee errors. (2) Social engineering, phishing and spear phishing campaigns targeting individual users are on a sharp increase with increasing sophistication across all industries.
Data Breach Impacts Can Be Significant
2016 was another bad year for healthcare data breaches. Although the largest healthcare data breaches of 2016 were nowhere near the scale of those seen in 2015 (e.g. Anthem, Premera, Excellus), over 16 million patient records were compromised involving breaches involving more than 500 patients in 2016. Of these major beach incidents, 275 were reported by providers and 20 were reported by business associates
The potential impact to healthcare providers of a single data breach are significant in terms of cost, disruption and reputational impact:
- HHS-OCR (Office of Civil Rights) HIPAA breach settlements and civil money penalties are escalating in both frequency and magnitude. One HHS-OCR settlement affecting only 6,800 individuals amounted to $4.8 million in 2016.
- For breaches affecting more than 500 patients, both the HHS-OCR and local media outlets must be notified within 60 days of discovery of the breach.
- Regardless of the number of patients involved, breach notification letters must be submitted within 60 days by first class postage to all affected patients.
- Post-breach identity protection must often be provided for affected patients for 1-2 years with an estimated cost of $10 per individual per month.
- Lost business reputation can create a patient churn rate of 5-6% following a data breach
- Class action lawsuits may often arise, with average claimed damages of $1,000 per victim, not counting negligence claims
- Other miscellaneous costs can include organizational disruption, PR/crisis communications, technical investigations and increased cost to raise debt (3)
Data Security as a Strategic Priority
Given both the growing number of healthcare cyber-security threats and the potentially significant impacts from a data breach, anesthesiology practices need to consider data security a critical business priority for their own practice and their business associates.
At Zotec Partners, the largest national provider of revenue cycle management services to anesthesiologists, we consider data security a mission-critical strategic priority utilizing a three-part strategy: Organizational Commitment, Technology and Processes, and External Certification. In developing their own data security controls and evaluating their business associates’ data security standards and controls, an anesthesiology practice may consider a similar approach.
Data security requires a true organizational commitment by a company’s executive team and shareholders as effective data security requires time, resources and investments. Companies that invest in a dedicated Information Security department of certified information security professionals with separate operating / capital expense budgets to execute on strategic information security projects can keep pace with the evolving data security threats in order to implement security best practices.
New employee onboarding and ongoing security awareness and education of all employees is one of the most important investments a practice can make in data security. Providing security training above and beyond the “annual HIPAA education requirements” and communicating security reminders frequently are two effective means of building a workforce that is sensitized and responsive to data security threats. As an example, in order to sensitize employees to phishing attacks and to provide additional training to employees as needed, companies might deploy customized employee phishing campaigns periodically throughout the year.
Technology and Processes
There are many data security technology solutions available in the market today that healthcare organizations can use to prevent, monitor and respond to potential data security risks and threats. Technology tools, when coupled with prevention, monitoring and detection processes executed by an information security team, can create a multi-layered network of defense against cyber-security threats. These technology and processes might include:
- Intrusion detection and prevention tools
- Endpoint and mobile device protection tools
- Data transmission encryption tools
- Security incident and event/log management systems
- Internal threat detection and intelligence tools
- Robust patch and software update programs
In a recent Modern Healthcare special report on how to build a better cyber-security defense, only 31 percent of healthcare systems use threat-intelligence software to protect their network and 27 percent of provider executives say they’d like to implement cybersecurity tools that use artificial intelligence, machine learning or predictable analytics to better protect critical data. (4)
External third-party examination and certification of its own security practices and that of its business associates are a third way for anesthesiology practices to enhance data security. In the past two years, Zotec Partners has completed two such data security certifications that help give our clients peace of mind in understanding how we are securing their patients’ confidential data.
SOC-2 Security Certification
The SOC-2 certification is established by the American Institute of Certified Public Accountants (AICPA) in accordance with the SSAE 16 professional standards, and it focuses on a service organization's controls related to the security, availability, integrity, confidentiality, and privacy of information and systems. The SOC-2 Security certification is designed to give a company’s clients and stakeholders insight and assurances into the security controls of a service organization.
PCI DSS 3.2 Compliance
PCI DSS 3.2 is a comprehensive card security standard regulated by the world’s leading credit card companies, including American Express, Discover, JCB, MasterCard and Visa. The standard evaluates data security of credit card payment applications and service providers by assessing a business’s network architecture, technology platforms, security policies and data protection procedures, and is a critical certification for any organization who stores, processes or transmits credit card data.
It’s critical for anesthesiology practices to be aware of the growing breadth and depth of healthcare cyber-security threats and to ensure their data security controls and methods are evolving to provide adequate protection to their patients’ valuable data. Organizational commitment, technology and processes, and external certification may be important steps to consider for a practice. The resources, expertise, and data security practices are also important factors for anesthesiology practices to consider with their RCM partners and other business associates to which they entrust their patient data.
- Fourth Annual 2017 Data Breach Industry Forecast. http://www.experian.com/data-breach/2017-data-breach-industry-forecast.html
- “Is your organization Compromise Ready”? 2016 Data Incident Response Report. Baker Hostetler - http://f.datasrvr.com/fr1/516/11618/BakerHostetler_2016_Data_Security_Incident_Response_Report.pdf
- HIPAA Journal - http://www.hipaajournal.com/wp-content/uploads/2015/05/hipaajournal-cost-hipaa-data-breach.png
- Conn, Joseph and Rubenfire, Adam. “Building a Better Cyberdefense.” Modern Healthcare. http://www.modernhealthcare.com/reports/cybersecurity/?utm_source=MHEmail&utm_campaign=MHCyberReport&utm_medium=Email#!/