Health care organizations, including hospices, are a top target for cyber-criminals seeking protected health information, insurance details, and patient identifiers. As technology becomes increasingly pervasive in hospice care, providers are seeking stronger methods to protect themselves and their patients, cyber security experts told Hospice News.
A number of hospices have experienced serious data breaches in recent years. Maryland-based Frederick Regional Health System in March sent letters to its hospice patients informing them of a phishing attack that accessed patients’ protected health information, according to media reports. A similar incident took place in April involving Bend, Ore., hospice provider Partners in Care.
In May 2018, CarePartners Hospice and Palliative Care notified patients of a data security incident that compromised patients’ personal and protected health information; that incident, too, involved email.
“Health care information is widely known to be worth the most money in the black market, so health care organizations are frequently targeted,” said David Finn, executive vice president for strategic innovation at cybersecurity consulting firm CynergisTek. “Since about 2009 we have actually seen some breaches shut down health care organizations. Some of them were never able to regain their financial footing, which had a very significant impact on their communities.”
Hospices are information rich. Nurses and staff arrive in patient homes with laptops, cell phones, and tablets; all of which could contain sensitive information, and hospices are increasingly investing in telehealth systems and emerging technologies such as virtual reality.
“Any time you use any technology there is always the possibility of vulnerability,” said Joseph Bach, chief information officer for the Buffalo, N.Y.-based Center for Hospice and Palliative Care. “You have to be careful to make sure the right encryption and protection systems are in place to protect data not only at rest but in transit.”
Electronic medical records and other files contain patient health information, addresses, social security numbers, insurance information, dates of birth and other identifiers that cyber-criminals can use to create fraudulent identification, to obtain prescriptions for controlled substances, or to sell to parties engaging in identity theft.
Nearly three years ago the center, which cares for 450 hospice patients and 500 palliative care patients daily, began enhancing its cyber security program, Bach told Hospice News.
The center’s objective was to align its information security policies and activities with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and to ensure that the hospice’s policies were consistent with the HIPAA Security Rule. The NIST framework covers encryption, remote access, media destruction, passwords, and other security concerns.
A central component of the center’s work was education, not only of staff but of the organization’s leaders and board of directors.
“Information security training and awareness reminders are probably the most important things that you can focus on in a security program; the smarter that end users can become around identifying security risks the better off your organization will be,” Bach said. “And it’s really important to get leadership buy-in and to get your board on board.”
The center trains new staff on cyber security policies during their orientations, and all staff participate in mandatory annual training as well as ongoing digital training and awareness reminders throughout the year.
A key component of the training is how to identify suspicious emails, which are the most common delivery method for cyber attacks such as ransomware and phishing scams.
“In health care the most feared attack is ransomware; they literally hold the data for ransom, and if you can’t get to the patient’s information …,” Finn said. “If you can’t get to their prescription list or don’t know the treatments they have been receiving, it can impair patient safety and slow or stop the organization’s ability to provide care.”
The center’s training program includes practices to help prevent staff from clicking on potentially dangerous links. These include hovering the cursor over a link to read the actual URL before clicking, watching for domain names that closely resemble the organization’s own, and checking sender addresses for misspellings.
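The same checks that staff are taught to do by eye can be automated on inbound mail. Below is an added example, not code from the center or its vendors, that pulls the links out of a constructed HTML message and flags the patterns just described: a displayed URL that differs from the real destination, a domain one character substitution away from the organization’s own, and the organization’s domain planted as a subdomain of somewhere else. The organization domain `hospiceexample.org` and the sample message are assumptions for the example; the registrable-domain logic is deliberately naive (last two labels) and a production version would use a public suffix list.

```python
"""Flag look-alike and mismatched links in an email body.

Added example; the domain and message below are constructed, not real.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

OWN_DOMAIN = "hospiceexample.org"   # assumed organization domain (hypothetical)

# Constructed sample message: one legitimate link, three suspicious ones.
SAMPLE_EMAIL = """
<p>Please review the updated care plan:</p>
<a href="https://portal.hospiceexample.org/plan/123">portal.hospiceexample.org</a><br>
<a href="http://hospiceexarnple.org/login">https://hospiceexample.org/login</a><br>
<a href="https://hospiceexample.org.account-verify.net/reset">Reset password</a><br>
<a href="https://h0spiceexample.org/billing">Billing</a>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'h0spice' and 'rn' for 'm' collapse."""
    s = label.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans("0135", "oles"))


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a single link looks suspicious (empty = clean)."""
    reasons = []
    host = host_of(href)
    reg, own_reg = registrable(host), registrable(OWN_DOMAIN)
    if urlparse(href).scheme != "https":
        reasons.append("not https")
    # Display text that is itself a URL or hostname but points elsewhere.
    shown = text.strip()
    shown_host = ""
    if "." in shown and " " not in shown:
        shown_host = host_of(shown if "://" in shown else "https://" + shown)
    if shown_host and registrable(shown_host) != reg:
        reasons.append(f"display text names {shown_host} but link goes to {host}")
    if reg != own_reg:
        if normalize(reg) == normalize(own_reg):
            reasons.append(f"look-alike of {OWN_DOMAIN} (character substitution)")
        elif levenshtein(reg, own_reg) <= 2:
            reasons.append(f"look-alike of {OWN_DOMAIN} (edit distance)")
        elif (OWN_DOMAIN + ".") in host:
            reasons.append(f"{OWN_DOMAIN} used as a subdomain of {reg}")
    return reasons


def scan_email(html_text: str) -> List[Tuple[str, List[str]]]:
    """Return [(href, reasons)] for every link in the message that trips a check."""
    flagged = []
    for href, text in LINK_RE.findall(html_text):
        reasons = check_link(href, re.sub(r"<[^>]+>", "", text))
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("  -", r)
```

On the sample message the first link passes and the other three are flagged: the second for plain HTTP, a displayed URL that differs from the real one, and the `rn`-for-`m` swap; the third for hiding the real domain behind a familiar-looking subdomain; the fourth for the zero-for-o substitution. The same function can be run over the links in the mock-phishing emails a hospice sends its own staff to confirm the lures it uses match what the training teaches.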
The center also contracts with local cybersecurity companies to do mock phishing attacks, see which links employees click on, and incorporate lessons learned into their training programs.
“We do technical assessments including quarterly network vulnerability scans; these scans are monthly for the top 75 devices on our network,” Bach added. “We also do penetration testing, where someone tries to break into your network and identify where your vulnerabilities are.”
The center contracts with a security company that monitors the hospice’s top 75 devices on its network on a 24-hour basis.
Even with all these measures in place, a hospice’s security concerns do not begin and end with its own systems, according to Bach. The center also does security assessments of any vendor that will have access to sensitive data.
The costs of cyber security can run high. Though pricing often is tiered for different levels of protection, smaller hospices with limited resources can often struggle to pay for advanced cyber security testing or systems.
“It’s hard to build a return-on-investment model on security. There are costs, time, and effort associated with it, but I can tell you that it is a fraction of what it will cost after you have had to shut down due to a ransomware attack,” Finn explained. “That includes what follows in the aftermath of a data breach, which can include a damaged reputation, possibly fines, class action lawsuits, as well as credit coverage you may have to provide to patients whose privacy was compromised.”