Hospitals and health systems need good response plans for cybersecurity incidents, and that includes notifying insurers and testing response plans.
Chicago - Scores of hospitals and healthcare organizations have been hit with ransomware attacks in recent years, and cybersecurity experts have stressed the importance of being prepared for breaches.
As many experts say, it’s not a question of if a hospital is going to be hit, but when. During a panel at the HIMSS Global Health Conference & Exhibition Monday, experts outlined the need for good emergency response plans and for engaging with insurers on a regular basis.
More health systems have been investing in cybersecurity insurance in recent years, the Government Accountability Office reports. Nearly half (47%) of insurance clients opted for cybersecurity insurance in 2020, up from 26% in 2016, the GAO says. As cyberattacks have become more costly, insurance premiums have increased as well.
The experts on the panel all stressed that insurers don’t want to have to play catch up. It’s better to engage them as quickly as possible when trouble arises.
Aleksandra Vold, a partner in the BakerHostetler law firm, leads the healthcare privacy and compliance practice and has handled over 1,000 cybersecurity incidents. She says too many organizations have the wrong perception of insurance companies. Companies shouldn’t relegate insurers to being spectators.
“They should be your partner,” Vold says.
She says clients regularly stress over how much to tell their insurer about a breach, but she says organizations could face more problems by withholding information. “You should tell them a lot,” Vold says.
Erik Decker, chief information security officer at Intermountain Health, says it’s best to open a claim with insurers as soon as suspicious activity is detected, even if the extent of the breach isn’t yet clear.
“They will appreciate the fact that they were there with you while it was happening,” Decker says.
Christopher Scott Martin leads the cybersecurity practice at RCM&D, an independent insurance advisory firm. He says developing relationships with insurers can improve the odds of success when problems emerge.
If the insurer isn’t in the fold during a cyberattack and is just getting up to speed while the hospital is trying to restore its data, Martin says, “It’s going to be a challenging process.”
The panelists all emphasized the importance of testing exercises to determine weaknesses in cybersecurity and to gauge the organization’s ability to respond to an incident.
Martin pointed out that an IBM analysis determined that organizations that tested incident response plans typically spent 50% less on breaches than those that didn’t. The average cost of a data breach in healthcare organizations topped $10 million last year, the most of any industry, according to IBM’s report.
Vold says such exercises don’t just test responses, but they test the assumptions of the organization.
The plans should cover everything from how billing is handled to how phone calls are fielded. Part of such planning should address communications about a cybersecurity incident, including how much information is released and who handles social media. While she says releasing incomplete information too quickly is a mistake, Vold adds, “Waiting too long? Also not helpful.”
If patient appointments are being rescheduled and procedures are being postponed due to a data breach or ransomware attack, the general public is going to hear about it soon, even if the health system isn’t disclosing it.
“If people can’t get their cancer treatment … there is an immediate thunderstorm of public discussion about it,” Vold says.
Intermountain conducts incident response tests regularly, and Martin says that he’d like such tests to be so routine that they’re almost boring. So far, he says, that hasn’t happened. But Martin says the point of testing incident response is in finding areas to improve.
“If you’re not learning something from that exercise, you’re doing something wrong,” Martin says.
As organizations test their emergency operations, they develop muscle memory and are better equipped to deal with audibles, he says.
In the event of an attack, Martin says, “It’s less about cyber at that point and more about business resiliency.”
Health systems developing risk mitigation plans shouldn’t think of them as a checklist of tasks to be completed overnight. They are plans that are refined over time.
“Treat it like it’s a living document,” Vold says.