How to Improve Health Insurance Cybersecurity

In August of 2021, T-Mobile, one of the largest phone carriers in the US, experienced a massive data breach. Hackers stole Social Security numbers, names, addresses, dates of birth, driver’s license information, and more from current and past customers. The breach generated significant news coverage and likely hurt T-Mobile’s brand.

There have also been several high-profile ransomware attacks on health care systems. In late 2020 the University of Vermont Medical Center was hit by a ransomware attack. The center didn’t pay the ransom. However, estimates put the cost at as much as $50 million in lost revenue, because the medical center couldn’t access electronic health records, payroll, and other systems for an extended period. Many patients had to go to other medical centers for treatment.

Is a health insurer the next big company to suffer a significant data breach? The odds say yes. According to a 2016 Accenture analysis, the typical insurer faces 113 targeted breach attempts every year, and about a third of them succeed. Because of the valuable data a health insurer collects and stores, attackers find insurers an enticing target.

The key to not seeing your organization in the news for a significant data breach is developing a health insurance cybersecurity policy that helps prevent attacks. Here are some tips to help:


First, analyze where you are vulnerable to cyber threats. Vulnerabilities can sit in your systems, in your third-party providers, or in your people. Also review past attempts that were detected and blocked: a probe recorded in a firewall log, say, or malware your email filter quarantined. Each one tells you what attackers have already tried against you. Whatever the case, record everything in a list of potential vulnerabilities.

Next, rank those vulnerabilities by how likely they are to be exploited and how much damage a successful attack would do, and create a prioritized action plan to address them. For example, if you determine your employees are susceptible to phishing, develop a training plan that teaches them to recognize and avoid common attacks. Or you may determine your development process gives specific individuals more data access than their jobs require. In that case, identify ways to limit data access to only those who need it (the principle of least privilege).

After an analysis, you should have a prioritized list of threats. You’ll also know what actions you will take to address them.


Documentation is the key to a successful health insurance cybersecurity plan and policy. There are likely several separate documents you’ll need to create or review to be prepared for an attack. Below are some of the core documents to create:

  • Information Security Policy — This policy outlines how your staff may acceptably use your business networks and applications. Organizations generally write these policies to define how access to confidential data is controlled, how the accuracy of that data is maintained, and how the organization itself accesses that data.
  • Business Continuity Plan — As the University of Vermont Medical Center discovered the hard way, a cyber attack can lead to unplanned service disruptions. Your business continuity plan outlines what your organization will do to continue to operate should unplanned disruptions occur.
  • Security Awareness Training Plan — During your analysis of assets and threats, you’ll likely identify several employee training opportunities. Record that training plan for both existing employees, new employees, and any requirements you may have for contractors or third-party partners.
  • Incident Response Policy — The University of Vermont Medical Center’s incident response policy likely limited the damage. As soon as they detected the ransomware, they shut down their technology systems. Instead of paying the ransom, they worked to eradicate the ransomware from all internal systems and then used data backups to restore them. It took time, but it probably prevented even more damage. So have an incident response policy that outlines the steps you’ll take to identify and react to any incident.
  • Data Backup Policy — The University of Vermont Medical Center was also able to eventually get back up and running because of its data backup policy. That policy should outline which backups are performed, when they’re performed, where the backup data is stored, who can access those backups, how to restore them, and how often restores are actually tested. A backup that has never been restored is an assumption, not a recovery plan, and ransomware that can reach your backups will encrypt them too, so keep at least one copy offline or otherwise unreachable from the production network.
  • Remote Access Policy — COVID-19 changed how a vast segment of the population worked. Work from home became the norm, which forced many unprepared businesses to scramble to put a remote access policy together. The policy should outline how employees and others may connect to an internal network, what connection types are acceptable, and what authentication (for example, multi-factor authentication) is required before a remote connection is granted.


In the summer of 2021, Google released a Chrome OS update that essentially locked users out of their devices. A single wrong character in the code caused the issue, and because Chrome OS updates are downloaded and installed automatically, the faulty build reached users’ devices directly.

In the software development world, a critical part of developing software is testing code before release. Though the typo itself caused the problem, testing the software should have caught and corrected that typo.
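The following is an added example, not code from the original post and not Google’s Chrome OS code. It illustrates the class of mistake described above with a bitwise `&` typed where a logical `&&` was intended (an illustrative choice; the post does not name the character). The truth table of the two operators is identical for two booleans, so the code compiles and reads correctly, but `&` evaluates both sides unconditionally, and the right-hand side assumes a value that may not exist. A credential check written this way passes review by eye and fails the moment a user without a key logs in. The small test helper at the bottom is the kind of check that would have caught it before release.

```cpp
// Added example (not from the original post, not Google's code): a one-character
// logic typo ('&' instead of '&&') in a credential check, beside the fix, with a
// helper that makes the difference observable so a unit test can assert on it.
#include <iostream>
#include <optional>
#include <string>

struct KeyData {
    std::string label;
};

// std::optional::value() throws std::bad_optional_access when no value is
// present, so an unguarded dereference is observable instead of undefined.
static bool label_is_empty(const std::optional<KeyData>& key) {
    return key.value().label.empty();
}

// Buggy: '&' is a bitwise AND on two bools. Same truth table as '&&', so it
// compiles and looks right, but both operands are always evaluated:
// label_is_empty() runs even when there is no key, and throws.
bool has_labelled_key_buggy(const std::optional<KeyData>& key) {
    return key.has_value() & !label_is_empty(key);
}

// Fixed: '&&' short-circuits, so the label is only inspected when a key exists.
bool has_labelled_key_fixed(const std::optional<KeyData>& key) {
    return key.has_value() && !label_is_empty(key);
}

// Test helper: run a check and report "true", "false" or "crash" instead of
// letting the exception escape, so a test can assert on every outcome.
std::string check_outcome(bool (*check)(const std::optional<KeyData>&),
                          const std::optional<KeyData>& key) {
    try {
        return check(key) ? "true" : "false";
    } catch (const std::bad_optional_access&) {
        return "crash";
    }
}

int main() {
    // Constructed inputs: a user with a key, a user with an unlabelled key,
    // and a user with no key at all (the case the typo gets wrong).
    const std::optional<KeyData> labelled{KeyData{"user-key"}};
    const std::optional<KeyData> unlabelled{KeyData{""}};
    const std::optional<KeyData> missing{std::nullopt};

    std::cout << "buggy, no key:  " << check_outcome(has_labelled_key_buggy, missing) << "\n";
    std::cout << "fixed, no key:  " << check_outcome(has_labelled_key_fixed, missing) << "\n";
    std::cout << "fixed, labelled: " << check_outcome(has_labelled_key_fixed, labelled) << "\n";
    std::cout << "fixed, unlabelled: " << check_outcome(has_labelled_key_fixed, unlabelled) << "\n";
    return 0;
}
```

The point of the helper is that the test covers the “no key” path, which a happy-path test never exercises. Both versions return `true` for a labelled key, so a test suite that only logs in valid users will pass the buggy build; only a test that includes the absent-key case distinguishes them. Many compilers also warn about bitwise operators on boolean operands, and treating such warnings as errors in the build is a cheap second line of defense.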

Like Google’s failure to properly test their software before release, failing to test your cybersecurity plan could cause significant issues down the line. Some tests to consider:

  • Network Penetration Testing — T-Mobile almost certainly conducts network penetration testing, yet the breach shows that whatever testing was done was not adequate. Network penetration testing simulates what an attacker would do to gain access to your critical systems or launch an attack on your technology infrastructure. Treat the findings as a starting point: a test is only as good as its scope, and a clean report on a narrow scope proves little.
  • Web Application Testing — The Chrome OS outage was an operating system bug rather than a web application bug, but the lesson is the same: a test that exercises the failure path would have caught a one-character error before it shipped. Web application testing lets you find bugs and security weaknesses in your member portals and APIs and confirm that the application works as intended, including when given the input an attacker would send rather than the input a user would.
  • Social Engineering Testing — The University of Vermont Medical Center ransomware attack may have started because someone at the center unknowingly downloaded malware to their computer or network. Social engineering testing focuses on people and processes. You can test phishing, where emails or identities are faked to harvest credentials or personal information; USB drops, where USB devices are left for an employee to plug into their computer and deliver a malware payload in the process; and other forms of impersonation. Any failures can then be used as a teaching moment rather than a disciplinary one, which keeps employees willing to report suspicious messages.
  • Mobile Penetration Testing — Most health insurers have developed a mobile application for use by some or all members of their health plan. Mobile penetration testing simulates an attack against that mobile app, and against the back-end APIs it talks to, to find any security weaknesses.


The NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) created a cybersecurity framework that delivers best practices, standards, and recommendations to help organizations improve their cybersecurity measures. For private organizations there isn’t any legal or regulatory requirement to use the NIST Cybersecurity Framework (your obligations as a HIPAA covered entity apply regardless), but it can serve as a useful guide to help you implement cybersecurity policies.

At a high level the framework consists of:

  • The Framework Core — The Framework Core organizes a common set of cybersecurity activities and desired outcomes into five functions: Identify, Protect, Detect, Respond, and Recover. Within each function are categories and subcategories. For example, the Identify function contains an asset management category, a governance category, and a supply chain risk management category, among others.
  • Framework Profiles — Earlier we discussed how analyzing your existing cybersecurity assets and threats and then creating a prioritized list of items to address is a good approach to building a cybersecurity program. Think of NIST Cybersecurity Framework Profiles as the before and after view of your cybersecurity policies and procedures: a Current Profile describes your present posture, a Target Profile describes the desired future state, and the gap between them becomes your action plan.
  • Framework Implementation Tiers — The framework has four tiers: Partial, Risk Informed, Repeatable, and Adaptive. The tiers describe how rigorously an organization manages cybersecurity risk and how well that risk management is integrated into its wider business decisions. NIST is explicit that the tiers are not maturity levels and that not every organization needs to reach Tier 4; choose the tier that fits your risk, your regulatory obligations, and your budget, and use it to understand where you are and where you need to go.

You can learn more about NIST’s Cybersecurity Framework at

Certifi’s health insurance premium billing and payment solutions help healthcare payers improve member satisfaction while reducing administrative costs.

