What does cyber fraud look like for a hospital or a healthcare group? Where does it happen, and how can organizations protect themselves? As you assess the security of your organization, here are top trends, emerging threats and things to consider.
1. Don’t forget the basics
As complicated as cyber fraud may seem, don’t forget the basics. The scariest headlines for healthcare executives are about fraudsters using ransomware to shut down a system, as happened to the UK’s National Health Service in 2017. But a breach doesn’t require sophistication. “A lot of cyber fraud continues to be perpetrated via good old-fashioned phishing techniques,” says Charles Alston, Market Executive at Bank of America Merrill Lynch. “Fraudsters send an email that gets them into an organization. Then employees, oftentimes even though thoroughly trained, can make an error in judgment by clicking on a link or responding to a fraudulent email. That one action ends up pulling a thread that creates a system-wide problem.”
2. Watch for wire fraud
In addition to straightforward check and ACH fraud, “Healthcare is just as susceptible as any other business to wire fraud,” Alston says. In a wire fraud, the fraudster sends an email to a treasury employee that appears to be from a top-level executive in the organization; often it will be sophisticated enough to mimic the executive’s writing style, or arrive when the executive is at a conference or on vacation and hard to reach. The message asks the recipient to wire funds to an account—again, presenting it as an emergency or time-sensitive situation. The recipient is reluctant to turn down the request, since it appears to come from management. “People ask, ‘Why would a controller or treasury employee respond to an email like that?’” Alston says. “Well, it appears legitimate, and it’s a rare event; no one has likely seen something like that before.
And once that transfer is executed, the money is gone, because employees hadn’t been trained, or regularly reminded about such types of fraud, and there wasn’t a process in place to handle such situations. These are the situations that training can help avoid.”
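The pattern described above (an executive’s name on an email from an outside or look-alike address, urgency or secrecy language, a beneficiary account nobody has paid before) can be turned into a simple pre-payment check so that the “process in place” Alston refers to is enforced rather than remembered. The following is an added example, not code from the article or from Bank of America Merrill Lynch; the organization domain, executive directory, approved-beneficiary list and the two sample requests are all constructed. Any request that raises a flag is held for a phone call to the executive at a number already on file, never a number from the email.

```python
"""Triage of emailed wire-transfer requests before funds move (constructed example)."""
from dataclasses import dataclass
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"  # hypothetical organization domain
# Hypothetical executive directory: display name -> the executive's real mailbox
EXECUTIVES = {"Jane Doe": "jane.doe@example-health.org"}
# Hypothetical beneficiary accounts that were verified out of band in the past
APPROVED_BENEFICIARIES = {"US12-3456-7890"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "confidential", "before end of day")

HOLD = "HOLD_FOR_CALLBACK"      # stop; verify by phone, then dual-approve
NORMAL = "NORMAL_DUAL_APPROVAL"  # no red flags; still needs two approvers


@dataclass
class WireRequest:
    from_header: str          # raw From: header as received
    reply_to: str             # raw Reply-To: header, "" if absent
    subject: str
    body: str
    beneficiary_account: str
    amount: float


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(req: WireRequest) -> dict:
    """Return the red flags found and the resulting handling decision."""
    flags = []
    name, addr = parseaddr(req.from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # Executive's name on the message but not the executive's known mailbox
    if name in EXECUTIVES and addr != EXECUTIVES[name].lower():
        flags.append("display name matches an executive but the address does not")
    # Sender domain is outside the organization, or a near miss of it
    if domain != ORG_DOMAIN:
        kind = "look-alike" if levenshtein(domain, ORG_DOMAIN) <= 2 else "external"
        flags.append(f"{kind} sender domain: {domain}")
    # Replies silently redirected somewhere else
    if req.reply_to and parseaddr(req.reply_to)[1].lower() != addr:
        flags.append("Reply-To differs from From")
    # Pressure language typical of executive-impersonation requests
    text = f"{req.subject} {req.body}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append("urgency/secrecy language: " + ", ".join(hits))
    # Money going to an account the organization has never verified
    if req.beneficiary_account not in APPROVED_BENEFICIARIES:
        flags.append("beneficiary account not previously verified")

    return {"flags": flags, "decision": HOLD if flags else NORMAL}


# Constructed sample: a look-alike domain (capital I in place of l), a redirected
# Reply-To, pressure language and an unknown beneficiary.
SUSPICIOUS = WireRequest(
    from_header="Jane Doe <jane.doe@example-heaIth.org>",
    reply_to="Jane Doe <jd.ceo@mail-example.com>",
    subject="Urgent - confidential acquisition payment",
    body="I am at a conference and hard to reach. Please wire $48,500 immediately.",
    beneficiary_account="GB98-7654-3210",
    amount=48500.0,
)
# Constructed sample: a routine request from the real mailbox to a known account.
LEGITIMATE = WireRequest(
    from_header="Jane Doe <jane.doe@example-health.org>",
    reply_to="",
    subject="Q3 vendor payment",
    body="Please process the scheduled payment to our imaging supplier.",
    beneficiary_account="US12-3456-7890",
    amount=12000.0,
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        result = triage(req)
        print(label, result["decision"], *result["flags"], sep="\n  ")
```

Even the legitimate request is routed for two-person approval; the triage only decides whether a callback must happen first. The beneficiary check is deliberately the last line of defence: a message can pass every header test and still be fraudulent, so a never-before-paid account should always trigger verification regardless of who asked.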
3. Monitor for ransomware
Criminals’ use of ransomware is a threat that organizations should consider carefully, and one that they will handle best if well prepared. One of the most effective preparation tools is a tabletop exercise that walks the organization through a simulated ransomware event.
Doing a simulation can help answer the key questions: Would we be able to identify a situation and stop it? Would we be able to trace where it came from? Do we have all the right disciplines at the table? What kind of communications do we need to let people know what’s happening? Can we get the system back up? Many executives may be tempted to invest in cryptocurrency like Bitcoin so they’re able to pay quickly in the event of a ransom demand, but they should carefully consider whether paying a ransom is the best solution. Lynn Wiatrowski, National Treasury Executive at Bank of America Merrill Lynch, suggests that healthcare providers, who often train for emergency medical events and natural disasters, can apply those learnings to handle a cyber fraud event.
4. Tighten provider-insurer connections
The connections between healthcare providers and insurance companies can create cracks where cyber fraud can flourish. “The structure of health insurance involves a lot of transactions and a slow process, a complicated architecture. And there is a lot of money fueling the system,” says Roger Boucher, Market Executive at Bank of America Merrill Lynch. “The process of reimbursement creates a back and forth interaction that the patient never sees; it can be weeks or months of submission, denial, resubmission, correction, denial (again), before the bills are processed. That lag creates a vulnerability. With so much data traveling back and forth, and such delays in payment, crooks find a way to insert themselves in the gap.” He says healthcare providers need to assess, and continually re-assess, the reimbursement process to double-check that insurance companies are sending payments to the correct entity.
5. Protect patient data
Patient data needs to be protected in as many ways as possible. Not only do healthcare providers need to be cognizant of patient privacy and HIPAA rules, they need to continually remind themselves that patient data is currency for criminals. As patient records are migrated from paper to digital forms, organizations need to be vigilant in keeping track of older records and how they are handled, stored or disposed of. Policies need to be in place to ensure safety, for instance, when employees handle patient data while working at home. Similarly, to keep records safe and up to date, providers need to regularly back up the data contained in their computer systems. Organizations will complain that backing up the database for the entire system is too time-consuming, or creates too much downtime. A solution is to break the data into smaller pieces, backing up a department or a piece at a time.
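The “smaller pieces” approach above can be made concrete: archive each department separately, so no single job holds the whole system down, and record a hash for every piece so that a backup can be checked before anyone relies on it for recovery. This is an added example, not code from the article; the department names and the sample records are constructed, everything runs inside a temporary directory, and the integrity manifest goes one step beyond the article’s suggestion, since a backup that was silently overwritten or corrupted is of no use after a ransomware event.

```python
"""Per-department backup with an integrity manifest (constructed example)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

DEPARTMENTS = ["radiology", "billing", "pharmacy"]  # hypothetical department directories


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_department(data_root: Path, dept: str, backup_dir: Path) -> dict:
    """Archive one department's directory on its own and record its hash."""
    archive = backup_dir / f"{dept}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_root / dept, arcname=dept)
    return {"department": dept, "archive": archive.name, "sha256": sha256_file(archive)}


def backup_all(data_root: Path, backup_dir: Path, departments: list) -> list:
    """Run the per-department jobs and write a manifest listing every piece."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = [backup_department(data_root, d, backup_dir) for d in departments]
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backups(backup_dir: Path) -> dict:
    """Re-hash each archive against the manifest; {department: True/False}."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    results = {}
    for entry in manifest:
        archive = backup_dir / entry["archive"]
        results[entry["department"]] = archive.exists() and sha256_file(archive) == entry["sha256"]
    return results


def demo() -> dict:
    """Create constructed records, back them up piecewise, damage one archive, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        data = root / "records"
        for dept in DEPARTMENTS:
            (data / dept).mkdir(parents=True)
            # Constructed placeholder content, not real patient data
            (data / dept / "patients.csv").write_text(f"id,dept\n1,{dept}\n")
        backups = root / "backups"
        backup_all(data, backups, DEPARTMENTS)
        before = verify_backups(backups)
        # Simulate one archive being overwritten after the backup was taken
        (backups / "billing.tar.gz").write_bytes(b"not a valid archive")
        after = verify_backups(backups)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because each department is its own archive, a failed or corrupted piece is identified by name and can be re-run alone instead of repeating the whole system backup. In production the manifest would be stored with a copy that the production network cannot overwrite, and verification would run on a schedule rather than only at backup time.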
6. Keep tabs on third parties
Whether it’s insurance companies, labs, doctors’ offices or other partners, an organization is only as protected as the third parties it works with and shares its computer connections and its data with. “A healthcare organization should be asking, ‘Where is all my data going, and who is keeping an eye on it?’” Boucher says.
A strong vendor management program should include regularly checking the data protection policies and cybersecurity procedures of vendors, third-party services and strategic partners to make sure everyone is on the same page. “When contracts are reviewed, there should be an opportunity to build on a security element as well as outline liability of loss, if those items do not already exist,” Alston says.
7. Secure new equipment
The industry has been buzzing about how new products in the internet of things and medical devices are offering new entry points into a healthcare system. “When a hospital is introducing the newest, most sophisticated piece of medical equipment, thoughts are on the difference this new technology will make in patients’ lives, rather than considering that the new technology may also be introducing a cyberthreat,” Wiatrowski says. “It is not second nature to think about who is on the other end of those pieces of equipment, and what entry points may be introduced.”
8. Stay alert for new threats
Finally, remember that the threat environment will continue to evolve. Stay updated on the newest forms of cyberattacks by reading trade publications, attending conferences and webinars to share information with your peers, and comparing notes with your own strategic partners about what they are seeing. Says Alston, “There is a lot more ground to protect if you are in a healthcare organization, and a lot more opportunity for fraud to occur. And it’s hard to stop something if you have never seen it before. That’s why ongoing education and training are so important.”