Small practices often have the weakest security, experts say, leaving physicians vulnerable to considerable threats.
After more than $27,000 goes missing from his business account, a Texas physician learns that cyber criminals initiated a wire transfer using a fake domain name and an email almost identical to his own. Another physician returns from an international trip to find that criminals hacked his email and used it to transfer more than $30,000 from his medical group’s account to an unknown bank in Hong Kong.
In both cases, taken from the files of a cyber liability insurance underwriter associated with Austin, Texas-based Texas Medical Liability Trust (TMLT), the victims’ banks were not liable for the losses because an authorized account holder approved the transfers, says John Southrey, CIC, CRM, manager of consulting services at TMLT, which provides medical professional liability insurance to Texas Medical Association members.
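The first case turned on a sender domain that differed from the physician's own by only a character or two, which is exactly what a busy reader misses. As an added illustration (not code from the article, from TMLT or from either bank), the following Python check classifies the domain in a From: header against a practice's own domain, catching typo variants, confusable spellings (rn for m, Cyrillic letters for Latin ones), and the practice name reused under someone else's domain. The practice domain and every header below are constructed; the actual domains in the Texas cases are not given in the article.

```python
"""Flag e-mail senders whose domain is a look-alike of a practice's own domain.

Added example for this article, not code from the article or from TMLT.
The trusted domain and every message below are constructed for illustration.
"""
from email.utils import parseaddr

# Character substitutions seen in look-alike domains (constructed list, not
# exhaustive): digit/letter swaps, letter pairs that read as one letter, and
# Cyrillic letters that render identically to Latin ones.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0443", "y"), ("\u0445", "x"),
]


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot, and decode any punycode (xn--) labels."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass  # malformed punycode: compare the literal form instead
    return d


def fold(domain: str) -> str:
    """Collapse confusable spellings so 'rn' and 'm', '0' and 'o', etc. compare equal."""
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted: list[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'look-alike', 'unknown' or 'no-address' for a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no-address"
    domain = normalize(addr.rsplit("@", 1)[1])
    for t in trusted:
        tn = normalize(t)
        # The practice's own domain, or a genuine subdomain of it.
        if domain == tn or domain.endswith("." + tn):
            return "trusted"
    for t in trusted:
        tn = normalize(t)
        # Same name once confusables are folded (westlakefamilyrned vs westlakefamilymed).
        if fold(domain) == fold(tn):
            return "look-alike"
        # Within a typo or two of the real domain.
        if edit_distance(fold(domain), fold(tn)) <= max_distance:
            return "look-alike"
        # The practice's name embedded in somebody else's domain
        # (westlakefamilymed-billing.example, westlakefamilymed.example.attacker.test).
        core = tn.split(".")[-2] if "." in tn else tn
        if len(core) >= 6 and core in fold(domain):
            return "look-alike"
    return "unknown"


TRUSTED = ["westlakefamilymed.example"]  # constructed practice domain

SAMPLE_FROM_HEADERS = [  # constructed From: headers
    "Dr. Jones <djones@westlakefamilymed.example>",
    "Dr. Jones <djones@mail.westlakefamilymed.example>",
    "Dr. Jones <djones@westIakefamilymed.example>",           # capital I for l
    "Dr. Jones <djones@westlakefamilyrned.example>",          # rn for m
    "Dr. Jones <djones@westl\u0430kefamilymed.example>",      # Cyrillic a
    "Billing <ap@westlakefamilymed-billing.example>",
    "Dr. Jones <djones@westlakefamilymed.example.attacker.test>",
    "Payroll <noreply@payrollco.example>",
    "Front Desk",                                             # display name only
]


def scan(headers=SAMPLE_FROM_HEADERS, trusted=TRUSTED):
    """Classify every header; returns (header, verdict) pairs."""
    return [(h, classify_sender(h, trusted)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan():
        print(f"{verdict:10} {header}")
```

The check is a heuristic, not a substitute for the out-of-band verification the bankers quoted here insist on: `max_distance` of 2 will also flag unrelated short domains that happen to be close, and folding confusables on both sides can make two distinct legitimate domains compare equal. Tune it to the practice's own domain list and treat a "look-alike" verdict as a reason to phone the counterparty, not as proof of fraud.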
“Cyber fraud is the most underestimated and underappreciated risk faced by small businesses, particularly in healthcare,” says Southrey. “Most physicians are not budgeting enough for computer data security because they think their practices are too small to attract the attention of cyber criminals. However, losses incurred as a result of a data breach can be worse than a direct tangible property loss such as from a fire or tornado … Many cyber-criminals consider physician practices to be low-hanging fruit because they have not kept up with technology.”
Sara Hempfling, vice president of treasury management at St. Peters, Missouri-based Enterprise Bank and Trust, recommends that all of her clients purchase cyber liability insurance. Large companies may pay about $2,500 per month for $1 million in coverage, but smaller businesses often pay much less, and some coverage is often included in standard professional liability policies, says Hempfling, who works with the bank’s medical clients.
TMLT added cyber liability coverage in 2011. Since then it has handled more than 250 incidents, with more coming in nearly every week, Southrey says. The majority of cases involve data breaches of personal health information (PHI), which can take a financial toll on a practice, exceeding the base cyber liability coverage limit.
Criminal attacks are the leading cause of healthcare data breaches, ahead of employee negligence and lost or stolen devices, according to the Ponemon Institute, a nonprofit research group based in Traverse City, Michigan. Criminal attacks have risen by 125% over the past five years as cyber criminals increasingly recognize the vulnerability of medical organizations that store a trove of potentially lucrative personal data, according to the institute’s 2015 Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data.
More than 90% of the healthcare organizations included in the study reported experiencing a data breach, with 40% reporting more than five over the past two years, the report says. At the same time, only half of survey respondents reported feeling confident that they had the resources or processes and technology in place to detect loss or theft of patient data.
Theft of electronic PHI (ePHI) has substantial financial implications, because victims are responsible for the costs of investigating the breach, notifying customers, paying any government fines, and other crisis-management activities.
It can take months or years to recover from the financial damage of a data breach, Southrey says. Under the Health Insurance Portability and Accountability Act (HIPAA), for example, practices can be fined for failing to conduct a comprehensive risk analysis of their policies and procedures and not having appropriate safeguards in place to protect ePHI.
As a case in point, Phoenix Cardiac Surgery in Phoenix, Arizona, agreed to pay the U.S. Department of Health and Human Services (HHS) $100,000 and implement new security measures in 2012 after an Office for Civil Rights (OCR) investigation found that it had violated HIPAA rules, according to HHS. In the OCR investigation, which lasted more than three years, investigators found that the practice had been posting surgical appointments on a publicly accessible Web-based calendar and had not taken appropriate measures to protect the information.
In addition to potential fines under federal and state privacy laws, practices must take steps to mitigate the effects of the breach, Southrey says. These can include notifying patients, providing credit-monitoring services, hiring a public relations firm, working with an attorney, and contracting with a forensics specialist to trace the source of the breach and recover data for which no other copy exists.
“That’s not to mention the potential lost revenue due to an interruption in business or staff overtime to reconstruct files and recover data,” he says. “And you may lose patients if they come to view your practice as a security risk.”
Many of those costs are covered by cyber insurance up to certain limits (see sidebar), he says. For example, one physician insured with TMLT filed a cyber extortion claim involving more than 6,000 patient records after a hacker demanded several thousand dollars to decrypt his files. After reporting the breach to HHS, the physician received notice of an OCR investigation and a request to provide extensive documentation on his security practices.
“He blew through his $50,000 limit in cyber liability coverage in less than two months,” Southrey says, noting that TMLT now offers up to $1 million or higher in coverage limits. “And he had to continue to pay other out-of-pocket costs, such as installing a new server.”
In many cases small practices are particularly vulnerable to fraud because they do not implement procedures that might prevent errors, says Hempfling. In addition, they lack the resources to dedicate one computer exclusively to banking.
“In smaller offices, one office manager might have full control over online banking and there is no system set up to have a second person authorize big transactions,” she says. “From a banking standpoint, that’s a risk.”
While your employees might be fully deserving of that trust, mistakes can happen, she adds. For example, many cyber crimes involve tricking someone into disclosing financial information.
One of her manufacturing clients fell victim to a fraudulent wire transfer. The client received a phone call from someone they believed to be an employee of a vendor notifying the client that the vendor’s bank account had changed. Hempfling’s client requested a bank verification letter, which was immediately provided and looked legitimate. Trusting that the contact was who they said they were, the finance manager then changed the vendor’s bank account information on the company’s computer system.
“Our bank called the owner and warned him to double check the transaction before verifying it because it might be fraud,” Hempfling says. “But he was in a hurry and OK’d it anyway, trusting that his staff had already done their due diligence.”
Employee training is a critical part of protecting your practice from cyber fraud, says Rebecca Busch, RN, president and CEO of Westmont, Illinois-based Medical Business Associates and a faculty member of the Association of Certified Fraud Examiners. Employees should learn how to recognize spam emails that appear to be from a payroll company, for example, and not to open or download programs from unknown sources that could be malicious software giving criminals access to the practice’s records.
Cyber criminals might also install “ransomware” on your computer, which prevents you from accessing your data unless you pay a fee to unlock it. Such incidents led TMLT to add cyber extortion coverage to its medical malpractice policies.
“Cyber extortion can be devastating from a revenue perspective,” Southrey says. “If you can’t access your data, how do you do your billing or conduct your patient exams?”
Notifications about changes to your bank account should be verified “100% of the time,” Hempfling says. Remember, as soon as the business owner verifies a wire transaction, the money is sent and it is very difficult to reverse the process.
“Consumers always get reimbursed but banks have discretion over whether or not to cover business losses,” she says. Banks are governed by very specific rules relating to check fraud, she adds. For example, the bank is exempt from liability if the business uses a signature stamp to sign a check instead of the account holder’s actual signature.
Mitigation and awareness are critical to protecting your practice from fraud, Busch says. Physicians should inventory where their financial information is stored and have constant access to their financial accounts.
“Your inventory should include any data that has a connection to your banking accounts,” she says. “You need to know when those accounts are accessed and how, and constantly monitor those channels.”
The Texas Medical Liability Trust created the following checklist to help medical practice administrators assess their readiness to combat cyber crime:
Source: Texas Medical Liability Trust