Products & Technology

Hacked: Data Security for HME Providers

Cybercrime damages will reach $6 trillion annually by 2021. Is your sensitive data safe?

• By Joseph Duffy
• Feb 01, 2017

While data security can make for hot headline fodder when it comes to Capitol Hill, it is a ever present day concern for American businesses of all sizes. We’d like to think that the world of hacking and data security breaches occurs in the lofty environs of Manhattan high rises, where large corporations fall prey to sophisticated schemes. But the reality of data security is that hacking and malware attacks impact all businesses and industries, including healthcare.

For any company that collects data, does online transactions or uses third-party vendors, data security has become a major concern. According to CSO from IDG (bit.ly/2ila57J):

• Cybercrime damage cost will hit $6 trillion annually by 2021.
• Cybersecurity spending will exceed $1 trillion from 2017 to 2021.
• Up to 200 billion connected devices will need securing by 2020.

More importantly, healthcare business are ripe targets for some forms of data security attacks, because the information they hold — records on patient health — is so precious and so private. More importantly, healthcare business are ripe targets for some forms of data security attacks, because the information they hold — records on patient health — is so precious and so private. For instance, ransomware, which is malicious software designed to block access to a computer system until a sum of money (or ransom) is paid, has hit the healthcare industry harder than other industries. According to Becker’s Health IT & CIO Review (bit.ly/2jB0A5D), approximately 88 percent of all ransomware attacks are against hospitals.

“Healthcare has become one of the top, if not the top, targets for hackers. Healthcare data is rich with information that hackers can profit from,” explains Jeremy Kauten, CIO and senior vice president of IT, VGM Group, Inc. Kauten is a data security expert who has spoken about the topic to various industries around the world. “Each of those personal data points is valuable on the cyber black market.

“While large businesses such as Target, Anthem and major health systems often make the news media after a breach, the majority of breaches exist in small business,” he says. “Small businesses with less than 1,000 employees do not have the resources to fund a sophisticated IT security budget.

“According to the FBI, ransomware payments alone exceeded $1 billion in 2016,” he continues. “Hackers run businesses that compete for employees with full benefits packages, as well as operate as a standalone hacking entity, or under a legitimate business as a front. Ransomware hackers even offer 24/7 tech support to help those who have paid them get their data back.”

(See “How Big of a Challenge Is Ransomware?” to learn more about how ransomware works, as well as the size of the ransomware threat facing HMEs)

Where Does HME Stand

Stats specific to the HME industry are not readily available, but Kauten says there are several large national HME providers who have had multiple reports of breaches. That said it’s a problem shared by all.

“At Medtrade, I was able to meet with several smaller providers who have experienced similar issues,” he says. “If we look at healthcare practices as a whole, whether it is a chiropractic clinic, a dental clinic, or HME provider, they all have similar valuable data and are not immune to a data breach. Specific to HME providers is that they perform much of their work outside the office, which requires more mobility of patient data and could result in a greater risk than other healthcare providers that may not need the same mobility to perform their patient care.”

“The overall status of data breach preparedness and general understanding of what is at stake with a data breach is most likely pretty bleak,” says Kimberly Commito, director of product management for HME management software company Mediware Information Systems Inc. “Most HME providers are more concerned with the tangible challenges their businesses face with reimbursement cuts, audits on the rise and overall cost of business management.”

Commito says data security is “most definitely” an increasingly important concern as more HME businesses seek efficiencies in operations to contend with the cost of doing business challenges they face.

“Providers must be more efficient in sharing patient data amongst care givers, payers for reimbursement and prescribers to move away from pushing paper and to a more electronic way of doing business,” she explains. “As a result they must become well versed in what is appropriate to share, what should be protected at all costs and what the implications are of a loss of PHI or a data breach of some other sort.

“It has been estimated that 60 percent of data attacks have been on small- to medium-sized businesses,” she continues. “So much of the efficiencies gained by an organization are via the Internet and access to claims status, audit status and eligibility information, etc. This opens up an HME organization to the threat of attack via that access. It is hard to say how many HME providers specifically have been subject to a breach; however, when the statistics say that a business unaware of how to protect itself against such threats are 60 percent more likely to get attacked and are furthermore subject to large fines when this happens, they must begin to put forth effort to protect themselves.”

And these attacks have results beyond the breach, and the negative impact that has on a healthcare business’s reputation and level it trust it has with its patients, referral partners and other business relationships. It can hit the bottom line — hard.

“Breach costs are skyrocketing across all industries, and the fines to companies in certain industries for allowing these breaches are greater than expected,” Kauten explains. “I have seen fines for a breach ranging from $500 to as high as $2,500 (estimated) per record, depending on the multiple governmental agencies involved in the breach related to the fines, fees and notification charges. One provider lost 412 patient records and paid $650,000 in fines alone.

“In addition to fines, there is an expense in alerting patients and the media of the breach. One major expense not often thought about is brand reputation,” he adds. “Imagine trying to get referrals from an Insurance company or health system when it is advertised that they cannot trust your systems. The brand reputation alone and potential lost revenue is likely the most damaging and largest expense to an HME.

Kauten notes that HIPAA and HITECH standards apply to all covered entities, including HME providers, and they are located at 45 CFR 160-164. The HITECH Act requires data breach notification for disclosures of unsecured PHI within 60 days of enactment.

HME Provider Vulnerabilities

So where are providers most open to attack? What about their businesses provides the best opportunities for cyber criminals to get at them? VGM’s Kauten says one of their first problems might be the software services that they are using.

“One of the biggest challenges for companies regarding data security is third-party vendors,” he says. “A recent study says almost 50 percent of data breeches come from a company’s third party vendor.”

That’s a problem for providers, given that so many HME businesses opt to use software as a service (SAAS) offerings to manage segments of their businesses and sometimes their entire busiensses.

“HMEs often use third-party vendors for billing, software, audits, printing, mailings, shipping and for many other outsourced business services,” Kauten says. “So, it is similar to other industries where third-parties will often not hold themselves to the same level of security as the data owner, or they may not be experts in HIPAA requirements and often are a weak link. Specific to HME providers, they are often a third-party as well when an insurance company, health system or other referral source that is sending them patient data.

“When they are third-party they pose a threat to those who send them data,” he adds. “Many referral sources are conducting security audits on HME providers starting with the larger providers and working down to the smaller ones. Providers should start elevating their security systems in order to be prepared for audits by their business partners.”

Kauten also highlights a few other key points of vulnerability: mobility technology, the non-technical side of their businesses, and their people.

The issue of mobile security is creeping up quickly, according to Kauten.

“More and more, work is being performed on a phone, tablet or laptop,” he says. “As technology evolves, remote work is expected to compete in today’s market place and the portability of patient data on these devices is at risk. Many companies have not had time to keep up with technology changes in order to elevate their policies and procedures to handle these devices properly.

“BYOD is a technical acronym for Bring Your Own Device,” he continues. “BYOD is referenced when an employee wants to use their own phone, tablet or computer to conduct work for a company. Many times it is argued that an employee doesn’t want to carry two devices. When this is the case, companies are at risk of what an employee does on a device that the company does not own or maintain security for. This is something that HME providers should address before it happens to them.”

Also, providers need to attend to physical security. We often forget that some of the biggest hacks in recent history began with someone finding useful information after sifting through a dumpster.

“Many companies take time to secure technical items but often overlook the tangible items, such as paper files, access to equipment and the ability for an employee to take pictures of secure software via a smart phone,” Kauten says. “Keep in mind that a data breach doesn’t always mean it took place electronically. Losing patient records during a move or other scenario is just as impactful.”

And in the same way a system can get hacked, so can a person. All it takes is one employee clicking on a shady email attachment to start a whole avalanche of IT trouble.

“Even with all of the proper protection mechanisms, people can be tricked into doing things they shouldn’t do on their computers and phones,” Kauten says, adding that training is critical at his company. “Employee security training is a must. VGM requires all employees to go through security training. We routinely run tests to see if our employees can be tricked into clicking on an email or phone call. When someone is tricked, it normally means they have not completed all of the security training.”

Best Practices for HME Data Security

So how do providers get started when it comes to protecting their data? VGM’s Kauten suggested that providers start with addressing three key aspects of their security: infrastructure, devices and humans.

“The HME provider infrastructure, which comprises computer systems and computer networks, must be protected by proper firewalls, anti-virus software, web filtering, email filtering, access levels and software used to store patient data,” he says. “Normally this is managed by an internal IT department or external IT consultant. Software systems, such as billing software or patient management software, is another element of risk. Most providers use cloud or hosted software and rely on their software vendor for security, which is great, but don’t let it stop there. Your network needs to be able to protect files locally as well as access to your software that is hosted elsewhere.”

Next, each device that connects to a provider’s network is another possible opening, so providers must ensure those devices are secure.

“Phones, tablets, computers and laptops all typically access the infrastructure and at some point contain patient data or access patient data,” Kauten says. “Software updates and proper protection on devices are crucial to protecting data. Many small businesses do not have proper protection on mobile devices, including laptops.”

Next, a provider must focus on its people. Sometimes the issue can simply be bad security habits, other times the issue can be more troubling.

“Unfortunately, the horror stories of data breaches often include employees,” Kautent says. “By simply clicking on an attachment or link in a malicious email, your employees can inadvertently open your business up to a significant financial loss. Another aspect of employees is the temptation to steal or sell valuable data. Background checks, policies and procedures with access levels are necessary to defend against getting breeched from within your own organization.”

Kimberly, director of product management for Information Systems Inc., agrees on the importance of networks being secured by firewalls and encryption.

In addition to ensure assets such as firewalls are secure, or that the right training is implace, Mediware’s Commito says a review of partnerships and BAA agreements should be performed to address any concerns about the handling and sharing of PHI and appropriate compliance with HIPAA regulations.

She offers several bullet points in that regard:

• Make sure you do regular assessments on your networks
• Make sure you educate staff on sensitive data handling, HIPAA and PCI compliance standards
• Ensure that you have a policy in place to address your response to any breach that occurs that includes:
  • Timeframes that are acceptable by which you report the breach
  • Timeframes that are acceptable by which you inform those affected
  • Procedures you will take to address the breach and remediate the problem
  • How you will address continued education of staff in contact with this type of data

“Finally, continuous risk assessment providers are available for the continuous monitoring for breaches and other suspect network activity,” she explains. “One such company, BitSight (www.bitsighttech.com), uses security ratings to monitor events, diligence and user behavior in real-time, so threats and warnings to your network are immediate. You can continuously monitor third-party vendors and even open up portal access to prospective vendors, enabling them to remediate any security issues before connecting them to your network.”

Ongoing Assessment & Training

In addition to reviewing partners’ level of risk Kauten adds that providers should be continuously assessing themselves for potential data security problems.

“HME providers should be creating and updating policies to address newer technologies and the increasing cyber security threats,” he says. “Hiring third-party security experts to expose known threats and best practices is a must for healthcare companies. Companies specialize in ongoing penetration tests where a white hat hacker (an ethical for-hire hacker) will attempt to breach your systems and give you a report of vulnerabilities.

And as new challenges crop up, providers will need to undertake new procedures and train IT staff employees accordingly.

“Training technology staff as well as front line staff is a must,” Kauten says. “Employees who know how to handle situations can protect a company by creating a secure culture. If we compare this to TSA, they are working to educate Americans flying to help keep an eye out for suspicious behavior; employees should be protecting your HME store from suspicious activity as well.”

And then that staff can pass their knowledge, policies and procedures along to the rest of the team to ensure the entire enterprise is secure.

“Our IT Department, along with VGM Education, works to ensure that our employees receive IT security awareness training. We also offer specially tailored training for HME providers,” Kauten says. “The training program includes professionally designed videos that are three to four minutes in length and provide cybersecurity training based off actual security breaches and real-life situations. Each episode is designed to reinforce security awareness and upon completion, each employee takes a quiz.”

Ultimately, how HME providers protect their business and patient data will be an ongoing work in progress. As technology evolves, so will the threats, and so will the responses to those threat. What is clear is that providers must make data security a top priority and start shaping their data security strategies and programs now — before a breach can take place.

This article originally appeared in the February 2017 issue of HME Business.