From the 11 million Premera members to the 80 million Anthem consumers affected by a cyber attack, security breaches are on the rise in healthcare, and insurers are just as prime a target as hospitals and physician offices.
According to a 2017 Accenture survey of 2,000 U.S. consumers, one in four have had their personal medical information stolen from technology systems, with 21% citing their health insurer as the location of the breach. Half had to pay approximately $2,500 in out-of-pocket costs per incident, as victims of medical identity theft often have no automatic right to recover their losses.
“Health systems need to recognize that many patients will suffer personal financial loss from cyberattacks of their medical information,” said Reza Chapman, managing director of cybersecurity in Accenture’s health practice. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.”
While consumers typically trust health insurers with their private data up front, all it takes is one mismanaged security incident for them to lose trust and switch plans. Of Accenture’s surveyed data-breach victims, 21% took action by changing their insurance plan.
“Now is the time to strengthen cybersecurity capabilities, improve defenses, build resilience and better manage breaches so that consumers have confidence that their data is in trusted hands,” Chapman said. “When a breach occurs, healthcare organizations should be able to ask ‘How is our plan working?’ instead of ‘What’s our plan?’”
For healthcare organizations looking to do just that, Accenture advises they focus on the following five key efforts:
1. Improving Response Capabilities: In conjunction with improving detection, handle breaches quickly and efficiently, in a way that limits damage.
2. Validating Downtime Procedures: Strive to reduce recovery time to minimize impact on patient care and business operations.
3. Sharing Threat Information: Act on learnings and share them with others. Communicate to consumers the actions you have taken.
4. Re-booting Your Approach: Embrace an end-to-end cyber defense that recognizes a spectrum of threats, minimizes exposure, and identifies and protects high-priority assets.
5. Manage Your Risks: Make targeted cybersecurity investments that will deliver measurable returns and help you build digital trust with healthcare consumers, who are increasingly security-aware.
Improving cybersecurity and response preparedness is the first step to building digital trust, but these improvements and enhanced organizational practices must then be communicated to members early on in the enrollment cycle: by including privacy practice and use-of-personal-information notices in enrollment materials, by sharing digital security investment news via press releases and newsletters, and by outlining secure electronic delivery practices when requesting e-delivery opt-in, then demonstrating them with CMS- and HIPAA-compliant practices. Such communication, followed by demonstration, will let consumers know that data security is a critical corporate initiative and that added login and identity validation layers are there not to add unnecessary complexity but to add security, with enhancements continuously being made to keep pace with emerging threats.
But, as a healthcare communications management company, we know that the protection of member data isn’t limited to the safeguards within the insurance organization itself. Such practices must extend across every player in the member communications management supply chain to create end-to-end cyber defense control.
As an ISO 27001 Certified supplier, we are mandated to conduct weekly change management and data security audits across all departments of the organization while evidencing continuous improvement and effective issue remediation to the official ISO audit team, which annually evaluates and re-certifies our secure information management practices and technology systems. In implementing the stringent practices of the only internationally recognized and annually audited information security management system, data security has become like the oxygen we breathe at Cierant, and has allowed us to identify vulnerabilities across the agencies and print providers that we collaborate with in managing our insurance clients’ member communications programs. When we notice such vulnerabilities, our IT teams work aggressively to put new measures in place for the way data is managed, exchanged and accessed across every partner, from the agency to ourselves to production and on to distribution, in order to create a standardized approach to digital data security that is implemented across all players in the communications management cycle. Having a watchdog constantly assess and enhance the security of their files, and of the high-level data contained within them, across reporting databases, network servers, FTPs and more has made for a stronger insurance organization.
That is why, as health insurers work to strengthen internal cybersecurity capabilities, it is critical that they, at the same time, assess and vet those of the partners they work with to create end-to-end supply chain data security guided by shared practices and objectives.