Insuring business continuity after a cyber attack

Cyber attacks now occur consistently and typically in detectable forms and are concentrated in particular industries: health care, technology, biotechnology, finance, and legal. (1)

Cyber criminals target health care because they want to steal patient health information. A breach of protected health information (PHI) is a daily business risk. And a simple misstep can lead to an expensive breach incident that includes the loss of business income due to a suspension in operations and extra expenses incurred to remediate the breach.

Accordingly, medical practices need strong cyber security, a tested incident response plan, and comprehensive cyber liability insurance. These strategies can help to mitigate an embarrassing and costly data breach.

Business interruption coverage
Ransomware can cause a business interruption. If a practice cannot access its EMR/EHR because the database was illicitly encrypted, and if it is unable to regain access or does not have a data backup and recovery protocol, the resulting downtime could become costly due to lost productivity and the extra expense of replacing the corrupted data.

Some cyber liability insurance policies include coverage for a business interruption loss. So if a practice is partially or totally interrupted by a “covered cause of loss” to its “digital assets” (computer programs or systems), the insurer will pay the projected loss of net income, after a specified “waiting period” and for a specified period of time, plus the continuing expenses to maintain business operations and the extra expenses to help the practice avoid or minimize the suspension. Covered causes of loss typically include accidental damage or destruction, administrative or operational mistakes, and computer crime and computer attacks that cause harm to the practice’s digital assets.

Extra expenses can include overtime pay to staff to restore lost or damaged records and to respond to an Office for Civil Rights (OCR) breach investigation and an extensive Data Request. (If the breach involved over 500 records, the practice must report the breach incident within 60 days to the OCR and to the local media, as required under HIPAA.) In some cases, these extraordinary expenses can be greater than the revenue lost from the business interruption.

It is not unusual after a breach notification for a practice to experience a reduction in income due to a drop-off in patient appointments. In most cases, this reduction is temporary and income returns to its pre-loss level.

Contingent business interruption coverage
More and more practices use cloud computing technology to host their patient and billing data. A practice that is entirely dependent upon a cloud service provider (CSP) to store and access patient information can also suffer an unexpected suspension of operations. If the CSP’s on-demand access is down due to a hardware failure or denial of service attack, this downtime could result in a simultaneous business interruption for the practice too.

Some cyber liability policies also provide coverage for Contingent Business Interruption and Extra Expense, which pays the loss of business income, plus continuing expenses to maintain business operations and extra expenses, due to a suspension in operations caused by a covered cause of loss to the operations of a third-party vendor on whom the practice depends for its own operations. For example, this coverage may be triggered by “cloud failure,” defined in one policy, in part, as:

“‘Cloud failure’ means any unannounced and unplanned failure of a ‘cloud service provider’, located anywhere in the world, to provide you access to the computing resources described in a ‘vendor agreement’ within the parameters described in such ‘vendor agreement.’” (3)

Business continuity coverage
A medical practice’s failure to properly safeguard its PHI from unauthorized disclosure may also result in lasting harm to the practice’s reputation. As one commentator noted, “You can back up your data, but you can’t back up your brand.” (2)

Some cyber liability policies also provide business continuity coverage for reputational harm resulting from a negative media report or notification to affected patients following a security or privacy breach. This would pay the projected loss of revenue or what the practice would have expected to earn. This is additional coverage, beyond the insurer just paying the costs for crisis management, such as public relation expenses to mitigate damage to a practice’s reputation.

It is advisable to check with your medical professional liability carrier or with your insurance broker — prior to experiencing a business-altering cyber attack — to determine if your existing cyber liability policy or business insurance includes coverage for business interruption, contingent business interruption, and business continuity. This financial protection may make the difference in keeping your practice doors open in the event of a security breach.

Sources

  1. eSentire. 2017 Q2 Quarterly Threat Report. Available at https://www.esentire.com/resources/knowledge/2017-q2-quarterly-threat-report/. Accessed October 30, 2017.
  2. Sanger M. Protecting your firm from vendor risks. ALM Law Journal. August 2017.
  3. The Hartford. Business income extension for cloud service interruption. (Form 22 41 84 03 16)

HIPAA and the opioid crisis

by Cathy Bryant

On October 27, the HHS Office for Civil Rights issued guidance on how HIPAA allows information sharing to respond to the opioid crisis.

This guidance explains how health care professionals have broad ability to share health information with patients’ family members during certain crisis situations without violating HIPAA privacy regulations.

Current HIPAA regulations allow health care professionals to share information with a patient’s loved ones in emergency or dangerous situations, such as when that patient may be incapacitated due to an opioid overdose. This includes informing those in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety.

Misunderstandings about HIPAA can create obstacles to family support, which is crucial for the proper care and treatment of people in a crisis situation, such as an opioid overdose.

Read the HHS guidance

Cyber security: Back to basics

by Cathy Bryant

It seems ironic that we have a Cyber Security Awareness Month. Given today’s threat environment, every day must be cyber security awareness day. But we do have one, and it is in October. It is a great opportunity to have cyber security awareness conversations with your staff.

Without a doubt, our electronic health information is more at risk than ever. All covered entities and business associates must meet the HIPAA Security Rule to ensure confidentiality, integrity, and availability of electronic protected health information (ePHI).

In the risk assessments we conduct at TMLT, we find that practices are failing to meet the basic requirements of HIPAA security. A recent study found that 73% of medical professionals report having shared their password to allow someone access to the EHR. The Health and Human Services Office for Civil Rights (OCR) offers the following tips for getting back to basics. (1)

Basic cyber security tips

Have a strong password. Make sure you use a strong password (i.e. usually 10 characters or more, including upper case and lower case letters, numbers, and special characters like #$&*). Recent research suggests users could also consider using “passphrases,” which are sentences that may be easier to remember than a very complex password (e.g. “I got a pony for my 8th birthday!”). (2) Do not use passwords or phrases that would be easy to guess, such as a pet’s name or your birthdate. (3)
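The following is an added example, not code from TMLT, OCR, or NIST, showing how the password guidance above could be enforced at account-creation time: a secret is accepted if it is either a complex password of 10 or more characters with all four character classes, or a passphrase; it is rejected outright if it appears on a blocklist of commonly used passwords (the screening that NIST SP 800-63B recommends) or contains an easily guessed personal value such as a pet’s name or birthdate. The passphrase threshold (at least four words and 16 characters), the special-character set, and the short blocklist are assumptions chosen for illustration.

```python
import re

# Constructed stand-in for the large "commonly used or compromised" lists that a
# real deployment would screen against (assumption: a few entries, not a real list).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Assumed set of characters that count as "special"; the page gives #$&* as examples.
SPECIALS = set("#$&*!@%^()-_=+[]{};:'\",.<>/?\\|`~")


def has_all_classes(secret: str) -> bool:
    """True when upper case, lower case, digit and special character are all present."""
    return (any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(c in SPECIALS for c in secret))


def looks_like_passphrase(secret: str) -> bool:
    """Assumed passphrase rule: a sentence of at least four words and 16+ characters."""
    return len(secret) >= 16 and len(re.findall(r"[A-Za-z]+", secret)) >= 4


def _squash(text: str) -> str:
    """Lower-case and drop separators so '03/14/1985' matches 'Fluffy-03-14-1985!!'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_secret(secret: str, user_hints=()):
    """Evaluate a candidate password or passphrase.

    user_hints: personal values that would be easy to guess (pet name, birthdate, ...).
    Returns (accepted, reasons); reasons is empty when the secret is accepted.
    """
    reasons = []

    # 1. Blocklist screen: exact match after normalising case.
    if secret.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")

    # 2. Easily guessed personal values, compared with separators removed.
    squashed_secret = _squash(secret)
    for hint in user_hints:
        squashed_hint = _squash(hint)
        if squashed_hint and squashed_hint in squashed_secret:
            reasons.append(f"contains easily guessed personal value {hint!r}")

    # 3. Either a complex password (10+ chars, all four classes) or a passphrase.
    complex_ok = len(secret) >= 10 and has_all_classes(secret)
    if not (complex_ok or looks_like_passphrase(secret)):
        reasons.append("neither a 10+ character complex password "
                       "nor a 16+ character, four-word passphrase")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed inputs: the page's own passphrase example, a blocklisted password,
    # and a "complex" password built from a pet's name and a birthdate.
    for candidate, hints in [
        ("I got a pony for my 8th birthday!", ()),
        ("Password1", ()),
        ("Fluffy-03-14-1985!!", ("Fluffy", "03/14/1985")),
    ]:
        accepted, why = check_secret(candidate, hints)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {why}")
```

The hint check is what catches a password that satisfies every composition rule yet is still guessable: “Fluffy-03-14-1985!!” has upper and lower case, digits and special characters, but it is the pet’s name plus a birthdate, which is exactly what the guidance warns against.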

Training. Train your staff regularly on important cyber security issues, such as how to spot phishing e-mails and when, and to whom, to report possible cyber incidents in your practice.

Multi-factor authentication. A username and password may not be adequate to protect sensitive information, privileged accounts, or information accessed remotely. As part of its risk analysis, an entity should determine what authentication practices to use to protect its systems and sensitive information. Multi-factor authentication typically includes a password and additional security measures, such as a thumbprint or key card.

Updates and patching. You should update and patch your systems and applications regularly, because updates and patches often fix critical security vulnerabilities.

Lock devices. Limit physical access to devices and lock devices when not in use.

Portable devices. Be cautious plugging a phone, USB, or other portable device into a secure computer or network. Portable storage devices may not be as secure and may contain malicious software that could corrupt your secure network. If the device is needed, be sure to follow your organization’s policies on the use of such devices, which could include prohibitions on the use of personal devices or having IT personnel review such devices to ensure they do not contain malicious software.

Do not wait. Do not wait to report possible cyber security threats to the right people in your organization. Time is often critical during a cyber incident. If you suspect a cyber threat, report it right away.

Cyber security and ePHI

Be aware. Be aware of your responsibilities as a covered entity or business associate under HIPAA. See 45 C.F.R. Parts 160 and 164. Also, be aware of current threats and trends in cyber security, so you can take action and update security measures as needed.

Plan. Covered entities and business associates are required to have security incident procedures and response plans in place, as well as contingency plans to ensure effective, concentrated, and coordinated means to respond to and recover from security incidents. These policies, procedures, and plans should provide a roadmap for response and recovery activities, be approved by management, and be reviewed and tested regularly.

Respond. Once a security incident is detected, immediately take steps to analyze the incident, contain its impact and propagation, eradicate the incident, remediate vulnerabilities that permitted the incident, recover from the incident, and conduct post-incident activities. (4) You should also take steps to mitigate any impermissible disclosure of protected health information.

Report. Breaches of ePHI affecting more than 500 individuals must be reported to the OCR, affected individuals, and the media as soon as possible, but no later than 60 days after the discovery of the breach.

Breaches affecting fewer than 500 individuals must be reported to the affected individuals as soon as possible, but no later than 60 days after the discovery of the breach, and to OCR no later than 60 days following the end of the calendar year in which the breach was discovered. Entities may delay their reporting of a breach if such a delay is requested by a law enforcement official.

The OCR encourages entities to report all cyber threat indicators to federal information sharing and analysis organizations (ISAOs), such as those maintained by the Department of Homeland Security and HHS Assistant Secretary for Preparedness and Response, as well as to private sector cyber threat ISAOs. Do not include PHI in these reports. OCR does not receive such reports from its federal or HHS partners.

Sources

1. U.S. Department of Health and Human Services Office for Civil Rights. Back to basics (basic cyber security tips). Cybersecurity Newsletter. September 2017.

2. For more information, please see Appendix A-Strength of Memorized Secrets from NIST Special Publication 800-63B Digital Identity Guidelines. Available at: https://pages.nist.gov/800-63-3/sp800-63b.html. Accessed October 3, 2017.

3. For additional tips on creating strong passwords visit: https://www.stopthinkconnect.org/tips-advice/general-tips-and-advice.

A self-care resource for health care professionals

by Roxanna Maiberger

Hurricane Harvey’s impact has been catastrophic; historic rainfall has resulted in mass flooding and destruction. (1) Thousands have been displaced from their homes and forced to seek the services of emergency relief providers, including those of health care professionals. Throughout Texas and the nation, images of suffering and despair have evoked feelings of helplessness, guilt, and a sense of being called to action for those watching.

Many health care professionals have been providing care under extraordinary measures to patients in need. It is critical for those providers to take proactive measures in self-care techniques in order to continue providing quality care to patients. This article outlines the concept of self-compassion and lists practical self-care techniques to encourage sustainability for emergency health care service providers.

Self-compassion is a concept researched by Kristin Neff, an associate professor at The University of Texas at Austin. (2) Her research on self-compassion consists of a three-pronged theory involving:

  1. Self-kindness;
  2. Common humanity; and
  3. Mindfulness.

Self-kindness
Health care providers should take an active role in their own self-preservation and sustainability, in order to effectively care for others. Self-kindness is not synonymous with self-indulgence, self-pity, or self-esteem. Rather, it is a concept based on reducing isolation by increasing awareness of the suffering associated with situations that you and others around you may be facing. Positive self-talk is an important aspect of self-kindness.

Common humanity
Common humanity encompasses our collective human experience, and it interconnects the human race. During challenging times, all people face emotional states involving a range of traumatization, suffering, and stress. Acknowledging these various states of mind, as well as our common experience, allows communities to unite, move forward, and begin to heal. The concepts of self-compassion and common humanity provide a foundation for acknowledging and encouraging human connection, a critical aspect of quality patient care.

Mindfulness
Mindfulness includes evaluating the reality of a situation and being aware of any associated emotional and physical impacts. Being mindful, or engaged with the present moment, can create a foundation for effectively navigating difficult situations.

The severity of the damage from Hurricane Harvey is still unfolding. It has been a life-changing event for many. It is important to remember that patients will be prone to mental health concerns (e.g. PTSD, shock, anxiety), physical health ailments, non-compliance with medication due to pharmacy closures, and more. These circumstances will remain an ongoing reality for patients affected by Hurricane Harvey. Maintaining compassionate care for both self and others contributes to patients receiving the care they need, and health care providers effectively engaging in emergency response efforts.

During these difficult times along the Texas coastline and the Houston metropolitan area, many health care providers are being pushed to their limits emotionally and physically. Some self-care tips to encourage sustainability include: (3)

  1. Acknowledge moments of suffering;
  2. Remain empathetic to yourself, as this fosters empathy with others; and
  3. Practice self-compassion as a means to promote quality health care.

Below are additional self-care tips, recommended by the Centers for Disease Control and Prevention that can be used during natural disaster emergency response events. (4)

  1. Know the signs of compassion fatigue and burnout;
  2. Develop a support network/use the buddy system;
  3. Debrief about experiences;
  4. Know that it is not selfish to say ‘no’;
  5. Take breaks and do not work more than 12 consecutive hours;
  6. Have adequate water and food intake.

We appreciate the efforts of our policyholders in providing exceptional care to patients, especially during times of crisis. The well-being of our policyholders and Texas patients is of utmost importance to TMLT.


Sources

  1. Chokshi N, Astor M. Hurricane Harvey: The devastation and what comes next. The New York Times. August 28, 2017. Available at https://www.nytimes.com/2017/08/28/us/hurricane-harvey-texas.html?mcubz=3. Accessed September 8, 2017.
  2. Neff K. Definition of self-compassion. Available at http://self-compassion.org/the-three-elements-of-self-compassion-2/. Accessed September 8, 2017.
  3. Neff K. Self-Compassion: The Proven Power of Being Kind to Yourself. William Morrow. 2011. Available in print.
  4. Centers for Disease Control and Prevention. Emergency preparedness and response. April 15, 2016. Available at https://emergency.cdc.gov/coping/responders.asp. Accessed September 8, 2017.
  5. For information on the symptoms of burnout, here is a helpful article http://www.compassionfatigue.org/pages/healthprogress.pdf.

FDA warns of risk associated with liquid-filled intragastric balloon systems to treat obesity

The U.S. Food & Drug Administration (FDA) has issued a risk alert after receiving five reports of unanticipated deaths in patients with liquid-filled intragastric balloon systems used to treat obesity.

All five reports indicate that patient deaths occurred within a month or less of balloon placement. In three reports, death occurred as soon as one to three days after balloon placement.

At this time, the deaths have not been directly attributed to the devices or to the insertion procedures for these devices.

The FDA recommends that health care providers closely monitor patients treated with these devices for complications and promptly report any adverse events related to intragastric balloon systems.

More information, including how to report an adverse event, is available on the FDA website.