Missouri Medicine. 2017 Nov-Dec;114(6):419–423.

Data Integration and e-Commerce Threats Challenging Providers

Christopher A. Budke and John A. Ferguson
PMCID: PMC6139979  PMID: 30228652

The explosive growth of data integration and e-commerce has resulted in new and emerging threats to every service provider, including healthcare professionals. As more procedures and services are integrated with technology, these threats will continue to become more sophisticated and common. Healthcare professionals appear especially vulnerable to these risks as fraudsters presume they have higher incomes, are more focused on patient care than data and e-commerce risks, and have access to large amounts of confidential data. This article provides guidance to healthcare professionals on identifying, avoiding and reacting to these challenges.

Internet Frauds

The 2016 Internet Crime Report published by the FBI’s Internet Crime Complaint Center (IC3) reported the receipt of 298,728 internet crime complaints, with reported losses in excess of $1.3 billion. While these numbers are staggering, the report estimates that only 15 percent of the nation’s fraud victims report their crimes.1 While internet crimes vary widely – including non-payment/non-delivery and lottery/sweepstakes schemes, investment frauds, government impersonations, “hacktivist” activities and ransomware – there are certain internet-based frauds that frequently target healthcare professionals.

Phishing/Vishing/Smishing/Pharming

Cyber criminals, who run the gamut from individual mischief-makers to sophisticated state-sponsored entities, most commonly break into networks to gain access to sensitive data. In some cases they instead lock the data on a victim’s computer, typically by encrypting it, and demand payment before the ransomed data is decrypted and access is returned to the victim. Professional service providers, including healthcare organizations, are increasingly targeted as hackers attempt to exploit providers’ fiduciary responsibility to protect sensitive data and the consequences for failing to do so.

Phishing

This is defined as the fraudulent practice of sending emails purportedly from reputable companies to induce the receiver to reveal protected and/or private information. According to Alan Paller, director of research at the SANS Institute, 95 percent of all attacks on enterprise networks gained entry through “spear phishing,”2 sophisticated phishing attacks that are carefully targeted to give the appearance of being sent by an acquaintance. Because the fraudster must understand the departmental and leadership structures of victim companies, these attacks may indicate an existing compromise of a company email account.

Spear phishing attacks are difficult to detect because the fraudulent email appears to be from a trusted sender and is designed to induce the receiver to respond in an otherwise appropriate way. Phishing attacks commonly attempt to induce the receiver to click on a hyperlink that, if clicked, downloads a Trojan designed to bypass security software and allow access into networks. They may also seek to induce the recipients to provide passwords or other sensitive information, or to induce the transfer of funds. These sorts of attacks often lead to ransomware or extortion demands.

Vishing

Similar to phishing, vishing involves the fraudulent practice of making phone calls or leaving voicemail messages purporting to be from reputable companies in an effort to induce individuals to reveal protected information or take other actions compromising the security of their personal information and accounts. Instead of exploiting a victim’s lack of data security awareness, these fraudsters will utilize social engineering techniques to gain the trust of victims to induce their desired actions.

“There are only two types of companies: those that have been hacked and those that will be.”

Robert Mueller, former FBI director

Smishing

Also known as SMS phishing, this type of attack targets mobile phone text messaging. Like email phishing attacks, these text messages often contain hyperlinks designed to download a Trojan that can bypass mobile phone security settings.

Pharming

This is defined as the fraudulent practice of directing internet users to illicit websites that mimic the appearance of legitimate websites in order to obtain protected and private information. Healthcare professionals must be vigilant to ensure they are using legitimate third-party websites before transferring confidential and protected information.

Data Breaches

The question is not if your medical practice will experience a data breach as a result of cyber-criminal activities, but when. Thus, it is crucial that your practice be alert to possible intrusions and prepared when they inevitably occur.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that healthcare providers, and their business associates, secure Protected Health Information (PHI) from unauthorized use and disclosure by implementing reasonable and appropriate physical, technical, and administrative safeguards. In today’s digital world, this is challenging. In 2016, more than 16.4 million patient records were exposed in the 329 healthcare data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).3 In contrast, 18 breaches and 134,773 compromised records were reported in 2009, when OCR first began collecting data.

Human error, primarily carelessness, on the part of office employees and other insiders is estimated to be responsible for nearly 60 percent of breaches. Laptop computers containing patient information are left in cars and stolen; documents are sent to the wrong recipients. Employees also commonly unlock the data-security door by clicking on phishing emails.

Traditionally, hackers sought to steal personal patient data that could be sold to identity thieves. This data was used to file fraudulent medical claims and prescriptions, or used to create spear phishing attacks. However, the criminal activity has evolved due to a severe decrease in the monetary value of medical records on the black market. In 2012, the World Privacy Forum estimated the value of a single medical record on the black market to be near $50. In its most recent healthcare cyber breach report, TrapX Security estimated the current value of a medical record to be as low as $10.4 Ironically, this decrease in value is thought to be due to an increase in availability of medical records since the 2012 study. As personal identifying data has become widely available on the “dark web,” hackers have changed their focus from stealing individual identities to targeting businesses to exploit the fiduciary duty of healthcare entities to protect patients’ health information. After gaining access to a computer server, the hackers use intrusive ransomware designed to seize control of data and encrypt it, denying access to the rightful users. Alternatively, the hackers download files and threaten to publish the data unless a ransom is paid, usually in untraceable bitcoin.

Be Prepared

The best defense against data breaches is a good offense. There is nothing to gain – and much to lose – by ignoring the risks until after a breach is detected.

It is important to realize that data security is not purely an IT function, and that data breaches do not necessarily result from attacks stemming from outside the organization. Because employee ignorance and negligence are a primary cause of breaches, education is critical in safeguarding your data.

Employees should be trained to be suspicious of phishing emails, to always ask questions, and to be aware of the hazards involved in using, storing and transferring sensitive data. Additionally, employees should be advised that the use of social media can cause complications and lead to accidental disclosure of PHI. Employee social media policies should be reviewed, revised and clearly posted to avoid having employees accidentally disclose PHI, and other sensitive data, through photos and live streams (e.g., Facebook Live and Periscope). Corporate compliance programs must include regular data risk assessments covering hardware, software, employees and backup services; proactive data security education of employees; behavior monitoring systems; and data breach response plans.

If your practice doesn’t already have a data security policy in place, enlist aid to draft one. Review and update the policy frequently, and encourage team members to refer to it often.

It is also important to assess existing security risks. Start by evaluating your computer system. It may be vulnerable to hacker “bots” that roam the internet, looking for servers that are running with outdated software or on unregistered operating systems that do not receive security updates. Because it is inexpensive to add digital storage, organizations may add new storage without disconnecting older insecure servers, allowing hackers to access data still stored there. Other areas of vulnerability include unused websites and patient portals, unencrypted mobile devices and the data disposal process.

What Qualifies as a Breach?

Physicians are required to report data breaches to state and federal authorities. However, not every inadvertent disclosure of PHI is legally a data breach. Under HIPAA, a breach is, generally, an impermissible use or disclosure that compromises the security or privacy of the PHI. An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;

  2. The unauthorized person who used the PHI or to whom the disclosure was made;

  3. Whether the PHI was actually acquired or viewed; and

  4. The extent to which the risk to the PHI has been mitigated.5

Covered entities and business associates, where applicable, have discretion to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

Although any ransomware attack is presumed to be a reportable breach, other incidents may not be so clear-cut. If an employee accidentally sends an email to the wrong person, a forensic investigation may determine the file was never opened or copied; hence, no breach occurred.

The definition of data breach varies by state. Missouri law describes a breach as the unauthorized access to personal information maintained in electronic form that compromises the security and integrity of the data.6 Determining whether your incident satisfies this test is a decision best made with the assistance of legal counsel, as the penalties for a misstep can be severe.

Missouri law specifically forbids a private right of action;7 however, hefty fines may be levied by the OCR and by state governments for improper breach response. These fines may add up to hundreds of thousands of dollars.8 Additionally, the Secretary of Health and Human Services is required to post a listing of breaches that affect 500 or more individuals on its website,9 and the resulting media reports can lead to uncomplimentary PR. Irate patients and the cost of supplying free credit monitoring to those whose information has been compromised are other possible negative impacts of a reported breach.

It should be noted that although HIPAA and Missouri data breach laws do not provide a private right of action, negligence claims that use HIPAA as the standard of care, and private causes of action under state consumer protection laws, have been used successfully to sue offending entities. For example, the Supreme Court of Connecticut has ruled that a patient may sue a provider for negligence using HIPAA as the standard of care. The court asserted that “neither HIPAA nor its implementing regulations were intended to preempt tort actions under state law arising out of the unauthorized release of a plaintiff’s medical records.”10

Similarly, two federal District Courts in Missouri have held that HIPAA may be used to establish a standard of care against which to judge a defendant’s actions and a legal duty of care in a Missouri “negligence per se” claim. In both instances, the District Court was determining whether the federal or state courts had jurisdiction because, if the cases were tried in federal court, HIPAA’s lack of a private right of action would take precedence.11 Similar claims have been brought to state courts in Indiana, North Carolina, Utah and West Virginia. Healthcare entities should review state case law and court decisions to see whether there is precedent in their jurisdiction for allowing HIPAA to be used as a standard of care in tort and negligence cases where PHI is involved.

Furthermore, audit controls are absolutely mandatory. The lack of these controls can set a covered entity back millions of dollars.12

There’s Been a Breach … Now what?

When PHI is compromised or lost, the response must be immediate and synchronized to minimize the confusion and cost that can occur in rapidly unfolding data breaches.

Compliant incident response should include:

Incident Investigation

Forensics experts look for digital “fingerprints” in computer hardware and software. The collection and preservation of forensic evidence must comply with evidentiary standards and regulatory and contractual mandates.

Coordination with Law Enforcement

Although initial reactions to a breach include outrage and a desire to see justice served, notifying law enforcement may not be in the organization’s best interests. Healthcare entities must consider what an FBI investigation could mean for their practice. Some hackers threaten to retaliate if the breach is reported to third parties. Whether, when and how to report the breach to law enforcement is a business decision that must be made with care with the advice of counsel.

Collaboration with Public Relations Professionals

A PR plan can help contain damage to an organization’s reputation that may result from large breaches.

Assessment of Liabilities

Service providers, vendors and other business partners may bear partial responsibility for the breach. Their roles must be analyzed and quantified.

Insurance Coverage

Traditional insurance policies are unlikely to cover data breaches. Where cyber liability policies are in place, they may carry multiple exclusions and stipulations, and should be reviewed carefully for adequate and necessary coverage.

Breach Notifications

Federal and state regulations mandate that affected patients and government agencies be notified if information has been compromised. Depending on the number of individuals involved, this can be an onerous and expensive task. Generally, Missouri requires that each affected individual be provided with a written account of the nature of the event, the type of information that is at risk, a telephone number for further information, and contact information for consumer reporting agencies.13

Litigation Defense

In the wake of a breach, healthcare providers may be hit with subpoenas and investigatory demands, or, depending on the geographic reach of your practice, out-of-state class action or individual lawsuits. Such claims can strain the resources of a practice of any size.

The best time to think about your organization’s response to a data breach is before the breach occurs, not after. A compliance audit can be invaluable in helping establish security controls that help prevent breaches, as well as determining your legal obligations and next steps when a breach occurs.

E-commerce

Healthcare professionals can become targets of credit card fraud, as either credit card account holders or when accepting credit cards as payment for services provided. The risks associated with credit and debit cards vary, depending on whether you are the account holder or the merchant.

Liabilities for Credit and Debit Card Account Holders

Generally, federal laws and individual bank policies limit an account holder’s liability for unauthorized charges. However, these limitations vary depending on the type of card used, whether the card was stolen, whether the account number was used by phone or internet, and the timeliness of notification to the card issuer.

Credit Cards

Federal law limits the liability of holders of credit cards to not more than $50 for unauthorized use only if:

  a. the card is an accepted credit card;

  b. the issuer gives the cardholder adequate notice of the potential liability;

  c. the card issuer has provided the cardholder with a description of a means by which the card issuer may be notified of loss or theft of the card;

  d. the unauthorized use occurs before the card issuer has been notified that an unauthorized use of the credit card has occurred or may occur; and

  e. the card issuer has provided a method whereby the user of such card can be identified as the person authorized to use it.

This limit of liability requires the account holder to notify, or at least attempt to notify, the card issuer of the loss or theft of the card once the holder becomes aware of the loss or theft. If your credit card account number is used fraudulently by phone or internet, you have no liability.14 Often banks and card issuers have policies and agreements under which this $50 liability risk is waived. It is important to understand the card agreement and comply with the issuer’s conditions.

Debit Cards

With ATM and debit cards, you must act quickly to avoid full liability for unauthorized charges when your card is lost or stolen. The Electronic Fund Transfer Act limits your liability to $0 if you report the loss or theft of the card immediately and the card has not been used. Your liability can increase to $50 if you notify the bank within two business days after you realize the card is missing. Failure to notify the bank within two business days increases your liability to $500. Failure to notify the bank within 60 days after your bank statement is mailed to you will eliminate any cap on your liability.15 Again, individual bank policies and agreements may eliminate some or all of these liabilities, but it is important to comply with the established conditions.

Merchant Liability for Credit and Debit Card Fraud

On October 1, 2015, the nationwide adoption of EMV (Europay, Mastercard and Visa) chip cards and the accompanying processing technology introduced a major shift in who must shoulder the cost of credit and debit card fraud. Liability for unauthorized transactions has generally shifted to whichever party has the lowest level of security. Merchant liability largely depends on whether an unauthorized transaction involved an EMV chip card or a non-EMV card, whether the card number was used online, and whether an EMV chip card was swiped at a merchant that is not EMV compliant. If all parties involved have upgraded security, then the card issuer would likely reimburse the consumer and the merchant would shoulder no liability. It is perhaps best explained using specific scenarios.

Stolen or lost EMV chip card is fraudulently used at a merchant not EMV chip compliant

In this scenario, the merchant would likely be determined to be the party with the lowest level of security and would shoulder the liability for the fraudulent use.

Magnetic strip data is copied from an EMV chip card onto a counterfeit card and used at a merchant not EMV chip compliant

Again, in this scenario the merchant would likely be determined to have the lowest level of security and would likely shoulder the liability for the fraudulent use.

Stolen or lost EMV chip card is fraudulently used at a merchant EMV chip compliant

The card issuer is likely to shoulder the liability for the fraudulent use.

Stolen or lost EMV chip card or magnetic strip card is fraudulently used by phone or internet

The card issuer is likely to shoulder the liability for the fraudulent use.

As with credit and debit card account holders, merchants should review and understand the agreements they have with their payment processing company to ensure they understand their liability risks.

Conclusion

As complex technology plays a more vital role in healthcare facility operations, a data breach becomes increasingly likely, either through user error or third-party cyber attacks. These attacks against hospitals and medical organizations are still driven by the potential monetary rewards through the sale of the medical records or imposing a ransom on locked data. It is vitally important for healthcare organizations, no matter their size and complexity, to take a proactive approach to data security. This includes the implementation of technological, physical and administrative safeguards. Most importantly, all employees and contractors should go through data security training appropriate to their individual role, with refresher courses taking place on an annual basis. Technology can be beneficial to the efficiency of an organization, but it can also create certain risks. It is crucial that these risks are identified and prepared for as early as possible.

Biography

This article was written by former FBI Special Agent and firm special investigator Christopher A. Budke, (left), in the Kansas City office and associate John A. Ferguson, (right), in the Dallas office of Husch Blackwell. The information contained in this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and readers are urged to consult their own attorney concerning their specific situation and specific legal questions.

Contact: Christopher.Budke@huschblackwell.com; John.Ferguson@huschblackwell.com


Articles from Missouri Medicine are provided here courtesy of Missouri State Medical Association