Why Health Care Companies Need a Cyber Awareness Plan

Thu, 25 Oct 2018

Written by the following Webster experts: Jordan Arovas, Senior Vice President & Brian Boyd, Senior Associate Counsel & Steven Dow, Senior Vice President

As the industry transitions from paper-based to electronic health records, cybersecurity has never been more critical. HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) is required to follow and comply with the standards it outlines. Failure to comply with HIPAA regulations can involve substantial civil liabilities and potential criminal charges.

A data breach has massive repercussions, not the least of which is the need to reach out to everyone who might be affected. That can be daunting for a giant health care system—and overwhelming for a small practice.

Today, as practitioners relay test results and other critical patient information to colleagues, the opportunity for even an accidental breach is greater than ever. Hackers can use someone else’s data to obtain coverage or even try to access opioids—let alone the damage they can do with credit card numbers.

The newest weapon: Social engineering

Besides all the high-tech, sophisticated ways to attack, hackers now use social engineering—playing upon your staff’s honest, trusting nature. And they’re armed with real information to fake you out.

Fraudsters now have the ability to infiltrate your computers and lie in wait for months. They can see transactions, personal data—a wide range of details that can make their spoofs seem legitimate.

They may pose as one of the insurance companies you deal with, asking what appears to be a perfectly legitimate request: Please verify this information… They may even present themselves as a contact you often do business with. (They’ve been reading your correspondence, so they know who’s who.)

One click later, you’re in their clutches—along with the patients you serve.

The low-tech solution, of course, is to make a phone call to verify the request before you fulfill it. That’s a precaution. But the bigger issue remains: How to protect your organization with a comprehensive strategy.

What to do. And why you should do it today.

Assume for a moment—a terrifying moment—you experience a data breach. Who will you call?

  • Your IT person, to stop the problem
  • Your attorney, to cover the legal disclosures mandated
  • Your insurance agent, to check on your Cyber Liability policy and its specific provisions to cover expenses
  • Your accounting professional, to reconcile critical financial records
  • Your public relations advisor, to control the damage to your reputation
  • Your banker, to guard your accounts against any possible attacks

But the time to bring them together is now—to plan and rehearse a Cyber Awareness Plan that lets you move immediately into corrective action.

It’s not only important to have a plan, but to keep practicing it thoroughly with everyone on your team until the most effective response is almost second nature.

3 Ways your bank can help

First, make sure you set up your banking for alerts—event notifications such as text or email alerts that may flag suspicious activity in your accounts.

Implement fraud services for your account with:

  • Check Positive Pay – comparing the checks presented for payment to your data in your bank’s files—by serial number, amount, and payee name.
  • ACH Positive Pay – identifying potentially fraudulent debits presented against your account. It matches incoming ACH debits against your authorization instructions and allows you to make pay/return decisions online.
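The two matching rules just described, worked through as an added Python example that is not part of the original post and not the bank’s own software: the issued-check file, the ACH authorization list, and every serial number, payee and amount are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IssuedCheck:
    serial: str
    amount_cents: int
    payee: str

def normalize_payee(name: str) -> str:
    # Fold case, punctuation and spacing so "ACME Labs, Inc." and "acme labs inc" compare equal
    return " ".join("".join(c for c in name.lower() if c.isalnum() or c.isspace()).split())

def check_positive_pay(issued, presented):
    # Compare each presented check (serial, amount, payee) to the issued-check file.
    # Returns a list of (serial, decision, reason); anything that does not match is an
    # exception the account holder must decide on, and the default here is to return it.
    register = {c.serial: c for c in issued}
    seen, decisions = set(), []
    for serial, amount_cents, payee in presented:
        if serial in seen:
            decisions.append((serial, "return", "duplicate presentment"))
            continue
        seen.add(serial)
        issued_check = register.get(serial)
        if issued_check is None:
            decisions.append((serial, "return", "serial not in issued file"))
        elif issued_check.amount_cents != amount_cents:
            decisions.append((serial, "return", "amount altered"))
        elif normalize_payee(issued_check.payee) != normalize_payee(payee):
            decisions.append((serial, "return", "payee altered"))
        else:
            decisions.append((serial, "pay", "matches issued file"))
    return decisions

def ach_positive_pay(authorized, debits):
    # authorized: originator id -> maximum amount in cents the account holder has approved.
    # An incoming debit (originator id, amount) is paid only if the originator is on the
    # authorization list and the amount is within the approved limit; otherwise it is returned.
    return [
        (orig, "pay" if orig in authorized and amt <= authorized[orig] else "return")
        for orig, amt in debits
    ]

# Constructed sample data (hypothetical checks and payees, not real accounts)
ISSUED = [IssuedCheck("1001", 125000, "Acme Labs, Inc."), IssuedCheck("1002", 48000, "City Power")]
PRESENTED = [("1001", 125000, "ACME LABS INC"),   # legitimate
             ("1002", 480000, "City Power"),      # amount altered
             ("1003", 99900, "Unknown Payee"),    # counterfeit serial
             ("1001", 125000, "ACME LABS INC")]   # presented twice
```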

Above all, be proactive. Don’t wait until the end of the month to review your banking transactions. And have a regular conversation with your banker about emerging new threats and the newest ways to thwart them. The threats keep changing—so your plan has to keep pace with the latest scams targeting the health care industry.

Start with our comprehensive Fraud Awareness Checklist. It goes beyond the usual “Top 5 Steps” and helps you identify a full range of cyber vulnerabilities. Download it here.

The opinions and views in this blog post are those of the authors, and are not intended to provide specific advice or recommendations for any individual. Please consult your tax advisor regarding your individual situation.

All credit facilities are subject to the normal credit approval process. The Webster symbol is a registered trademark in the U.S. Webster Bank, N.A. Member FDIC.

© 2018 Webster Financial Corporation. All rights reserved.