By Phil Fasano, CEO, Bay Advisors LLC
Just about every cybersecurity report today paints a grim picture of the healthcare industry. According to a recent study published in JAMA, the number of healthcare data breaches increased by nearly 73 percent between 2010 and 2017, and the HIPAA Journal reports that these incidents now occur at a rate of more than one per day in the U.S. alone. At a cost of $408 per breached record (the highest of any industry), data breaches are becoming a seemingly incurable epidemic.
Sadly, this isn’t surprising in the least. I’ve been in the healthcare industry, holding various roles, from CIO to consultant, for more than 10 years, and in that time, there’s been little progress made in addressing this issue. This is due in part to healthcare providers’ reluctance to upgrade legacy systems that reside on non-segmented networks. By exploiting these vulnerable “entry points,” cybercriminals can easily move from one area of the network to another, stealing protected health information (PHI) stored in electronic health records (EHRs) and other data repositories.
The second part of the risk equation involves people. In fact, 58 percent of healthcare data breaches are caused by individuals inside the organization – essentially, anyone with access to patient data can pose a risk. Some of these incidents are malicious, such as an IT team member capturing data through a Remote Access Trojan, or a contact center agent copying down payment card data; others are innocent mistakes. For example, a patient service representative (PSR) may open a malicious attachment from a phishing email, and the resulting malware could spread across the entire organization. Or an overly curious employee may look up the PHI of a celebrity or neighbor. While this seems harmless, it is a clear HIPAA violation and can open the door to further temptation.
As if the everyday outside and inside threats weren’t enough, healthcare organizations must also comply with a wide range of data security and privacy regulations – not only HIPAA (in the U.S.), but also the EU General Data Protection Regulation (GDPR) (if you handle data about individuals in the EU), the Payment Card Industry Data Security Standard (PCI DSS), and a host of varying state laws. I remember how one of my previous employers spent millions of dollars a year on maintaining PCI DSS compliance – so it’s not just HIPAA that takes its toll on these healthcare organizations.
The Vulnerable Healthcare Contact Center
So, where does a healthcare provider, pharmacy chain, insurer, collections agency or other highly regulated entity begin when looking to mitigate this data security epidemic? I suggest starting with your call and contact centers. After all, these customer (or patient) interaction hubs have a wealth of personally identifiable information (PII) flowing through them – from medical records to Social Security numbers to payment card data. This information is pure gold to cybercriminals and fraudsters, who can rake in thousands of dollars on the Dark Web for medical records alone.
Moreover, enterprise contact centers employ thousands of agents and PSRs. It takes just one “bad actor” to slip through the cracks, expose or steal PII, and land the organization on the front page of the news for a massive data breach. Plus, contact centers tend to employ temporary or seasonal agents – many of whom may not be familiar with their company’s security and compliance policies – who therefore have a greater tendency to “go rogue” due to a lack of loyalty to their employer. When I worked at Kaiser Permanente, we had up to 80,000 temporary staff members – including contact center workers, custodians and administrative staff – on any given day. Odds are that not all of these employees were looking to play by the rules.
Additionally, many contact centers are still using outdated processes for collecting PII. For example, 70 percent of global agents say they still require customers to read their payment card numbers aloud over the phone. This practice increases the likelihood of fraud, as an agent could easily copy down those numbers for fraudulent use. Or the numbers may be captured by a call recording system and stored on an inadequately protected server or desktop application, where anyone with access to the recordings can retrieve them.
Curing & Securing the Healthcare Contact Center
With legacy systems, non-segmented networks, outdated data capture practices and the occasional overly curious employee, healthcare contact centers have their work cut out for them when it comes to security. I do, however, have a few pieces of advice to alleviate these pain points.
- Vet Your Staff: I cannot stress enough the importance of conducting thorough background checks on all employees. You must also educate staff – especially temporary or seasonal agents – on security policies and best practices.
- Break the Glass: I suggest implementing “Break the Glass” solutions to raise the alarm if an employee unnecessarily views sensitive patient data. Since we successfully implemented these solutions at Kaiser, I can certainly attest to their viability. Some of these solutions use pattern recognition to automatically alert managers to suspicious activity, such as an employee viewing thousands of patient records a week when peers in the same role view only a few hundred. It is also a good idea to enforce the principle of least privilege (least-privileged user access, or LUA) on all computer systems – agents and other employees should have only the minimum level of access to patient data necessary to do their jobs, so that an unusual lookup is both rarer and easier to spot.
- Segment Your Networks: With segmented networks it is far harder for a cybercriminal who has compromised one area of the business to move into another, and you will also ease the burden of PCI DSS compliance. For example, accepting payments on dedicated terminals that are separate from the systems used for standard business activities, like email, reduces the number of systems in scope for your PCI DSS assessment and keeps the payment environment apart from the systems that handle PHI under HIPAA.
- Remove PII from Your Environment: My final recommendation falls in line with Semafone’s mantra: No one can hack the data you don’t hold. With that in mind, I urge healthcare contact centers to remove as much sensitive data from their environment as possible. Consider dual-tone multi-frequency (DTMF) masking solutions, which shield payment card and other numerical data from agents and call recordings and route it directly to a compliant third party (such as a payment processor), so that only a token or the last few digits ever reach your own systems. These functionalities keep the data out of the hands of cybercriminals and fraudulent individuals, both inside and outside your organization – helping you maintain patient trust and a healthy brand reputation.
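The peer-comparison alert described under “Break the Glass” above, as an added example that is not part of this article and not the tooling used at Kaiser: it parses a constructed EHR audit trail (the line format is an assumption, not any vendor’s), counts record views per user and role over the week, and flags users whose volume sits far outside their role’s peers using a median/MAD robust score, which, unlike a mean-based z-score, is not dragged upward by the very outlier it is meant to catch. It also flags any view of a flagged (VIP) patient by someone outside that patient’s care team. Usernames, roles, patient ids and the log lines themselves are constructed.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed audit-line format (an assumption, not any EHR vendor's actual format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) user=(?P<user>\S+) role=(?P<role>\S+) patient=(?P<patient>\d+)$"
)


def build_sample_log():
    """Constructed week of record views. psr05 is the planted volume outlier;
    psr02 is planted looking up a flagged patient (99001) outside any care team."""
    views_per_user = {
        ("psr01", "patient_services"): 40,
        ("psr02", "patient_services"): 35,
        ("psr03", "patient_services"): 38,
        ("psr04", "patient_services"): 42,
        ("psr05", "patient_services"): 900,
        ("rn01", "nurse"): 120,
        ("rn02", "nurse"): 110,
        ("rn03", "nurse"): 125,
    }
    lines = []
    for (user, role), n in views_per_user.items():
        for i in range(n):
            lines.append(f"2024-03-04 09:{i % 60:02d} user={user} role={role} patient={20000 + i}")
    lines.append("2024-03-05 14:02 user=psr02 role=patient_services patient=99001")
    lines.append("garbled line that the parser must skip")
    return "\n".join(lines)


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def views_by_user(events):
    """Record views per (user, role) over the window covered by the log."""
    return Counter((e["user"], e["role"]) for e in events)


def flag_volume_outliers(counts, threshold=3.5, min_peers=3):
    """Compare each user with peers in the same role using a median/MAD robust
    score (the Iglewicz-Hoaglin modified z-score). Returns {user: details}."""
    by_role = defaultdict(dict)
    for (user, role), n in counts.items():
        by_role[role][user] = n
    flagged = {}
    for role, users in by_role.items():
        if len(users) < min_peers:
            continue  # too few peers for a baseline; leave this role for manual review
        values = list(users.values())
        med = median(values)
        mad = median(abs(v - med) for v in values)
        for user, n in users.items():
            if mad == 0:
                # All peers identical: fall back to a plain multiple of the median.
                score = float("inf") if n > 5 * max(med, 1) else 0.0
            else:
                score = 0.6745 * (n - med) / mad
            if score > threshold:
                flagged[user] = {"role": role, "views": n, "peer_median": med, "score": round(score, 1)}
    return flagged


def flag_vip_access(events, vip_patients, care_teams):
    """Every view of a flagged patient by someone not on that patient's care team."""
    return [
        e for e in events
        if e["patient"] in vip_patients and e["user"] not in care_teams.get(e["patient"], set())
    ]


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print(flag_volume_outliers(views_by_user(evs)))
    print(flag_vip_access(evs, {"99001"}, {"99001": {"rn01"}}))
```

The threshold of 3.5 is the conventional cutoff for the modified z-score; the fallback when the MAD is zero matters in practice, because small teams with identical weekly counts would otherwise divide by zero or never fire. A production version would aggregate over a rolling window and feed the care-team mapping from the scheduling system rather than a literal.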
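The DTMF masking and data-removal recommendation above, as an added example that is not Semafone’s product code or any vendor’s: the telephony platform delivers keypad tones to a capture object instead of to the agent’s audio path and the call recorder, the agent’s screen shows only asterisks, and on completion the card number is Luhn-checked and handed to a stand-in for the payment processor that returns a token, so only the token and last four digits remain in the contact center. As a related control for the recordings and notes you already hold, it also scrubs Luhn-valid card numbers from stored text while leaving other long numbers (member ids, order numbers) alone. StandInProcessor and its deterministic token are assumptions made so the example runs offline; a real processor returns an unrelated random token, and the test card number is the standard Visa test value.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn check on a 13-19 digit PAN; anything else is rejected outright."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class StandInProcessor:
    """Stand-in for the compliant third party (an assumption for this example).
    A real processor returns an unrelated random token; this one derives it
    deterministically only so the example is self-contained and testable."""

    def tokenize(self, pan: str) -> str:
        return "tok_" + hashlib.sha256(b"demo-only|" + pan.encode()).hexdigest()[:16]


@dataclass
class MaskedDtmfCapture:
    """Receives keypad tones from the telephony platform while the caller types a
    card number. The tones are diverted here instead of to the agent's audio and
    the call recorder, so neither ever carries the digits."""
    processor: StandInProcessor
    _digits: List[str] = field(default_factory=list)

    def on_tone(self, tone: str) -> str:
        """One keypad tone. Returns the masked string shown on the agent's screen."""
        if tone == "*":                       # caller restarts entry
            self._digits.clear()
        elif tone.isdigit() and len(self._digits) < 19:
            self._digits.append(tone)
        return "*" * len(self._digits)

    def finish(self) -> dict:
        """Caller pressed '#': validate, tokenize, and discard the PAN."""
        pan = "".join(self._digits)
        self._digits.clear()
        if not luhn_valid(pan):
            return {"ok": False, "reason": "invalid_pan"}
        token = self.processor.tokenize(pan)
        # Only the token and the last four digits stay in contact center systems.
        return {"ok": True, "token": token, "last4": pan[-4:],
                "agent_view": "*" * (len(pan) - 4) + pan[-4:]}


# Runs of 13-19 digits with optional space/dash separators, as they appear in
# transcripts and agent notes when a caller reads a card number aloud.
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){12,18}\d")


def redact_pans(text: str) -> Tuple[str, int]:
    """Scrub Luhn-valid card numbers from stored text; other long numbers stay."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return "[PAN REDACTED]"
        return m.group(0)

    return PAN_CANDIDATE.sub(repl, text), count


if __name__ == "__main__":
    capture = MaskedDtmfCapture(StandInProcessor())
    for tone in "4111111111111111":           # constructed input: standard Visa test number
        print(capture.on_tone(tone))
    print(capture.finish())
    print(redact_pans("card 4111 1111 1111 1111, member id 123456789012345"))
```

The point of the design is that the PAN exists only inside `finish()` for the duration of one call to the processor; it is never written to a screen, a recording, a database or a log, which is what takes the agent desktop and the recorder out of PCI DSS scope. The Luhn check in the redaction step is what keeps false positives down: a 15-digit member id fails it and is left untouched.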
While the healthcare industry has a long way to go in addressing its data security epidemic, organizations can get started today by addressing risks in their contact centers. Once these patient interaction hubs are secure, you can apply similar techniques and best practices to other areas of the business.
Need more guidance? I recommend taking a look at Semafone’s eBook, “Faces of Healthcare Fraud.”
Phil Fasano is a Fortune 500 Board Level Advisor, C-Suite Corporate Executive and IT Visionary with more than 20 years of experience in the healthcare, financial services, technology and insurance industries. Currently CEO at Bay Advisors LLC, a strategic advisory firm he founded, Fasano is an influential voice in the push to evolve how companies create, market and use transformative technologies. Previously, Fasano served as the first Global CIO responsible for technology operations at American International Group (AIG), where he worked as a part of the Executive Leadership Team and served as Chairman of the Board of Directors for the Technology Services company at AIG. Prior, he served as CIO and EVP at Kaiser Permanente where he drove the turnaround of technology capabilities and oversaw all central operations.