Vulnerability of Employee Medical Data More Evident with the Rise of Cybercrime
Healthcare ecosystem under threat
Anyone with a computer, laptop or mobile device is most likely aware of the major cyber attack that took place in May this year – the WannaCry ransomware. Hitting hospitals, government agencies and other organisations, this attack held 230,000 computers hostage with a ransom demand of US$300-US$600 in bitcoin payments.
Vulnerability of data held
These cyber crimes are neither a myth nor a plot in a Hollywood story. But the lack of protection and the rise in attacks have clearly created more awareness among firms, especially in Asia, about the potential vulnerabilities they face.
Many Asian firms still debate the need for cyber protection or cyber security, and certainly, both insurers and risk management consultants need to constantly engage in dialogue about protection and risk mitigation as well as ensure the necessary insurance protection is afforded.
This makes it very timely for us to consider the vulnerability of employee data held. As firms embark on more digitisation of their human resource functions, and as more and more firms outsource these very functions externally, they have to realise the magnitude of exposure of this type of information on a global level and assess the likelihood of potential attack.
A 2014 Reuters report indicated that, in the US, medical records are more valuable than credit card records. Medical records are worth ten to twenty times the value of credit card details. Increasingly, cyber attacks are targeting the healthcare industry.
The entire ecosystem, from insurers, clients, hospitals and clinics right up to pharmaceutical firms and other medical payors, is affected and, sadly, many have antiquated computer systems that do not use the latest security features. The report went on to say that the data for sale includes names, birth dates, policy numbers, diagnosis codes and billing information.
What is the data being used for?
According to experts who have investigated cyber attacks on healthcare organisations, these fraudsters are using the data to create fake IDs in order to buy medical equipment or drugs that can be resold, or they combine a patient number with a false provider number and file fabricated claims with insurers.
Medical identity theft
What is particularly terrifying about such medical identity theft is that, often, it is not immediately identifiable by a patient or their provider, thus giving criminals years to milk these credentials. Credit card fraud, on the other hand, is dealt with much more quickly – cards tend to be cancelled almost immediately once fraud is detected.
Imagine, for a second, the repercussions of medical data fraud.
Organisations would find their claims costs increasing and premiums paid out would necessarily increase. Worse, employees could sue both insurer and their organisation’s HR department for lack of data protection. It is for this reason that the WannaCry malware targeted a number of players within the healthcare ecosystem.
So what can we do to counter this?
First, being aware of such risks and threats is an important first line of defence. Understand where the data flows, who is using the information and for what purpose such information is used. Standard encryption of these data files is, therefore, important to protect the information.
Second, ensure all parties in your ecosystem are embracing the same. This means the partners who assist in the management of benefits programmes as well as payroll and healthcare partners. This includes insurance companies, brokers and medical third-party providers.
Ask them what level of protection they have and what defence plans they intend on undertaking, and do all of this during the proposal process. These issues are – and should be treated as – vital aspects of any partner selection criteria. The commercial aspects of the proposal are no longer sufficient.
Third, conduct regular audits on your vendors, both from a service as well as an IT security perspective. This should be mandatory. With the increasing reliance on cloud storage and cloud-based solutions, the introduction of new technology and apps, as well as the fact that there are outsourced vendors in the healthcare space, far more rigour is needed to ensure data is not only stored well but protected.
Fourth, consider employing cybersecurity consultants to assist you throughout this process. Look for a cyber insurance policy to protect against financial costs and liabilities often associated with a data breach. The consequences of a cyber attack can be debilitating, both in terms of your reputation and your financial standing. Acting early can, therefore, minimise potential exposure to such threats.
Feel free to contact Marsh Malaysia's local Cyber Risk Specialist, Devakumaran Palnisamy, at [email protected] if you have questions or concerns to raise on the issue of cyber risk.
Marsh is one of the Marsh & McLennan Companies, together with Guy Carpenter, Mercer and Oliver Wyman. This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this article and shall have no liability to you or any other party arising out of this article or any matter contained herein.
Headline image: blue and silver stethoscope, by pixabay.com