BreachExchange mailing list archives

For healthcare companies, data security is a critical test


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Jul 2015 09:02:44 -0600

http://www.beckershospitalreview.com/healthcare-information-technology/for-healthcare-companies-data-security-is-a-critical-test.html

If there was a single day in which healthcare executives, technology
professionals and consumers came to understand the full extent of the
industry's cybersecurity vulnerability, it was January 29, 2015.

That day, Indiana-based insurer Anthem, Inc., discovered it was the victim
of a sophisticated cyberattack allowing hackers to access as many as 80
million names, addresses and Social Security numbers. Simultaneously, 2,200
miles northwest, Washington-based Premera Blue Cross found a similar attack
siphoned up to 11 million of its customers' records, including credit card
numbers, Social Security numbers and information about individual medical
problems.

These data breaches reflect an alarming trend that presents two critical
challenges for healthcare companies to solve. From a technical perspective,
the industry must equip itself with tools and strategies that more reliably
protect patient data from these cyberattacks. At the same time, companies
must develop a more nuanced understanding of how consumers respond to data
breaches in order to build a strategy to address consumers' concerns and
retain as many customers as possible.

A recent TransUnion survey measuring the attitudes of more than 1,200 U.S.
consumers who received medical care at a doctor's office, clinic or
hospital in the past two years offers a window into how consumers expect
companies to respond after a breach. The survey also provided insights on
how companies can expect their customers to react after a data breach.

Perhaps most concerning for victims of cyberattacks, the survey found
nearly seven in 10 consumers would avoid a healthcare provider that has
experienced a data breach. Given that a growing number of companies have
experienced a data breach, and consumers often face a limited number of
options when selecting providers and insurers, the ability to avoid
companies that were hacked will not always be feasible. But the share of
individuals who say they would actively seek alternatives based on data
breaches should be a caution to healthcare executives.

The impact of cyberattacks on consumer attitudes appears even more
worrisome when separated by age group. TransUnion's survey found that 73
percent of patients ages 18 to 34 are likely to switch providers following
a data breach. Millennials' notoriously weak brand loyalty and their
apparent impatience regarding privacy intrusions are major considerations
given the value of young people in the healthcare industry.

According to U.S. Census data, more than 80 million millennials recently
entered the healthcare marketplace, and their influence in picking industry
winners and losers goes far beyond volume. Insurers need enough younger and
healthier adults to offset the significant costs of treating older adults.
A Kaiser Family Foundation report found the cost of treating 18-24 year
olds averaged $1,834 per person annually, compared to $2,739 for people
ages 25 to 44 and $5,511 for those ages 45-64. For some healthcare
companies, losing any meaningful number of young consumers could disrupt
the delicate equilibrium that keeps them competitive and solvent.

The survey findings are also instructive for developing a cyberattack
response plan. From the moment a breach is discovered, consumers say they
expect company officials to provide several different forms of support. To
start, individuals in every age group have high expectations for how
quickly companies inform the public of a data breach. Roughly half expect a
response or notification within one day, and more than three in four
surveyed anticipate a response or notification within one to three days.

In the wake of a cyberattack, roughly six in 10 individuals believe the
company should set up a dedicated phone hotline for questions, and a
majority expects a dedicated website to provide consumers with details and
answer their questions. For more lasting support, 72 percent expect
companies to offer at least one year of free credit monitoring after data
is stolen.

These steps are the minimum for responding to a data breach in a way that
maintains relationships and salvages goodwill with customers. Companies
should be prepared to fold the basic customer service elements into a more
comprehensive plan that takes patients through the process of identifying
if their information has been compromised to preventing any corresponding
fraud.

TransUnion's Data Breach Services, which we have built by working directly
with clients and consumers over several years, provides one model for how
these response programs can work. Our three-step system includes a personal
review of each patient's credit file to identify fraud, and the development
of a personalized report and supporting educational materials for patients.
Using TransUnion ID verification, hospitals and health systems can validate
patient information at the point-of-service by comparing patient-reported
data to TransUnion's extensive databases of consumer contact and financial
information. This powerful solution identifies discrepancies in
demographics, enables hospitals to correct patient information and detects
potential fraud or medical identity theft. TransUnion provides templates
and established processes each step of the way, which is particularly
useful in the chaos that follows a major breach.

Perhaps most importantly, based on the survey findings, the service can be
up and running within 48 hours.

With a growing number of privacy-sensitive consumers entering the
healthcare market, and increasingly sophisticated hackers seeking to steal
information, healthcare companies must have a proper plan in place to
protect and recover data in a timely manner. Without a clear cybersecurity
strategy, companies run the risk of losing valuable customers and
experiencing severe reputational damages.

TransUnion's survey provides a broad framework for preventing these
business and public relations disruptions. We are continuing to assess the
success of healthcare companies in protecting and supporting consumers, and
we're eager to develop the next generation of innovative approaches to keep
pace with a challenging new environment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com
