“The number one issue on the minds of many CEOs and boards is cyberattacks and data breaches,” said Hogan Lovells partner Marcy Wilder. In this hoganlovells.com interview, Wilder discusses three key things health sector clients must do to protect against and prepare for a possible cyberattack.
What is the top cybersecurity concern for the healthcare sector?
Wilder: We know that the health sector is a prime target for cyberattackers, and that cyberattacks are taking primarily two forms. The first is an attack where hackers are looking for data to exfiltrate and sell or use for commercial or political purposes. The second is ransomware attacks, where the attackers find a way into a system, wrap the health information — be it electronic health records or otherwise — in an encryption bubble and require the payment of a ransom in order to provide the decryption tool.
Why is the healthcare sector such an attractive target for cyberattackers?
Wilder: The information itself has a higher value on the black market than user names and passwords or credit card information, which can lose its value quickly once someone realizes that it has been stolen. But health data and health records — if you are looking for medical identity, commercialization, theft, or even blackmail — can be more valuable.
It is also the case that attackers know the health sector is behind on hardening their systems against attacks. There are a lot of older legacy systems in use that don’t have sufficient protections in place, so the health sector is seen as a soft target.
What are the three most important things healthcare companies can do today to protect against and prepare for a cyberattack?
Wilder: The first is to invest in your security framework — that means both in terms of governance and IT tools and capabilities.
The second is to prepare an enterprise-wide breach response plan. By that, I don’t mean an IT recovery plan or a communications plan. I mean an enterprise-wide breach response plan that includes IT and communications but goes beyond that. In a real cyberattack situation, senior executives are going to be involved in making decisions. And the lawyers, human resources, government relations, and the customer-facing team will all have important roles to play. There needs to be a plan in place that takes account of that so the team members know that they are part of the team, what their role will be, and how to contact each other. Two very practical tips: make sure that contact information is up to date and that team members have hard copies of the plan. Depending on the nature of the attack, you may not have access to plans stored on electronic systems.
The third is a tabletop or simulation exercise — in other words — practice. It can be difficult to get the team to commit a half day or a full day to run through a simulation exercise. But the value of practice cannot be overstated. Simulations have a big payoff both in terms of improving preparedness plans and the ability to respond in real time when a cyberattack hits.
Businesses and institutions have a lot of competing priorities and cyberattack preparedness is not first on the list of things to do on a day-to-day basis. It takes leadership to actually explain to the team why this is important.
If a company has not properly prepared, what can it expect following a cyberattack? What are the costs to the organization?
Wilder: The cost to a company that does not prepare and does not respond appropriately can be very significant. A poorly executed response can seriously impair customer trust and brand reputation in addition to the damage it does to the company’s ability to respond to lawsuits and government investigations.
In the health sector, the Health Insurance Portability and Accountability Act (HIPAA) is a driving force and governing statute. The U.S. Department of Health and Human Services (HHS) has been issuing million-dollar-plus fines for failing to comply with the HIPAA privacy and security regulations. Monetary costs come from HIPAA (HHS Office for Civil Rights), attorney general (AG), and Federal Trade Commission (FTC) investigations as well as fines imposed by myriad state agencies including insurance commissioners, public health, and consumer protection agencies. There are also significant costs associated with the filing of lawsuits and class actions stemming from breaches. And beyond these monetary costs, there are reputational costs that are significant, although difficult to quantify.
What is the best approach to developing a tabletop or simulation exercise?
Wilder: For a tabletop or simulation exercise, having the right people in the room is essential, including senior executives. That makes a big difference. Setting up the exercise appropriately is important. For many clients we suggest a specific tabletop for the information security team prior to the enterprise-wide simulation. We’ve found that the enterprise-wide tabletop is more useful after IT has already been through it and taken account of some of the learning.
At Hogan Lovells, we work with the client to understand the business and who needs to be involved in the tabletop or simulation exercise. We do that usually through first helping them prepare their enterprise-wide breach response plan. Leveraging that knowledge, we then draft a cyberattack scenario customized for their institution — complete with roles and questions for each of the team members. We go onsite with the team and walk them through the simulation. After the simulation, we have a debrief session with lessons learned and then provide them with a write-up of those lessons learned for them to implement.
Clients that have been hit with a cyberattack and didn’t practice say they wish they had. Clients that have experienced a cyberattack and invested in a simulation exercise universally say they are glad they did.