
KPMG: Cybersecurity Breaches on the Rise for Healthcare Payers

Cybersecurity breaches and data security incidents are mounting for healthcare payers, says a new KPMG survey.


By Jennifer Bresnick

Healthcare payers are increasingly becoming targets of cybersecurity breaches, both malicious and accidental, according to a new survey from KPMG.

Cybersecurity incidents resulting in compromised data and HIPAA violations affected 47 percent of providers and health plans participating in the KPMG 2017 Cyber Healthcare & Life Sciences Survey compared to just 37 percent experiencing a security issue in the 2015 edition of the poll.

The negative impact of the ten-point increase is compounded by the fact that cybersecurity has slipped as an executive priority over the past two years.

While 87 percent of board rooms had patient data privacy and security at the top of the agenda in 2015, just 79 percent said it was a high-alert item in 2017.

The number of companies making new investments in cybersecurity has decreased as well, from 88 percent in 2015 to only 66 percent today.


"Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cyber-security risks," said Healthcare Advisory Leader Dion Sheidy.

"There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate. The WannaCry ransomware hack in May was a warning shot against our collective ability to protect patient safety and privacy."

Payers have experienced more than a few additional wake-up calls over the past few years. Chief amongst them was the massive Anthem Health data breach in 2015, which led to the potential exposure of data from 78.8 million members and resulted in a $115 million proposed settlement from plaintiffs.

The breach is suspected to have been an organized attack by a hacker likely representing a foreign power, officials said earlier this year. 

Payers responding to the KPMG survey generally feel ready to combat a similar incursion into their own systems, with 90 percent of participants ranking their readiness at 4 or above on a five-point scale.


Yet 42 percent admitted that someone in their organization fell for a phishing email that resulted in a compromise over the past 12 months, and 18 percent caught an “internal bad actor” accessing off-limits data.

Thirty percent of payers experiencing a compromise ended up with ransomware being introduced to their systems in some capacity, according to the full survey data emailed to journalists. Of those, 40 percent paid to regain access to their data.

The alarm bells – and the fact that 66 percent of incidents occurred due to human error – have resulted in increased technology investments. Close to three-quarters of health plans have bulked up their software, firewalls, and encryption.

Seventy-nine percent of payers said they have also addressed their governance frameworks and data security processes in the past few months, and similar numbers plan to make additional investments in the future.

However, KPMG believes that payers may not be giving adequate attention to ensuring that their staff members are trained in cybersecurity. Only 45 percent of payers have hired or trained staff in security practices, and just 20 percent plan to do so in the near future.


"A solid cyber security program needs people, processes and technology and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach," warned Michael Ebert, leader of KPMG's cyber security group in healthcare & life sciences.

"Software can only protect you so far and staff is important when it comes time to respond to a data breach. The respondents that are not emphasizing staff and processes are underestimating the threats or creating a false sense of security among their management and board."

Payers may wish to take a second look at the strength and size of their data security teams, especially as they continue to increase the amount of data moving back and forth between internal and external systems.

Value-based care and population health management have broadened the data sharing environment, which adds more points of vulnerability as information enters and exits various portals, inboxes, and data warehouses.

Sixty-three percent of providers and payers said that data sharing with third parties is one of their biggest areas of concern, which may indicate a need for more transparent communication both internally and between business partners – especially as 24 percent of respondents said they need a better overarching strategy to address cybersecurity concerns.

As cybersecurity threats continue to evolve, payers should take extra care to be vigilant about safeguarding vulnerable patient data. Investing in technology, training, and governance will be critical for ensuring that data breaches do not expose insurance companies to regulatory violations, financial repercussions, and reputation-damaging incidents that are difficult to overcome.