Every day your organization is at risk when it comes to cybersecurity, but vulnerability isn’t confined within your walls. Third parties associated with hospitals account for 30-40 percent of all data breaches, and identity theft can easily be committed by simply securing an individual’s birth date, gender and zip code. As these basic Protected Health Information (PHI) identifying factors are easily accessible through third-party outlets, your patients’ medical records, drug histories and clinical trials are available to a potential hacker.  

PHI theft is becoming more common and is often linked to benefits and treatment fraud. For example, in 2014, a Missouri child’s social security number and medical records were stolen, resulting in his mother spending months trying to prove her son was never treated for a leg injury from the hospital that had billed her insurance company for treatment.  

In addition to knowing how hackers can breach your system, it is important to understand the liability for those affected by a potential cyberattack. Potential liabilities can include, but are not limited to, the following:
   

• Privacy injury liability results from unauthorized disclosure of sensitive or non-public information. One notable case includes Premera Blue Cross. In March 2015, social security numbers, bank account information, birth dates, addresses, email addresses, phone numbers, and claims and clinical information. Premera is offering the affected individuals two years of credit monitoring, but lawsuits are seeking lifetime credit monitoring as a result of the system hack.  It should also be noted that disclosure of claim and clinical information involves protected health information and therefore, implicates HIPAA violations.
     
• Network security liability results from the inability to access or use computer or information systems, damaging, or even losing, others’ information.
    
• Content liability results from publishing printed materials to an online location. Content liability exposure can relate to disparaging materials, copyright infringement, plagiarism, erroneous advice and even negative Yelp reviews, which result in reputational harm to the organization.
    

Healthcare exposures such as these are not limited to patients, customers and personnel. Your organization’s internal operations are also vulnerable.
   

• You may suffer a loss of business income. The costs to contain damage, stop attacks, implement workarounds, reestablish reputation and pay HIPAA fines could jeopardize your company’s assets.
    
• You could become a victim of electronic theft. Your intangible resources or physical devices, such as laptops and hard drives, are also at risk.
    
• You may be placed under the significant burden of extortion. CryptoLocker is a cyber-extortion malware that demands payment to unencrypt hacked files. Hacktivism, hacking for a politically or socially motivated purpose, recently occurred with Sony Pictures and its film, The Interview. In 2013, North Korea hacked into the sony Pictures system and threatened to erase all valuable information (i.e., scripts, movie clips, etc.) if the film was released.
     

Please visit www.cna.com/healthcare or contact a CNA representative to pinpoint your risk areas that are becoming more and more vulnerable in the context of today’s emerging technologies.