Candid Care: Preparing for a Cybersecurity Incident

Candid Care Ep 11: Preparing for a Cybersecurity Incident

Dive into the latest episode of Candid Care, where we tackle the pressing issues of cybersecurity in healthcare with a fresh perspective. Join M3’s Sara Kekula and Talia Pletcher as they sit down with Sarah Sargent, an attorney specializing in Data Privacy, Cybersecurity, and Technology at Godfrey & Kahn, to explore why no healthcare organization is immune to cyber threats.

From the rise of ransomware to the importance of an airtight incident response plan, this episode is packed with actionable insights to help you stay ahead of the curve. Tune in to learn how to prepare, protect, and future-proof your organization against the evolving landscape of cyber risks. Don’t miss out on the expert strategies that could be your game-changer!

___________________________________________________

Short Description:

Tune in to the latest episode of Candid Care, where M3’s Sara Kekula and Talia Pletcher team up with cybersecurity attorney Sarah Sargent to explore the critical cyber risks facing healthcare. From ransomware to bulletproof incident response plans, get actionable insights to protect and future-proof your organization. Don’t miss these expert strategies!

Podcast Transcript:

Welcome to Candid Care, brought to you by M3. I’m Sara Kekula, M3’s director of senior living and social services practice, along with Talia Pletcher, risk manager at M3, each episode of Candid Care promises to challenge your current thinking about the long-term care industry and introduce concepts to improve your organization and advance the field from executive risks to key strategies. We’ll approach each topic from multiple angles and invite leaders with unique perspectives to join in the conversation.

Please be advised this podcast and the recommendations throughout are not intended as legal advice and should not be used as or relied upon as legal advice. This podcast is for general informational purposes only.

00:45 Talia Pletcher

Today we welcome Sarah Sargent, attorney and member of the Data Privacy, Cybersecurity and Technology practice at Godrey & Kahn. Sarah recently presented on cybersecurity resilience to the attendees of the 11th annual Quality and Risk Summit hosted at our Madison office.

We’ve invited Sarah here today to continue that discussion around cyber security resilience. As we know is very important and press any very pressing topic for all healthcare providers. Thank you, Sara, for joining us.

01:14 Sarah Sargent

Yeah. Thank you for having me.

01:15 Talia Pletcher

Obviously you presented on some wonderful tips, strategies to be resilient, but we also too have seen so many lessons learned from different organizations that have experienced cyber network security, attacks, breaches, incidents, whatever have occurred. So I think that to kind of plays into a little bit of what we’re looking at today and discussing the landscape of where we’re at in healthcare and is it really to cyber network security? So I guess to kind of start off more of a general question, what types of healthcare organizations you see as being the target for cybersecurity or incident attacks, and I guess the question is, is any organization immune to cyber security incidents?

01:57 Sarah Sargent

Yes. So, no organization is immune and I always get this comment or question, well, we’re really small or we don’t have a lot of information or we don’t store a lot on our computers here. So, we’re not a target, right?

And that’s just not true. Anyone can have a cyber security incident, and that’s because cybersecurity incidents can include accidents. You know, you have an employee that emails the wrong thing to the wrong person, or you have an error in software that exposes something that shouldn’t be exposed all of that can be a cyber security incident.

On top of that, you have criminals who they don’t care, really who you are. As long as you’re an organization that might pay money or that they might be able to get money from in some way, they will. They will target you and sometimes the hackers in these cases, they don’t even know whose system they got into until well after the fact, so it can be really any organization of any size, any level of data, really. They’re just looking for how can I get in and how can I make some money here.

03:17 Sara Kekula

It’s kind of concerning, Sara. I think as we talked to a number of industry professionals we can certainly attest to that. We’re hearing there’s an uptick in network security events and incidents is that, I mean, let’s do some, you know, myth busting right now, fact or fiction, is there an uptick in frequency but also maybe the severity of events like ransomware cases, what are you seeing from your chair, what’s coming across your desk?

03:44  Sarah Sargent

Yeah. So I think there is an uptick in ransomware in the last few months especially and there was this downturn of ransomware events, especially when the Ukraine and Russian war broke out because a lot of cyber criminals from those countries were focused on what was happening in their country. There was also some international hacking back and forth between the two countries and so really there was this lull in ransomware, and we saw instead an increase in business e-mail compromise, wire transfer intercept. Things that were a little more simplistic, but now we’re seeing how this bigger push towards ransomware and in addition, we’ve had some federal and international law enforcement agencies going after these groups and we see the FBI has taken down some big groups in the last year or so.

And what happens is that they take down the big parent organization and then all these small ransomware groups pop up. And so now we’re seeing an influx of these new, smaller groups pop up where, you know, we don’t really know their history. There’s even one group that is rumored to be US based and being young US individuals who comprise of it. Again, this is all very much rumors in the security world, but there is a little bit of an uptick in ransomware right now and business e-mail compromise and other forms of incidents have remained pretty consistent, I would say over the last couple of years, where they’re still trying to get payment sent elsewhere sent to their bank accounts by getting into e-mail accounts doing regular phishing emails to try to get into accounts. All of that has stayed pretty consistent.

05:47 Sara Kekula

Yeah, it’s good to know that the environment hasn’t changed too much, but we are seeing the severity cases coming out maybe more often than we had been in recent months. So if we know we’ve got these emerging little pockets of bad threat actors that are coming, you know, as a consequence of maybe the larger groups being dismantled.

You know, help listeners understand what are some strategies or maybe what are the, what are your top three strategies that you would recommend healthcare organizations consider having in place to mitigate the likelihood of a cybersecurity incident from occurring and of a cybersecurity incident post incident. What can they do to protect themselves as much as possible?

06:32 Sarah Sargent

I think my big take away theme is just prepare, prepare, prepare and within preparing for an incident, there are few things that you can do so having an incident response plan. You know if an incident happens, who is our team? Who is going to be helping us through this both internally and externally, and have those folks identified and have it in your plan on what the steps are.

Then as you have that plan and it’s cemented practice, the plan I always say if you don’t practice your incident response plan, you might as well throw it in the trash or burn it because it’s going to do no good. No one is going to know what to do by the time an incident happens and they go dig out the plane and read it for the first time.

And so the way we practice and it’s no response plans is through tabletop exercises. And you can do that either with a law firm or you can do it internally or you can even do it with a security vendor as well if you want a more technically focused one. But there’s lots of different flavors of tabletop exercises, and those are where you run through a mock or a fake security incident and you discuss as a group how you would handle that incident.

And then I would say another huge piece of specifically for healthcare entities is really making sure you’re doing audits on your cybersecurity program that we all want to have good written security policies. So having that written information security plan or with but then we also want to make sure we’re auditing that so HIPAA requires an annual HIPAA risk assessment, but you should also be layering that in with a third-party audit or a penetration test through a security company. And if you’re a smaller organization, maybe you don’t do a third party audit every single year, but maybe you have a cadence of doing it every other year.

Whereas bigger organizations, maybe they do a third party audit every single year in some form, so you really want to make sure you’re auditing your program so that you know where you need to make improvements, and then you execute on those improvements. And so you’re continually improving your security program.

And I would say those three things, table tops. Auditing and having a good incident response plan are all part of the prepare theme.

09:16 Sara Kekula

On the theme of prepare, because I like that. Prepare, prepare, prepare. I literally wrote that down just for what it’s worth. What about employees? You know, I think with all good intentions, you know, we continue to see at least from our end, from the insurance agent perspective is that oftentimes it was an employee error which led to some sort of breach of information or what have you. So what do you recommend in regards to training and education for employees, what can healthcare organizations consider in that regard as part of their prepare model?

09:48 Sarah Sargent

Yes, so training is key. People are always going to be the weakest link in your security program, even if you’re poor or not and that’s because people make mistakes. People get stressed or tired. We’re trying to do something really fast. And, you know, people accidentally click on things, accidentally approve things they shouldn’t, accidentally e-mail the wrong person.

So as far as training, you certainly should have onboard cyber security training. So when somebody’s onboarding, you should have cyber security training. When they start, you know, introduce them to their your policies, your expectations around security, especially with HIPAA, you want to make sure that if their role involves any access to protected health information or Phi they’re getting trained on that aspect.

Then we want to make sure that you have some kind of regular training going on yearly. And that can be a big training or it can be, you know, little incremental training along the way. So “Know Before” is a really popular cyber security training tool that does little videos. There’s other similar tools out there that you can have employees do little reminder videos throughout the year.

And then I think just creating a culture of cybersecurity and so sometimes Cyber Security Awareness Month the we’ll put up little funny posters around our office or just little reminders if there is a big phishing e-mail that goes through just sending an example sometimes to employees and saying like “oh look, this is a really good phishing example you saw,  make sure you watch out for things like this”. You know where people are talking about security. They’re not afraid to report security events. All really important.

And then the last thing you should certainly be doing is sending the phishing testing emails. So having a program where it sends a fake phishing e-mail, you see who clicks on it. If they click on it, maybe they need to go do one of those extra cyber security trainings. That’s becoming really commonplace and is a great kind of reminder tool and also is a good practical point when you know you can show,  “hey, before our regular training, we had plenty of people click after we did a year’s worth of training. We only had two people click or no one clicked.” That’s a great data point to be able to show everybody, hey, like, good job, for improving on that cybersecurity training.

12:40 Sara Kekula

Very helpful. Thank you.

12:42 Talia Pletcher

So obviously you know e-mail phishing games seem to be a big way that threat actors enter an organization, but also to depending on, you know, there’s a lot of employees within organizations that maybe don’t have access to e-mail, but they have passwords that access EHR systems to the electronic health record systems or other platforms within the organization that they may be using to do their day-to-day work, which kind of goes into our HIPAA breach discussion. But if something were to happen, which leads to a HIPAA breach, what should realization do? If they’ve identified that HIPAA protected information has been compromised?

13:20 Sarah Sargent

So the first thing you should do is make sure you’re talking to legal counsel, so there’s specific requirements under HIPAA where you know you think that there might be a breach, and there’s certain exceptions for when you have to provide notice to both regulators, HHS, or to the individual, so a lawyer can help you navigate all of that.

While you’re calling your lawyer, you also want to be making sure that you’re doing any remediation steps. You know if you need to cut off access to something if you need to. You know if somebody accidentally emailed something they shouldn’t have. Asking the recipient to delete it. Those are all immediate steps you can take as you’re doing that, you want to also be reaching out to your attorney and to your other players who might be helping with your with the incident. So that could be obviously your insurance to report a claim that can also be, you know, your chosen security forensic provider if it’s a major issue that you think you might need help with. If you’re seeing signs of ransomware or somebody in an e-mail account.

But those it’s a lot to do all at once, but you really want to get your incident response team in place and start working through that incident response process. And those are kind of the few cute, the key people right away that you want to be pulling in.

14:55 Sara Kekula

And Sara, I think this is so important to mention because you brought this up at the summit, but where should people house their IRP so that they can access it if they don’t have access to their computer system?

15:09 Sarah Sargent

Yes, they should have it printed. They should have a printed copy and the why I have. I have a printed copy of every client I work with. Their incident response plan just printed and in a drawer in my office because you never know. And sometimes that might mean you have it in your work office and in your Home Office. If your role is very key on the incident response plan. But yeah very much don’t just rely on electronic copies.

15:44 Sara Kekula

Yeah, yeah, counterintuitive in this day and age. So yes, that’s really that was insightful advice that you shared. But, you know, one of the things and this is perhaps one of my last questions for you is I always like to take it to the future.

So if you were to look into your crystal ball specifically at the legal and regulatory environment, take us to the future, Sara, like what do you see and what should healthcare organizations, the C-Suite, the boards, et cetera? What do leaders need to be aware of or start thinking about today for the future of network security resilience?

16:24 Sarah Sargent

If I was looking at my crystal ball, I think we’re just going to see more regulation and more legal issues in this area. And I think that’s because we’re seeing these big huge incidents like Change Healthcare that have really impacted the level of care that patients get right, and that’s ultimately as healthcare organizations, we always want to make sure you’re giving that level of care right. And if your systems are down, we’re becoming such an electronic world that it’s difficult to do that care.

So I think the regulators are going to really be focusing in on are we doing enough in the cyber security arena? Are we doing enough to protect patients information and to continue providing care even if a critical vendor is down and we have guidance from HHS that is including more and more information as protected health information like for example, even the fact that I might visit a website of a healthcare organization and look at specific healthcare instructions on that website can be protected health information. For example, the fact that I visited that page so there’s more and more information we need to protect under our healthcare umbrella. So I think we’re going to continue seeing that from the regulatory side.

And then we’re also going to unfortunately I think continue to see lawsuits when there has been major data breaches. You know, I think even here in Wisconsin, we’re seeing a really big uptake in data breach class actions that are being filed locally by a few plaintiffs’ firms almost weeks within a notice. So you give out a notice and then the bam, there’s the class action following and they’re doing that because there’s money to be had and you know they have really cookie cutter complaints that are very easy to file and it doesn’t take that much money to do so.

And they just basically, attach the data breach notice letter and off to court they go. So I think really from an executive and a leadership level really thinking through your cybersecurity risk is both thinking through the regulatory piece of it and also you know the litigation aspect of it.

19:06 Sara Kekula

Sara, I’m so grateful for your time this afternoon. I sincerely appreciate it. I know Talia does as well for sharing your insights and just considerations specific to network security. So thank you again for joining us and we look forward to the next conversation.

19:21 Sarah Sargent

Yeah. Thank you for having me and for raising awareness on cyber security, we can never have enough. So I really appreciate it.

19:31 Sara Kekula

Sara, it’s our love language. We love risk management, especially when it comes to risk management and network security strategy. So thank you.

For listening to candid care brought to you by M3, connect with us at M3 inns.com for access to more resources, more insight and to join the conversation.