There’s a good reason why cybersecurity is ranked extremely high on the priority list of Trey White, CPA, and other controllers and chief accounting officers in the healthcare sector.
According to a report from the Identity Theft Resource Center and CyberScout, 376 (34.4%) of the 1,093 data breach incidents reported in 2016 occurred in the healthcare/medical industry. And if that wasn’t bad enough, Becker’s Hospital Review crunched the report’s numbers and came up with these four eye-opening stats:
1. The healthcare sector exposed more Social Security numbers than each of the other four industries [business, education, finance, and government]. In 2016, the healthcare industry exposed a total of 10,486,900 Social Security numbers.
2. The healthcare industry had the highest number of patient records exposed due to employee error or negligence. Throughout 2016, employee error or negligence caused 1,183,893 healthcare records to be exposed.
3. Insider breaches had the biggest impact on the healthcare industry. In 2016, 43 healthcare insider breaches affected 167,263 records.
4. The healthcare industry saw the largest percentage of records exposed due to third party, contractor and business associate-related breaches. Approximately 4,014,923 healthcare records—or 11% of all the industries’ records—were exposed due to third party breaches in 2016.
“Protected health information can be very valuable to a criminal as it includes information such as a person’s Social Security number and address, as well as information about a patient’s recent visits to the doctor, which can be used by criminals to identify themselves as someone else,” said White, vice president, controller, and CAO at BlueCross BlueShield of Tennessee, the state’s largest health benefit plan company.
Five ways to mitigate cyberattacks
While the healthcare industry saw more than its fair share of cyber threats last year, the business sector reported the most data breach incidents in 2016, with 495 (45.3%), according to the ITRC report. In addition, financial losses in the United States due to cyberattacks totaled $1.33 billion in 2016, a 24% increase over the previous year, a report from the FBI’s Internet Crime Complaint Center revealed.
So, what steps have controllers and CAOs taken to prevent the bad guys and gals from winning? In my discussions with three leaders, a handful of key tactics emerged:
1. Have a good relationship with the IT team. The accounting and finance department needs to work closely with IT staff to develop security protocols and initiatives that protect their customers’ and company’s data, according to the controllers I spoke to.
“We rely on our information security team to assist us with security and ensure any and all decisions made from an IT solution standpoint are in compliance with our corporate policies,” White said.
Annette Ramsey, CPA, controller of Intelligent Retinal Imaging Systems, a Pensacola, Fla.-based provider of early detection systems for diabetic eye disease, also stressed the importance of the finance and IT departments being on the same page regarding information security policies.
“That agreement and understanding is the foundation for the right compliance practices to deal with data security and cybersecurity threats,” she said.
It’s also a good idea for controllers to meet with the company’s chief information security officer (CISO) on a regular basis, White recommended.
“The channels used by cybercriminals can change at a rapid pace, so it’s critical for the controller and the CISO to interact in order to ensure that risks are identified and proper security and controls are in place,” he said.
2. Form an enterprise security committee. BCBST’s enterprise security committee (ESC) includes representatives from each of the company’s major lines of business and support functions, according to White.
“The purpose of the ESC is to provide cross-functional oversight and direction of security-related risks,” he said. “The ESC also provides prioritization recommendations to the CISO for security projects and initiatives.”
3. Ongoing employee education is a must. White said his staff is required to complete training sessions on a quarterly basis that focus on IT security, such as common predatory tactics used by attackers and the employee’s role in preventing attacks from being successful.
“Security breaches can be very costly to an organization, so it’s important to ensure that every employee understands the role that they have in the protection of customer data,” White said.
As part of the onboarding process at Litera Microsystems, a Chicago-based document technology provider, new employees are required to read and sign off on IT policies, according to controller Elizabeth Pittelkow, CPA, CITP, CGMA. She also works with outside firms to provide cybersecurity training for her employees, such as live presentations and handouts, and participates in cybersecurity webinars with her team.
She also recommended that controllers and CAOs educate themselves by signing up for email alerts from cybersecurity experts, attending cybersecurity sessions while at conferences, and reading relevant articles.
4. Keep the discussion going internally and externally. How? Perform annual risk reviews, and have weekly conversations with your team about cybersecurity threats, according to Pittelkow.
“Ask vendors what they are doing to protect your data,” she said. “We have discussed cybersecurity with our vendors—banks, insurance company, and audit firm—and they know we care about it and have helped us design anti-fraud controls.”
One anti-fraud control she recommended is verbally confirming outgoing wires with the person who requested them. The FBI estimated that cyber wire fraud, also known as business email compromise and email account compromise, caused $5.3 billion in losses worldwide between October 2013 and December 2016.
“Put a control in place that multiple people need to be involved in approving and transmitting wires,” Pittelkow said.
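The two controls described above, dual approval of wires and a verbal callback to the requester, can be encoded so that a system refuses to release a wire until they are met. The following is an added illustration, not code from the article or from any of the companies quoted; the `Vendor`, `WireRequest` and `WireControls` names, the sample vendors and the phone numbers are all constructed for this example. Beyond the text, it adds two refinements practitioners usually pair with these controls: the callback must go to the number held in the vendor master file (never one supplied in the request email, which is what business email compromise relies on), and a payment account that differs from the one on file is flagged.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class ControlViolation(Exception):
    """Raised when an action would bypass a wire-approval control."""


@dataclass
class Vendor:
    # Data from the vendor master file, captured at onboarding (constructed sample values).
    name: str
    phone_on_file: str
    account_on_file: str


@dataclass
class WireRequest:
    vendor: str
    amount: float
    account: str                       # account the request asks to pay
    requested_by: str
    approvals: List[str] = field(default_factory=list)
    callback_confirmed_by: Optional[str] = None


class WireControls:
    """Hypothetical dual-control and callback checks for outgoing wires."""

    def __init__(self, vendors: Dict[str, Vendor], min_approvers: int = 2):
        self.vendors = vendors
        self.min_approvers = min_approvers

    def approve(self, req: WireRequest, approver: str) -> None:
        # Separation of duties: the requester may not approve, and nobody approves twice.
        if approver == req.requested_by:
            raise ControlViolation("requester cannot approve their own wire")
        if approver in req.approvals:
            raise ControlViolation(f"{approver} has already approved this wire")
        req.approvals.append(approver)

    def callback(self, req: WireRequest, number_dialed: str, confirmed_by: str) -> None:
        # The verbal confirmation must use the number on file, never one found in the request.
        vendor = self.vendors[req.vendor]
        if number_dialed != vendor.phone_on_file:
            raise ControlViolation(
                "callback must use the phone number on file, not one supplied with the request"
            )
        req.callback_confirmed_by = confirmed_by

    def release_check(self, req: WireRequest, releaser: str) -> List[str]:
        """Return the list of unmet controls; an empty list means the wire may be transmitted."""
        vendor = self.vendors.get(req.vendor)
        if vendor is None:
            return ["vendor not in master file"]
        problems: List[str] = []
        if len(req.approvals) < self.min_approvers:
            problems.append(f"needs {self.min_approvers} approvals, has {len(req.approvals)}")
        if releaser == req.requested_by or releaser in req.approvals:
            problems.append("releaser must be different from requester and approvers")
        if req.callback_confirmed_by is None:
            problems.append("no verbal confirmation on file")
        if req.account != vendor.account_on_file:
            problems.append("bank account differs from vendor master file")
        return problems


if __name__ == "__main__":
    # Constructed vendor master data for the demonstration.
    vendors = {"Acme Supply": Vendor("Acme Supply", "555-0100", "ACC-0001")}
    controls = WireControls(vendors)

    # A routine payment: two approvers, callback to the number on file, separate releaser.
    routine = WireRequest("Acme Supply", 12000.0, "ACC-0001", requested_by="alice")
    controls.approve(routine, "bob")
    controls.approve(routine, "carol")
    controls.callback(routine, "555-0100", confirmed_by="acme accounts payable")
    print("routine wire:", controls.release_check(routine, "dave") or "all controls met")

    # A request with a changed account and a "new" phone number: the controls stop it.
    suspicious = WireRequest("Acme Supply", 48000.0, "ACC-9999", requested_by="alice")
    try:
        controls.callback(suspicious, "555-0199", confirmed_by="unknown caller")
    except ControlViolation as exc:
        print("callback refused:", exc)
    controls.approve(suspicious, "bob")
    print("suspicious wire:", controls.release_check(suspicious, "alice"))
```

The important design choice is that `release_check` reports every failed control rather than stopping at the first one, so the person releasing the wire sees the full picture (too few approvals, a self-release, no callback, a changed account) and the audit log records why a payment was held.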
5. Use technology to your advantage. “Integrate technology solutions, such as positive pay at your bank and phishing detection software at your company, to help prevent fraud and cybersecurity issues,” Pittelkow said. “Hire a firm to perform penetration and vulnerability testing to help identify ways to improve your processes. Also, keep software up-to-date, and install vendor software patches as they come out because they help to reduce vulnerabilities.”
Case in point: Had Equifax installed a patch that was available last March, 143 million people wouldn’t have needed to worry about their personal data being stolen by hackers two months later.
And if all else fails, Pittelkow has one more piece of advice for companies: carry cyber liability insurance.
“No business is immune to cybersecurity threats, but if you implement the right controls and culture in your business, you can significantly reduce your vulnerabilities,” she said.