It’s no secret that recovering from a data breach can get very expensive, very fast.
In addition to lawsuits and legal costs, companies often end up hiring crisis PR firms, setting up call centers to notify affected victims, dealing with insurance costs and taking a big hit to their reputation. After all that, they usually still need to pay for all of the enhanced protections and capabilities that most security experts recommend in the first place.
“Even as we’re talking about a $2.3 million fine and class action lawsuit, the long-term impact is going to be much more costly,” said Catherine Lyle, head of claims for cybersecurity insurer Coalition.
She was specifically referring to an agreement reached between the Department of Health and Human Services and CHSPSC around a 2014 data breach. CHSPSC provides legal, compliance, accounting, operations, human resources, information technology and health information management services for hospitals and clinics across the country on behalf of its parent organization, Community Health Systems. On April 10, 2014, a hacking group later determined to be affiliated with the Chinese government stole user credentials from employees and used it to access company systems through the virtual private network and plant malware.
Ultimately, the group made off with HIPAA-protected personal information for more than 6.1 million individuals across 237 hospitals, clinics and other entities served by CHSPSC. It was one of a string of successful mass compromises of U.S. data carried out by Chinese hackers between 2014 and 2015, who would later go on to pilfer personal data from large health care providers like Anthem as well as government agencies like the Office of Personnel Management later that same year.
The corrective plan with HHS, reached in March but released publicly this week, represents the public sector side of the legal fallout from the 2014 hack. CHSPSC was also hit with multiple civil lawsuits from affected patients that were eventually rolled up into a class action settled in February 2019.
Piling costs
To avoid harsher penalties, CHSPSC had to pay the $2.3 million fine and agree to dozens of specific action items designed to shore up their IT security practices around HIPAA personal data and prevent future breaches. It also needed to submit a new plan for monitoring their networks for review and approval by HHS, and conduct an enterprisewide analysis of security risks and vulnerabilities in any hardware and software that contain, store or transmit HIPAA-related personal information. CHSPSC must also inventory any relevant equipment or applications and conduct annual security assessments to spot new weaknesses.
But there's more.
Within seven months of the effective date, the company had to “review and revise” access controls in place to restrict authorized access to HIPAA-protected data that is “limited to the minimum amount necessary and to prevent impermissible access and disclosure.” Similar reviews and updates were also required for their security auditing process, incident response plans, password management policies and employee training materials.
The company also needs to create an internal reporting mechanism for employees to flag any potential violations of the agreement and promptly investigate reported incidents.
If any of those plans or policies do not meet the government’s criteria or standards, HHS can require specific revisions to ensure they are following best security practices.
The penalties are in part due to a gap of two or three months where the company seemingly failed to take action. The plan states that CHSPSC was in violation of at least five areas of covered conduct, including failure to respond to a known security incident; mitigate, to the extent practicable, harmful effects; and document the security incident and its outcome. The other violations include failing to protect electronic information under HIPAA, to thoroughly assess the risks and vulnerabilities of their systems, do sufficient security auditing and implement robust access controls for their systems.
In a note to the media still up on CHS’ website, Senior Vice President and Corporate Compliance and Privacy Officer Andi Bosshar said the company had instituted a number of new security measures, including “additional audit and surveillance technology to detect unauthorized intrusions, adopting advanced encryption technologies, and requiring users to change their access passwords.”
Email and phone messages seeking comment with media affairs for parent company Community Health Systems were not returned.
Pay now, or pay more later
The fines, civil suits and corrective plan underscore how expensive it can be to recover from a data breach, particularly when compared to upfront investments in cybersecurity that could potentially prevent the breach in the first place.
According to annual research done by the Ponemon Institute and IBM, the global average cost of a data breach in 2020 exceeds $3.8 million. Those averages are even higher within the United States health care sector, where the average cost of response and recovery tops out at $8.6 million.
“The key with a lot of these agreements is you are now consistently in the line of sight of HHS. You’re being audited, you’re being reviewed and if you violate again, you will be hit doubly hard,” Lyle said.
Cyber insurers and research from organization’s like Ponemon consider a number of factors in weighing a company’s risk profile, like how involved the board of directors is involved in breach response planning, whether the organization has a CISO, whether they’ve red teamed defenses, how extensive their data encryption policies are and if they have incident response teams already in place. Other human-centered risks like poor security hygiene, lax password management or access controls, the lack of two-factor authentication or email spoofing protections also impact an organization’s risk.
While the savings can vary across industries and regions, Ponemon’s research indicates that firms with an incident response team were able to save hundreds of thousands or even millions of dollars in total costs recovering from an incident.
“One key area in planning for breach response is to have multiple [incident response] vendors set up in advance, so you aren't scrambling to onboard a new provider when you find out a breach has occurred,” said Rick Holland, chief information security officer and vice president of strategy at risk protection firm Digital Shadows.
The CHSPSC breach pre-dates a concerted push by industry and government to better share information around cyber threats, but Lyle said even today, many companies still don’t know who to call or what to do when the FBI or someone else notifies them of a breach.
“The person that’s receiving the call, the head of IT or the CFO, [typically] have no experience with the FBI, and they have no experience with a cyber incident,” said Lyle. “It can be that it went to the wrong person and they’re not sending it higher up.”