Bob Gregg is CEO of ID Experts of Portland, OR.
Tell me about yourself and the company.
This is company number five for me in my career. Six if you count my early days as a CPA. Basically I’m a serial entrepreneur that loves to find companies like this that have huge market opportunities and grow them into significant companies that are making a difference.
I love ID Experts because we’re helping out not only the victims of data breaches that are at serious risk of identity theft, but also the companies themselves that are victims of data breaches of all kinds. We’re helping both sides of the equation. We’re helping the corporate entities that had the breach and we’re helping the individuals, whether it’s their patients, their customers, or who knows who they are. We take very good care of them.
How many breaches has the company managed and what findings have you observed from them?
I couldn’t count them. It’s measured in the upper hundreds at this point, possibly over a thousand. We’ve been doing this since 2006.
I guess the biggest change we’ve seen over the years is that a breach two or three years ago involved stolen laptops, thumb drives, those types of things. Now it’s much more serious. We’re seeing everything from organized crime to state-sponsored hacking with massive data breaches, particularly in the healthcare sector.
In the healthcare sector, one out of every two Americans has been breached in the last year and a half, which is pretty stunning. We just did not see breaches of this size and the number of breaches even two to three years ago. We didn’t see anything like it. Now we’re seeing these massive data breaches.
Unfortunately, in the healthcare arena, it’s pretty clear that healthcare is under attack right now from outside hackers.
What can hospitals do to make post-breach digital forensics easier?
The first thing I tell them is, don’t count on not having a breach. Just expect you’re going to have a breach in the near future. Get in place a master services agreement with somebody who is all prepared to take care of it. When you find the breach, you do not want to be scrambling, deciding who you’re going to hire, and how you’re going to approach it. You need to do all of that ahead of time.
Assuming you’ve done that, as soon as that breach information comes to your desk, you get hold of that group. They can get their forensics people in there quick as possible and they can get to that information. What you don’t want to do is over-notify or under-notify. You’ll want to get exactly who the victims of the breach are, then notify as quickly as possible once you have that information.
How hard is it to sift through the electronic trails to determine how many patients were affected?
Unfortunately, there’s no simple answer to that, because every single breach is a customized situation. I can’t think of any two breaches that are even almost comparable. It depends on the nature of their systems and how buttoned up they are.
Some breaches we can get in there pretty quickly, determine exactly which individuals were involved in the breach, and notify within a few days. Other ones are just very difficult because record-keeping isn’t quite what we would like it to be or the nature of the breach is such that there are multiple vectors of how the systems were penetrated. So, there’s no easy answer to that. Every one is in and of itself going to be different.
We have to be a little sympathetic to the provider when they have a breach. We don’t want to leap to our first conclusion. When we get the forensics people in there, we want to button up that process and know exactly who was breached before we notify. That can take some time in many cases.
What trends are you seeing in the technical nature of how breaches occur?
We do a survey every year for healthcare with the Ponemon Institute. We just last year published our fifth annual benchmark study on privacy and security of healthcare data. The big findings of that study were that, for the first time in the five years that we’ve done this, outside intrusion — criminal hacks — were the reason for the breach. That was never the case in prior years. It was lost data, lost hard drives. All kinds of inadvertent things that happened one way or the other.
Now we’re seeing absolute criminal attacks and hacking being the number one cause, which is a huge development. Because as we coach people, if you lose your laptop on a subway, the chances of that laptop being used for nefarious purposes and going after the victim are, in our experience, really very small. If it’s criminally hacked with the purpose of getting that data, the chances that data is going to be used somehow in creating some kind of identity theft or fraud are pretty high. It’s a whole different situation when you get hacked.
What did you think when you heard about the hospital that lost access to its system for weeks due to a ransomware attack?
It’s an emerging threat, no question about it. We’re seeing more and more of it. We always counsel people to immediately get law enforcement involved. Don’t try to manage this yourself, for goodness sake. Get the professionals involved. Make a very thorough evaluation of the risk and the situation that you’re in.
Unfortunately, I have to predict that this isn’t an isolated incident or a few isolated incidents that we’ve seen here. We’re going to see more of these. Again, more and more reasons why you try to button up your systems. But as I said earlier, you have to assume that you’re going to get penetrated or hacked. Some kind of a breach is going to occur and you’d just better be prepared for it when it happens.
Should the average hospital or health system buy cyber insurance? How would that work for them?
I do, but with the caveat that if they do choose to buy insurance, get data breach professionals involved. Companies like ourselves, and there are many others in the industry. Have one of them involved because every one of these insurance policies that I’ve seen is very custom, with all kinds of sub-limits and exclusions.
You could very easily find yourself thinking you’re insured for a particular situation and finding out when you actually read the fine print that this policy excludes that type of situation. Unless you have a lot of experience in the data breach world in how these breaches can occur and what kind of exclusions the insurance companies will put into their policies, you could easily find yourself thinking you’re insured for something that happens, but you’re actually not.
Assuming you do that, I do highly recommend cyber security insurance. You will be hacked or you will lose data and it’s always nice to have some insurance to help pay for that.
Does cyber insurance cover the cost of remediating the breach? Does it cover lawsuits or fines?
There are different types of policies. You can pretty much get your liability covered up to certain limits. They’re all going to have limits. That’s classic insurance. It’s a tradeoff of how high you want to make the limits versus how much risk you want to take as an individual entity.
There are policies available to cover the remediation of the breach, any losses incurred by the breach, even the lawsuit costs, which unfortunately too often happen as a result of these breaches, and the class action lawsuits. We have found that the actual cost of the lawsuits generally far outstrips the remediation, the notification, all those costs. You definitely want to be insured against the legal costs should those occur.
What trends are you seeing with health systems sharing threat information?
What we recommend to people is to watch what’s happening in the financial services world over the last five to 10 years. They follow the track of a lot of what we’re seeing right now in healthcare with criminal hacks and healthcare systems — the actual use of that data for identity theft and fraud and truly having identity victims from these.
These happened a lot in financial services five, six, seven years ago. They did just that. They started coming together and talking to each other. Sharing data on data breaches and the way people got in. They got law enforcement involved. They’ve done a reasonably good job of buttoning up their systems.
Frankly and unfortunately in the healthcare community, the bad guys turned their guns away from financial services and towards healthcare, thinking they are a lot more vulnerable. They haven’t done all the things necessary to protect the data. It’s a lot easier to get data out of a healthcare provider than it is out of a bank or insurance company today. That’s the unfortunate fact. Our recommendation is pay attention to what financial services is doing and follow their lead.
What healthcare IT security issues will be important in the next handful of years?
It’s got to the board level now. We’ve had enough breaches and they’ve been high profile with enough victims involved that virtually every board of directors of a healthcare payer or provider, when they get together, they are now talking about cyber security and their breach risk. Just a few years ago, that was not the case.
The fact that it’s made it to the board room and people are paying attention … we’re seeing a lot more activity. Healthcare entities want to have that cyber security insurance. They want to have a master services agreement with a data breach mediation company on the shelf and completely negotiated and worked out before the breach happens. A lot more systems protection. The CIOs and CISOs at these entities … their whole stature’s being raised up because of the risk that’s involved here.
Good things are happening. Just like it happened in financial services, once the amount of the attacks and the fraud got to the point where it was intolerable, things started happening to fix it. They’ve come a long way. I think the same thing will happen in healthcare.
Unfortunately, I think it will take a number of years before it gets a whole lot better. In those interim years, we’re going to see a lot of data breaches. A lot more remediation that has to be done. I think we’re headed in the right direction. That’s the good news, but it’s going to take some time.
Do you have any final thoughts?
The whole reason ID Experts is in the data breach business is because we were founded on the premise that we want to fix identity theft victims from bad things happening to them. We have a 100 percent track record of doing that. Because of that, that just launched us into the data breach world and launched us into what we call the MyIDCare product, which is all of the things that we do to help people understand and remediate bad things from a victim’s standpoint.
One of the reasons we chose healthcare as a primary market is that healthcare companies care about their customers and their patients. We see that every day. We get excited about that, because when a data breach happens, they step up. Unlike, unfortunately, the credit card companies and the banks sometimes.
These guys really care about these customers and these patients. They want to do the right thing. We like that, because we obviously want to do the right thing for these individuals as well. We make a pretty good team going forward doing whatever it takes to recover these people from bad things happening as a result of the breach.