From the Compliance Manager Cyber Attacks: Why Russia and Korea are Targeting Health Plans

September 27, 2022

In light of the security and privacy incidences we hear about in the news on a daily basis, it seems to be a good time to highlight Cyber Security in this quarter’s Compliance Watch. On March 21, 2022, President Joe Biden gave an official statement regarding Russian cyberattacks against the U.S. — making his most prominent alert yet about what he called new intelligence concerning the Putin regime’s plans.

President Biden stated “If you have not already done so, I urge our private sector partners to harden your cyber defenses immediately by implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow. “

On July 6, 2022, the FBI warned of attacks on health plans by North Korea. Recent Ransomware attacks have targeted electronic health records services, diagnostics services, imaging services, and intranet services. According to the FBI, this is because “North Korea works under the belief that health care organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health.”

Many employers are familiar with HIPAA rules. The reality is that they more describe the ends rather than the means of securing Protected Health Information (PHI) and ePHI (electronic records for treatment, diagnosis, prognosis, charges, medicines, or coverage/insurance billing). Today more people are working from home in remote office space on small personal equipment. Data researchers have indicated that PHI is valued at four times other data so Covered Entities or Plan Sponsors need to be ready for these attacks on health plans, TPAs, and other service providers, and be aware of other key issues in the post-pandemic world.

This is possible through enhanced administrative and technical controls. Each plan sponsor should determine reasonable and appropriate measures and work with their Business Associates to review procedures and controls no less than annually. A risk assessment should consider the size, complexity and technical infrastructure for access control along with probability and criticality of potential risks. A health plan should maintain established policies and procedures along with a protocol for reporting of HIPAA incidents. Also, a standard business associate agreement (BAA) needs to be in place with any client or vendor with which sensitive data is shared, transmitted, or exchanged as required to provide services. Training is the final critical element of comprehensive measures to protect the data and avoid any incidences to the plan.

In summary, 2022 carries increasing and unique security dangers. All covered entities should be alert and enforce best practices:

  • Identify – All covered entities and business associates must prepare
  • Protect – Data Security is an on-going process and covered entities should seek assurances from Business Associates
  • Detect – Perform a risk assessment, and if you have already done so, continually review and update the assessment
  • Respond – Implement security tools such as multi-factor authentication and encryption of emails and file transmissions to safeguard protected data
  • Recover – Refresh internal procedures and training to stay updated on recent considerations and trends in technological capabilities

The magnitude of these countries’ cyber capacity is consequential. It is more critical than ever to take protection of data seriously, going beyond awareness to taking active measures. As partners in the Health and Welfare benefits space, we strive to work with all our clients and advisors to enforce the highest standards and provide timely resolution to Security concerns. Compliance is a key focus of our service model. Please do not hesitate to reach out with any questions to or your daily relationship manager with questions.

Michelle Fowler

Privacy Officer and Compliance Manager | Chard Snyder, an Ascensus company