Lessons Learned: Ophthalmology EHR Data Breach
Ophthalmology EHR Compromised
On December 4, 2021, EHR vendor Eye Care Leaders suffered a data breach, specifically of its cloud-based myCare Integrity platform. Eye Care Leaders provides 9,000+ physicians with EHR and PM solutions that are specific to ophthalmology. The security incident allowed unauthorized access to myCare Integrity’s EMR databases (hosted on AWS), followed by deletion of databases and security configuration files.
EHR, EMR, and PM platforms are the foundation of how covered entities operate – so what happens when there’s a security incident that impacts the availability of the EHR that your organization uses? What are the consequences if your EMR vendor exposes your PHI in a data breach?
What Happens if Your EHR is Compromised?
Eye Care Leaders was able to swiftly identify the data breach and restore some of the databases and files from backups. In the forensic investigation, Eye Care Leaders found that, fortunately, the data breach did not allow unauthorized access to its clients’ systems, but patient information may have been exposed – information like patient names, dates of birth, medical record numbers, insurance, medications, and the type of care provided.
Although the breach occurred in December, Eye Care Leaders began notifying clients in March. As of May 2022, the following covered entities have reported their breaches to the HHS OCR, and have confirmed that Eye Care Leaders was the source of compromise:
- Ad Astra Eye: 3,684 individuals affected
- Frank Eye Center: 25,333 individuals affected
- ilumin: 14,984 individuals affected
- Regional Eye Associates, Inc. & Surgical Eye Center of Morgantown: 194,035 individuals affected
- Northern Eye Care Associates: 8,000 individuals affected
- Summit Eye Associates: 53,818 individuals affected
- Allied Eye Physicians and Surgeons: 20,651 individuals affected
- EvergreenHealth: 20,533 individuals affected
Managing Third-Party Risk
When you entrust a third-party EHR vendor with access to your organization’s sensitive data and environment, you must make sure that vendor is doing their security due diligence. What controls do they have in place to protect your data? Do they have as stringent of a security program as you do?
Your internal IT team or managed service provider must be prepared to effectively manage third-party risk. Even if a vendor meets compliance standards (HIPAA, HITRUST, ONC Health IT Certification), that doesn’t guarantee that controls won’t fail or cyber attacks won’t be successful.
Cyber Risks within Ophthalmology
The ophthalmology sector, like every other healthcare specialty, is not exempt from cyber attacks. Every healthcare provider of any size can be a target because of the valuable information it can access. In fact, specialty providers are especially attractive to attackers because of their typically small size and limited IT resources. Michael Hamilton, former CISO of the city of Seattle, told ISMG that the trends in 2021 indicated “threat actors are intentionally moving down-market to … clinics and specialty care organizations.”
- January 11, 2021: 20/20 Eye Care and Hearing Care Network notified 3.3 million individuals that their PHI had been exposed through a publicly accessible Amazon S3 bucket.
- January 13, 2021: Cochise Eye and Laser suffered a successful ransomware attack that encrypted its patient scheduling and billing software.
- September 3, 2021: U.S. Vision identified and reported suspicious activity on their network that compromised data.
- September 14, 2021: Simon Eye Management, a chain of eye care clinics, was compromised through unauthorized email access, which was an attempt to engage in wire transfer and invoice manipulation attacks.
These are just a handful of the security incidents reported by the ophthalmology sector last year – but even these examples represent millions of compromised records. What would a data breach cost your organization? Could your ophthalmology practice afford to recover from a successful cyber attack?
If you feel that you need a more effective strategy for managing vendor risk, Dedicated IT is here to help. As a managed service provider that specializes in healthcare, we know how to partner with EHR, EMR, and PM providers and support your security initiatives. Contact us today to get started.
What to Expect from Cyber Insurance Applications in 2022
Applying for Cyber Insurance
Cyber insurance claims have increased as successful cyber attacks have become more frequent, causing insurers to implement a much more detailed and exhaustive underwriting process. The days of quick cyber insurance applications are long gone – so what can you expect in the years to come? How can you provide insurers with an accurate picture of your risk profile?
Applications in the Past
For many years, cyber insurance applications have generally consisted of the same 30-50 questions. Answers were grouped into standard categories like information security, third-party services, risk background, loss experience, and current coverage. This information would help insurers get a grasp on:
- Who is responsible for cybersecurity at your company
- If you are responsible for storing, processing, or transmitting sensitive data
- What technologies are used to protect data, systems, and your environment
- If you have documented policies and processes that address cybersecurity
- Your company’s history of cyberattacks or data loss
- Whether you are in compliance with any industry standards or regulations
These questions were fairly painless to answer and didn’t require much information gathering or collaboration. Even when organizations submitted an application for a high-dollar policy, they could count on insurers not needing to verify much else.
Expect Exhaustive Applications
In 2022, organizations can expect a lot more questions in a cyber insurance application. In addition to the general risk information collected in past applications, the latest cyber insurance applications now include questionnaires about:
- Specific controls that secure data whether it’s stored, processed, or transmitted
- What data backups are in place
- If an organization follows IAM best practices
- Specific controls that protect the network
- Firewall configurations
- Patching cadence
- Cloud security
- Specific controls that mitigate ransomware
- What type of security awareness training is required of employees
- Agreements with third parties or vendors
- Review of specific documentation like Incident Response Plans, Disaster Recovery Plans, and Business Continuity Plans
- Review of annual risk assessment
- Review of audit reports, if applicable
You must be as thorough as possible in your application. Once you submit this information, you may be subject to more extensive questionnaires or even interviews with the team members who oversee your IT, cybersecurity, or compliance programs.
Getting the Details Right
With the level of information now required by underwriters, you can’t assign the insurance application or renewal process to just one person in your company. Who should fill out your cyber insurance application? With the new complexities, it may be appropriate to get input from:
- Internal IT team, IT provider, or managed service provider
- Risk managers
- Privacy officers
- Compliance officers
- Finance department
- Marketing department
- HR department
- Executive team or C-suite
- Board of directors
By collaborating with many different departments in your organization, you give yourself the best chance of success.
With the right guidance and planning, you can renew an existing policy with minimal changes in coverage or fees – but it’s critical that you understand the changes in the industry and how to fill out a detailed application.
To prevent denials or a decrease in coverage, start preparing for your renewal with our self-led security risk assessment. If you’d prefer one of our IT experts walk you through the process, get in touch with us and a member of our team would be more than happy to assist.
6 Myths About Outsourcing IT
It’s Time to Say “Yes” to an IT Provider
Could a managed service provider be the partner you need for IT? Let’s break down the six myths we commonly hear about why companies cannot outsource IT support and management.
“We just upgraded our technology.”
That’s great! A good IT provider isn’t looking to add more to your stack, upsell you, or make IT complicated. Our job is to leverage the technology you already have and make IT run more efficiently. We might even reduce costs by identifying redundant or wasteful technology.
“We already have someone who takes care of IT.”
We love working with companies that value their IT resources. Whether your IT staff is a whole department or just an individual, Dedicated IT can give your IT staff the bandwidth to work proactively on core issues instead of whack-a-mole reactive support. Plus – have you ever considered what it would look like to have additional hands on deck when your team needs specific expertise, takes vacation, or simply feels buried?
“We are too small.”
This is one of the most dangerous approaches a business can have when it comes to IT. Just because you’re small doesn’t mean catastrophic IT issues won’t arise or that you’re not a target for cyber attacks. No matter the size of your business, you deserve an IT partner that helps you prepare for IT time bombs and build a secure infrastructure.
“We don’t have the budget for it.”
The IT budget is a concern for every business, often because it’s an area where it’s easy to overspend. That’s why we’re so focused on providing predictability to IT costs. Within the first months of partnership, we are determined to find ways to stabilize the IT budget – and we have been successful at it!
“Our current IT provider built our infrastructure.”
You’re not stuck with the same IT provider forever – you can make the switch! Our technicians are experts in understanding and upgrading environments, creating a strategy, providing support, and maximizing profits.
“We never outsource anything, ever.”
We get that – but what do you do when you need very specific IT expertise? What happens if a disaster strikes your organization? Working with Dedicated IT isn’t your typical outsourcing experience. We pride ourselves on our ability to integrate easily, as if we were on your staff.
Finding the Right IT Provider to Outsource IT
It’s a tough decision to make the move to outsource IT, but with the right managed service provider, the return could be:
- Deeper insight into IT projects
- Daily tasks completed more efficiently
- Stable and predictable IT costs
- Dependable, high-quality IT support for your staff
Don’t wait until something breaks or someone quits. Contact us today to gain access to our team of in-house IT technicians and support specialists.