The recent Inogen data breach, in which hackers were able to penetrate an employee’s email account, highlights the need for healthcare organizations to use multifactor authentication (MFA) to control access and to get robust cyber insurance if they don’t already have it.
Inogen, a Goleta, California-based supplier of portable oxygen concentrators, admitted in a recent filing with the Securities and Exchange Commission that unauthorized individuals had gained access to personal information on 30,000 customers through an employee’s email account.
The information that was likely accessed included names, addresses, telephone numbers, email addresses, dates of birth and death, Medicare identification numbers, insurance policy numbers, and medical equipment rented by Inogen’s rental customers.
The company stressed that the compromised data did not include medical records or payment card information, but it may have included non-public financial information on the company. Inogen said it is providing credit monitoring and an insurance reimbursement policy to those affected by the breach.
Following a forensics investigation, the company has decided to implement MFA for remote email access and provide additional security training to employees.
MFA uses multiple “factors” to verify a person’s identity. Factors fall into three categories: something you know (a password), something you have (a security token), and something you are (a fingerprint). MFA requires at least two factors from different categories before granting access to applications and systems.
MFA is a good security method for healthcare organizations to deploy, if they are not already using it.
“The type of information accessed [in the Inogen breach] looks to be high-level customer information. It looks like financial information and medical information were not accessed. That’s an important distinction because that type of information can trigger a lot more potential reporting obligations,” said Mayer Brown Health Care Co-leader and Cybersecurity and Data Privacy Attorney Laura Hammargren.
“[MFA] is a good security protocol that is widely used in a lot of industries. If a healthcare company can institute that, that is definitely a good [security] measure,” Hammargren told HealthITSecurity.com.
She noted that medical device makers are not usually the target of hackers, since other healthcare targets, such as health insurers and hospitals, usually have more valuable medical information.
“There haven’t been as many breaches of equipment manufacturers. We hear a lot about health insurer breaches or hospital breaches probably because they have so much data that is attractive to hackers,” Hammargren stated.
Inogen said that it had cyber insurance coverage in place for certain potential liabilities and costs relating to the incident, but this insurance was limited in amount, subject to a deductible, and “may not be adequate” to protect against all costs arising from the breach.
Patricia Carreiro, an associate with the law firm of Axinn, advised healthcare companies to get robust cyber insurance if they don’t already have it.
“Cyber insurance should be a part of everyone’s risk planning. Insurance is a very important way of considering risk,” she told HealthITSecurity.com.
“For a lot of companies that end up with data breaches, this can be a death knell for them. You really want to make sure you have the right coverage.”
A unique consideration for healthcare companies when it comes to cyber insurance is bodily injury coverage. While this might not be an issue for a data breach, it could come up in a ransomware attack where a healthcare facility might not have access to medical records needed for treating a patient, Carreiro explained.
“That could be a frightening situation,” she said.
The attorney stressed that companies need to protect privilege when dealing with their insurance company following a breach.
“If you might be sued by one of these people whose information was hacked, then you need to make sure you are preserving your attorney-client privilege or work product privilege,” Carreiro said. “If a company shares information with the insurer, it waives that privilege.”
Healthcare organizations should be diligent and comprehensive with their research as they consider cyber insurance coverage, she concluded.
“You want to figure out what your risks are, figure out what other insurance coverages you have, what other tools you have in place, and then it is all about matching up the pieces, matching your risks with the policies that are out there.”