Kusserow on Compliance: FBI on cybersecurity—advice and tips

The FBI recently made presentations on cyber security at the Boston Conference on Cyber Security and at the American Hospital Association annual meeting. Key points from these presentations included the following. The FBI is the lead federal agency for investigating cyber-attacks by criminals, overseas adversaries, and terrorists. The FBI takes cyber threats seriously and sees them as a growing problem, as cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Both private and public sector networks are targeted by adversaries for trade secrets, sensitive business data, and private information. Universities are targeted for their research and development. Individuals are targeted by fraudsters and identity thieves. Children are targeted by online predators. The FBI has been gearing up for these threats by enhancing its Cyber Division’s investigative capacity and sharpening its focus on intrusions into government and private computer networks. However, it is struggling against a number of challenges, including finding talented workers in competition with the private sector, and the fact that a majority of cyber-attacks are never reported because the affected parties want to address the problem without getting entangled in an FBI investigation. This hampers the agency’s work. The FBI wants to encourage better reporting, emphasizing that the agency has an interest in protecting private information and data; any internal information it receives will not be used against a provider, which will be treated as a victim. The FBI recognizes that health care organizations are major targets for cyber-criminals, because the sensitive data they collect in droves can be sold at a high price for use in fraud and identity theft. Medical devices are also increasingly becoming a target.

The FBI is encouraging health care companies to share some basic network information with their local FBI offices, before an attack occurs, and to join an information-sharing group with other companies in their industry. The following observations and advice came from the two FBI presentations:

FBI Advice and Tips

  1. People are “weak links” in cyber-attacks, so train them to recognize and prevent cybercrimes.
  2. Review whether everyone with high-level access to a hospital’s database needs to have that access.
  3. It is important to update and patch systems regularly to prevent intrusion.
  4. The more people with security access, the easier it is to breach.
  5. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access.
  6. Develop a business continuity plan to prevent downtime.
  7. Establish real-time data backups to permit work to continue.
  8. Organizations should establish closer ties with the local FBI before there is any incident.
  9. Those harmed in a cyber-attack will be treated like victims of a crime.
  10. Build a relationship with the local FBI.
  11. Organizations should join information-sharing groups with others in their industry.
  12. Regular systems tests can also help flag vulnerabilities before a hacker can get in.
  13. Don’t assign responsibility for cyber security to someone at a low level in the organization.
  14. Cyber security is an enterprise risk, and executive and board level interest is needed.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.

21st Century Oncology faces class actions in wake of data breach

Following a data breach of the nationwide cancer center, 21st Century Oncology, patients filed multiple class action lawsuits against the provider alleging that 21st Century failed to establish adequate cybersecurity measures in violation of federal and state law. Although the breach impacted an alleged 2.2 million patient records, the provider notified patients that it does not believe medical records were accessed or information was misused as a result of the breach. One of the class action complaints condemns the provider’s lack of control over protected health information (PHI), saying, “the last thing patients dealing with potentially deadly illnesses need is further harm and stress caused by the insecurity of their most private data and how it may be used by thieves.”


In a complaint filed on March 23, 2016, several patients alleged that the provider was not aware that it had been infiltrated until notified of the breach by the FBI. Although investigators informed the provider of the breach on November 12, 2016, 21st Century announced it was instructed not to inform patients until this month. The lawsuits allege that data stolen by thieves includes patients’ names, Social Security numbers, physicians’ names, medical diagnoses, treatment information, and insurance information. One lawsuit asserted that the records of the 2.2 million current and former patients may have been copied and transferred as a result of the breach. The complaints allege that the provider violated the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) and industry data protocols, was negligent in its safeguarding of PHI, was in breach of the implied covenant of good faith and fair dealing, and, in some cases, violated state consumer protection laws.

Prior breach

One lawsuit alleges that 21st Century is not a stranger to data breaches. Specifically, the complaint alleged that between October 11, 2011 and August 8, 2012, a 21st Century employee provided PHI to a third party who used the information—names, Social Security numbers, and dates of birth—to file fraudulent tax refunds. The complaint alleged that 21st Century also failed to detect the earlier breach.

21st Century

According to 21st Century’s announcement on the more recent breach, the provider is notifying affected patients and offering them free one-year credit protection services. Some of the lawsuits acknowledge the provider’s offer and call it inadequate, suggesting that the threat and harm resulting from the breach are more serious than the compensation reflects and will last longer than a year. The lawsuits follow a settlement earlier this month, in which 21st Century agreed to pay $34.7 million to settle claims that it billed Medicare and Tricare for medically unnecessary radiation tests between 2009 and 2015.