Homeland Security would like everyone to recognize and celebrate October as Cyber Security month. While we’re not sure “celebrate” is the most appropriate way to think of cyber risk, we present our second annual privacy liability issue in recognition of an area of risk that draws more attention and simply keeps getting bigger with each passing day.
Are you spinning the cyber wheel?
The three pillars of cyber risk management
Meeting a challenge as complex as cyber risk may seem to defy simplification, yet with the right attitude and approach, and the support of a team of knowledgeable experts, you can lead without having to be mired in the details.
In our work with leaders of healthcare organizations we see the most successful sticking to three fundamentals of cyber risk management: people, processes and technology.
- The people you must influence, trust, and rely on include cyber allies, leaders and citizens.
- Cyber Allies: These are your peers who are fighting the same battles as you. Staying abreast of their initiatives, mistakes, and responses can help you avoid and mitigate the impact of cyber risk.
- Cyber Leaders: These are the people – usually an internal leader managing external advisors and technicians- who have the skills, knowledge, and experience to provide strategic cyber security leadership.
- Cyber Citizens: Everyone in the organization must be made aware (and kept aware) of the role they play in the prevention and reduction of cyber risk. We’ve gone way beyond not falling the clumsy ruses used to steal passwords or inject viruses into computer networks. From handling sensitive data, understanding how to spot phishing emails to the use of BYOD, cyber security is no longer a technical issue; it’s a business issue in which everyone has a role to play.
- Processes are vital to the implementation of any effective strategy. To be effective, your cyber security strategies require processes that define, monitor and manage the roles, activities and documentation you use to protect your organization’s information. (Processes are worthless if people do not use them… that’s why your number one focus must be people.)
- A note about compliance: Being in compliance with legislative and regulatory requirements protect your organization from financial and other penalties. If you still think cyber crime is just a hobby pursued by bored computer geniuses, think again. Cyber crime has become a highly-organized business which increasingly means legislation and policies designed to improve security may not be enough. Organizations need to go beyond a compliance-based approach to security, and adopt a more risk-based approach.
- Technology is all about choosing the right infrastructure and software. It is perhaps the most difficult area to simplify. In a world where even the smallest change can set of a cascade of unforeseen glitches and breakdowns, it is little wonder healthcare leaders view technology as a digital Pandora’s box. So, while choosing not to provide any technical advice in the quest for optimal cyber-secure technology, the one principle we offer as guidance is protect your data and information first. By this we mean focus on highest risk areas first and take action there rather than trying to safeguard everything.
Cyber security has become a business issue
Less than two years ago, cyber security was deemed a technical challenge for the IT department to handle. That’s obviously no longer the case. Healthcare organizations must not only prevent breaches and ward off attacks; they must also be prepared to manage the business impact of these events.
A modern security mindset includes managing the entire life cycle of a cyber breach and involves effective incident resolution, speed with which the incident was resolved and minimization of the incident’s impact on the organization.
Finally,if you are wondering if you should be concerned, reading the other stories in this issue of HealthSure Headlines might help you decide. Then, if you are interested in knowing your organization’s level of exposure to data breaches and other cyber risks, HealthSure can help you conduct a cyber risk assessment.
After-the-fact logic proves increasingly costly
Time and time again, healthcare providers are splashed across the media for being victims of yet another data breach. The most cringe-worthy stories involve those without a cyber risk management strategy.
Every healthcare organization with a network, database, and online presence faces an increasingly complex and growing amount of risk. Yet, some healthcare leaders are taking a wait and see approach to covering these risks.
In a notice sent to healthcare providers, the FBI says, “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”
Hackers love health data
Reuters news agency in its coverage of the notice repeated a fact that is becoming more widely known: “Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances.”
In this rapidly evolving environment, it is important to realize most traditional business policies do not cover risks associated with:
- The theft of customer data resulting from a lost or stolen laptop
- Failure to follow federal or state patient notification regulations when personal data has been illegally accessed
- Connected medical devices, network-attached printers, faxes and surveillance cameras (these devices are being targeted more often than major information systems according to SANS: a respected source for computer security training, certification and research).
- Online health monitoring
- Accidentally passing a virus or other type of malware to suppliers and ACO partners
- Employee slander of another organization in a blog or social media site
- Content posted on your website that infringes on copyrighted material
Wait and see can be costly
A recent HealthSure case highlights the issues facing healthcare organizations that are taking a wait and see approach. We conducted a cyber risk assessment for an organization we felt could benefit greatly from an appropriate amount of cyber coverage. Despite the logical results the assessment produced, the decision makers declined on the basis that their organization had never had a claim of this nature.
In the ensuing 12 months, a costly data breach occurred. After the dust settled, HealthSure was asked to help with the acquisition of an appropriate amount of coverage. The coverage now costs approximately 35% more than it would have a year ago (not to mention the reluctance of some carriers to offer coverage at all).
Burning down the house to save money
As things change, our logic must change with it. These days, not having appropriate cyber coverage is a like saying, “I will not buy home insurance until I have a fire… and depending on how bad it is, I will then decide if and how much insurance I will buy.”
Cyber coverage limitations reminiscent of past big ticket risks
In its influential annual insurance risk study, Aon points to cyber risk coverage as a potential “bottleneck to further innovation.” Titled “Global Insurance Market Opportunities: An in-depth perspective,” the study describes cyber as a headline-grabbing risk that demands new solutions.
“Emerging risk lines will be the growth engine for insurers over the coming decade, providing coverage against perils like cyber, reputation and brand, social media, corporate liability, and risks related to the sharing economy.”
Aon also conducts an annual Global Risk Management Survey that reveals risk managers have highlighted cyber risk as a top 10 risk this year. This is the first time cyber has made it into Aon’s top 10, a result that points to the likelihood of accelerated growth for the already expanding cyber insurance market.
What we find interesting is Aon says the “customer need is clear” when it comes to cyber risk solutions while cyber risk presents significant challenges for insurers. The authors speculate, “… if the private market does not provide solutions, it may fall on governments-and taxpayers-to provide a backstop, as has been done for flood risk and for terrorism.”
However, the report also says the nature of cyber risk is different. “There are reasons to believe that cyber will follow a different course. Cyber risk has the potential for a much more robust data set than terrorism, given the daily occurrence of cyber attacks. Moreover, while terrorist attacks imply a significant concentration of risk, cyber exposures are relatively well distributed. And loss control efforts can reduce the frequency and duration of data breaches.”
But, even with the robustness of the data set and the broad distribution of risk, the report says the uncertainty surrounding cyber risk and insurance is not to be denied. “Cyber insurance products struggle with clear loss triggers and an objective determination of loss severity. And the main threat to businesses-damage to reputation and brand-is not insured.”
If you would like to have a partner to help you meet the cyber risk and insurance challenge, contact HealthSure. Our experience in healthcare and extensive resources – including the best carriers and risk experts available – can help you prevent and protect your organization from this ongoing, thriving risk.
A look inside the FBI’s Cyber Division
By Curtis Verstraete
On its website, the FBI cyber division says, “We are building our lives around our wired and wireless networks. The question is, are we ready to work together to defend them?”
With the FBI warning that the healthcare sector was especially vulnerable and appealing to cyber-criminals, we thought we would poke around to find out what the FBI is up to.
The FBI leads the national effort to investigate high-tech crimes, including cyber-based terrorism, espionage, computer intrusions, and major cyber fraud. It does this by gathering and sharing information and intelligence with public and private sector partners worldwide.
The highlights of a brief tour of the cyber division’s website include key priorities, initiatives, partnerships, threats, scams, cases and take downs, protections and other resources. Each of these areas contains interesting and often highly relevant information for staying informed and tapping into useful resources.
All that practical (boring!) information aside, the most compelling section of the site is Cyber’s Most Wanted.
From Russia with malice
Topping the list is Russian Evgeniy Mikhailovich Bogachev who has reward of $3 million being offered for information leading to his arrest and/or conviction. He is being sought for his alleged involvement in a wide-ranging racketeering enterprise and scheme that installed, without authorization, malicious software known as “Zeus” on victims’ computers. The malware captures bank account numbers, passwords, personal identification numbers, and other information necessary to log into online banking accounts. It is alleged that Bogachev and others utilized to this information to steal money from the victims’ bank accounts.
Phantom products net cash
$1 million is being offered for information leading to the arrest and/or conviction of Romanian Nicolae Popescu for his alleged participation in a sophisticated Internet fraud scheme. Conspirators, based in Romania and elsewhere in Europe, posted advertisements on Internet auction market sites for merchandise that did not exist.
These “sellers” sent fraudulent invoices that appeared to be from legitimate online payment services to buyers… the victims. When victims wired money to an account identified on the false invoices, the conspirator would withdraw the proceeds.
The China connection
Perhaps most disturbing of all is a group of five members of the People’s Liberation Army (PLA) of the People’s Republic of China (PRC) who are wanted for conspiring to commit computer fraud; accessing a computer without authorization for the purpose of commercial advantage and private financial gain, damaging computers through the transmission of code and commands, aggravated identity theft, economic espionage, theft of trade secrets and 26 more criminal charges.
All five were officers of the PRC’s Third Department of the General Staff Department of the People’s Liberation Army (3PLA), Second Bureau, Third Office, Military Unit Cover Designator (MUCD) 61398, at some point during the investigation. Each allegedly provided individual expertise to a conspiracy to penetrate the computer networks of six American companies while those companies were engaged in negotiations or joint ventures or were pursuing legal action with, or against, state-owned enterprises in China.
TORCH announces fall webinar series
Expert answers to tough questions in the board room
TORCH is presenting three online events that explore and answer the tough questions board members ask when things go wrong.
Presented by TORCH and hosted by HealthSure and Reed, Claymon, Meeker & Hargett, PLLC (RCMH), the online series is offered as a rare opportunity to learn how to prevent and protect your hospital from the occurrences that cause trouble in the boardroom.
Convenient, concise and highly relevant, each event brings together experts who are intimately knowledgeable about the complex challenges and new opportunities being faced by modern, small-community hospitals.
October 26th from 12:00 – 12:45 p.m. CDT
The first installment in the series is called Privacy Pitfalls and Cyber Liability: The essential cyber month online event
Hosted by Jennifer Claymon from RCMH and Brant Couch from HealthSure, the webinar is an examination of the essential cyber-security strategies for preventing breaches and protecting your hospital in the event something bad does occur.
Featuring subject expert John Southrey from Texas Medical Liability Trust (TMLT), this is a not-to-be-missed event for anyone who wants to make sense of a month of cyber-chatter.
Or, if somehow you’ve been able to tune out the noise, this event will help ensure you’re up to speed on what continues to top of the list* of risk concerns for hospital CEOs. (*Modern Health Care and Business Insurance survey results.)
All attendees will receive a free Cyber Vulnerability Scorecard.
Have you seen this person?
HealthSure is adding to our team of “A players”
We’re seeking a customer service representative who can ask the right questions, clarify client expectations and needs, and create an environment where our advice leads to the best possible solutions for our clients.
Have you seen someone who is detail-oriented and has a passion for insurance? We need a person who will make a vital contribution to the day-to-day success of our property and casualty team by helping them deliver top-quality products and services.
If you have seen this person (perhaps in the mirror), please contact Jennifer Fudge our Director of Operations.