Volume 46

Avoiding Cyber Insurance Claim Denials New Features We’re Excited About Understanding “Quiet Quitting” Trend

---

Avoiding Cyber Insurance Claim Denials A growing concern in the ever-evolving cybersecurity landscape by Krista Adamson, CIC, CISR The need for cyber insurance has never been greater. Getting the best coverage has never been more complex. And complying with insurance company requirements has never been more critical. Admittedly, there’s not a lot of fun to be had when it comes to making sure your hospital is protected from cybercrime and covered in the event of a cybersecurity breach. But, as in most challenges in life and business, there is a silver lining. Implementing cyber security best practices creates opportunities for staff engagement, skills development, and nurturing a culture of safety. Cyber Compliance… it’s now a way of life Cyber insurance has never been a get-it-and-forget-it purchase. The insurance owner’s role in protecting the viability of their insurance continues to grow as insurance companies figure out how to provide cyber insurance and make a profit. This means unless you play your part, just having insurance does not guarantee your claim will be honored. When it comes to having the very best protection for your hospital, the golden rule is to understand that cybersecurity is an ongoing activity that involves everyone in your hospital and even some people outside of your hospital. As the cybersecurity landscape evolves, insurers require clients to do an increasing amount of proactive cybersecurity management in five key areas.

1. The ability to prove proper security measures are in place It is no longer enough to implement security measures and follow preventative protocols. You also need to be able to prove what you’ve and what you are doing. Insurance companies want to avoid paying claims at all costs. That’s why they put the onus on clients to ensure all preventative measures for thwarting cyber criminals and protecting networks and data are in place. To acquire insurance, you now need to prove you are sufficiently protecting your networks and data. To have a claim honored, you need to prove you have kept up with all the cyber security best practices that enabled you to acquire insurance in the first place. Stating the obvious, a paper trail – documentation without any gaps or missing information – is required before an insurer will pay an insurance claim. The elephant in this room is that due to the ever-changing and increasingly sophisticated nature of cyber-attacks, you and your hospital will likely struggle to always be able to prove the effectiveness of your systems. This is just one reason why you should never go it alone when it comes to cyber security and insurance.
2. Actually having proper preventative security measures in place This one is obvious. You can’t get cyber insurance if you do not protect your networks and data. If you do not have security measures in place, managed internally or by a third-party, you are extremely vulnerable to all sort of attacks and other incidents and no insurance company will touch you.
3. Endpoint detection and response Your approach to cybersecurity has to be comprehensive. And, you guessed it, the definition of comprehensive continuously evolves. For example, relying solely on antivirus software is no longer a sufficient form of protection. Insurance companies look at many things, but one area of particular focus is endpoint detection and response (EDR). This security solution continuously monitors end-user devices to detect and respond to cyber threats like ransomware and malware. EDR solutions record activities and events taking place as well as workloads to give security teams what they need to spot incidents that would otherwise go unnoticed. Modern EDR solutions provide advanced threat detection, investigation, and response capabilities. This includes investigation alert triage, suspicious activity validation, threat hunting, and malicious activity detection and containment.
4. What’s not your fault is still your responsibility Your hospital’s cyber security isn’t your only responsibility. Your third-party vendors’ cyber security is also on your plate. Due to the interconnectedness of modern healthcare and information system technology, attackers can gain access to your hospital’s systems and data by targeting your outside partners and providers. It is now essential for third-party organizations to have virtually the same level of security measures as you do. If your network is attacked through their network, the vendor’s cyber security measures have to be up to snuff, or a claim may be denied.
5. Cybersecurity awareness and training Even with the strongest, most secure forms of cyber protection, you can’t protect your hospital against attacks if your employees inadvertently help attackers. Human error is responsible for 38% of all data breaches, second only to malicious or criminal attack. But whereas you can’t control the cyber crooks, you can prevent human error through awareness and training.

Here are the five errors staff (those humans!) routinely make:

1. Using a weak password or storing it incorrectly. Imagine; a numbers-only, 12-character password can be hacked in 25 seconds or less! A password using all lower-case letters takes three weeks to hack. It takes 300 years to hack passwords using lower-case and upper-case letters. Adding numbers and other symbols pushes the hacking challenge out to 34,000 years. Your staff must be trained to create strong passwords, to not use the same passwords to access multiple applications or systems, to regularly update passwords, and to store them securely. Thankfully, there are a growing number of password manager apps you can use to maintain centralized password disciplines throughout your hospital and ensure staff uses strong passwords.
2. Using software that is outdated or not secure Cyber criminals know third-party software can offer the best route to breach your network. That’s why it is essential to have clear third-party software usage policies and guidelines. Some estimates say one in three breaches are caused by known vulnerabilities not being patched in a timely manner. Which is why you need to run software updates regularly. And then there’s Shadow IT. When staff installs applications without the knowledge or approval of your IT department, it creates serious security vulnerabilities. You must have clear rules requiring your people to get approval before they install new software.
3. Handling data carelessly The most common examples of carelessness are:
   • Emailing confidential information to the wrong person
   • Unintentionally releasing or publishing confidential information
   • Not using the ‘blind carbon copy’ (BCC) when sending group emails
   The best practices include clearly defining data categories (e.g.: public, internal-only, confidential, restricted) along with guidelines for how staff how should handle, transmit, store, and dispose of each type of data.
4. Low security awareness People with low levels of security awareness are more easily deceived into clicking a link or opening an attachment in a malicious email. One simple act can lead to the installation of malware that opens your hospital up to attack. The costs can be crippling and the downtime dangerous. That’s why ongoing training is essential. Good news; training is one of the most important and cost-effective security measures you can take.
5. Unauthorised access to devices This is especially an issue with remote workers who let family members use their work devices (laptops primarily). Family members may unknowingly jeopardise security by installing unauthorised software, changing settings and configurations, downloading malicious files, not to mention accessing confidential data. And it should go without saying but it is essential for your staff to not share their device password with anyone.

Never Go It Alone If complying with your cyber insurance policy’s terms seems impossible, you need to remember to never go it alone. Our team and our cyber partners can help you:

• Be confident you know exactly what your current cyber insurance does and does not cover
• Conduct a thorough and accurate analysis of your cyber compliance including areas needing attention
• Implement timely solutions to compliance issues
• Get policy-specific documents so your hospital can produce evidence of due care when needed
• Get the best cyber insurance with only the coverage at the best price

---

New Features we’re excited about! Our HealthSure Commercial Lines Team is excited about two improvements to our myHealthSure portal.

1. We are beta – testing digital payments in our new payment portal. Paying your insurance premiums just got a whole lot easier. HealthSure is delighted to announce we are now accepting digital payments! Keep an eye out for a link on your next invoice that will allow you to access our new payment portal, or if you want to check it out now, visit your myHealthSure page and click Make a Payment (Applied Pay) on your home page. Our goal is to provide exceptional service, and we are excited to offer you a convenient way to make payments safely and securely, using your credit card, ACH, ApplePay™ Pay by Text, and more. The choice is yours! Please note there is a $4.00 processing fee for each transaction and a 3.5% fee if you pay by credit card. Important: Applied Pay only applies to HealthSure payables. If you receive an invoice directly from an insurance company or premium finance company, please follow payment instructions on the invoice. Please don’t hesitate to contact us if you have any questions. We are always here to help!
 
2. You can now access INDIO through the em>myHealthSure Portal! Indio is the online, secure, platform that combines all of the different functions of a typical insurance renewal into one platform.
• The online portal allows you to access / work on your insurance forms whenever and wherever you need them.
• All data in the system “smart maps” between forms, so you don’t have to enter data multiple times! (i.e. if you put your business name on one application Indio will go ahead and transpose that information onto all of your other forms)
• The portal has a “Documents” tab which allows you to upload and download documents as needed. All documents that are exchanged using Indio are run through an anti-virus software to ensure that nothing malicious is being sent.
• Using Indio allows you to assign applications, forms, or even sections within applications to specific points of contact within your organization – In turn, reducing the need to print, scan, or even sign (with wet signature) forms offline.
• Indio allows you to sign all of your applications and forms live on the platform using their e-signature solution.
• Indio is highly secure and your data is all confidential.
Contact your account manager to learn more.

---

Understanding “Quiet Quitting” Trend