Cyber Risk 201: Prevention and Solutions for Cyber Risks
Risk Awareness Series: How Cyber Risks, Sexual Harassment Claims and the Regulators Can Wreak Havoc on Your Practice
Introductions
Marc Haskelson President Compliancy Group Greenlawn, New York
Jeffrey Smith Managing Partner Cyber Risk Underwriters Atlanta, Georgia
Matt Gracey President / CEO Danna-Gracey Delray Beach, Florida
Tom Murphy Professional Liability Specialist Danna-Gracey Delray Beach, Florida
Jennifer Davison CEO Vero Orthopaedics & Vero Neurology Vero Beach, Florida
Recap Cyber Risk 101: Top Risks
Source: Accenture/AMA 2017
• Failure to Encrypt Data Access
• Cloud And Security Software Reliance
• Lack of Security Training and Awareness
• Third Party/Vendors
• Lack of HIPAA Knowledge & Compliance
Ransomware Attack 2018
Vero Orthopaedics Ransomware Attack
• Ransomware attacks on 2/14/18 and 2/27/18
• Policy was reviewed and changed 10 days prior to the attack. Without having had a review done of the current policy we would not have had business interruption coverage.
• Total revenue loss incurred $139,881. Insurance reimbursed $129,823.
• The insurance company hired a cyber company out of Washington to do a full analysis of the system, and mechanisms were put in place by the company, which was fully covered by insurance. This added an extra layer of protection to our system.
• An attorney hired by the insurance company did a full HIPAA audit of the attack to ensure there was no breach. A full report was provided by the firm as a safeguard to the practice that there was no breach of patient information. The fee for this was covered under the policy.
• A decision to review and change the policy, with a $600 annual increase to our policy, saved our practice from what could have been a significant loss of income.
• Ensure you have real-time backups offsite. IT CAN HAPPEN TO YOU!
Proactive Cyber Security Things You Can Do Now
1. Get HIPAA Compliant
2. Passwords – Use a sentence or phrase
3. Show your employees what to look for / Prevention Plan
4. Restrict unnecessary access/user privileges
5. Keep Anti-Malware / Anti-Virus up-to-date
6. Filter spam and (.exe, .zip) attachments, and show hidden file extensions (a .PDF may really be an .EXE)
7. Ensure a foolproof backup plan, for fast recovery
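Item 6 on the list (filter .exe and .zip attachments, and remember that a ".pdf" may really be an .exe) is the one step a mail gateway or help-desk script can check mechanically. The Python below is an added example written for this page, not code from the webinar or from any presenter's company. It screens an attachment three ways: blocked extension, double extension such as invoice.pdf.exe, and a mismatch between the name's extension and the file's leading "magic bytes". It also goes one step beyond the slide and flags the right-to-left-override character, which makes a name like invoice[U+202E]fdp.exe display as invoiceexe.pdf. The blocked extensions beyond .exe and .zip, the function names and the sample attachments are assumptions constructed for the demonstration.

```python
"""Attachment screening for a practice mailbox (added example, not from the
webinar). Checks the extension, looks for double extensions and the RTLO
trick, and compares the claimed type against the file's magic bytes."""

# Extensions filtered outright. The slide names .exe and .zip; the others are
# an assumption (script and dropper types a practice mailbox rarely needs).
BLOCKED_EXTENSIONS = {".exe", ".zip", ".scr", ".js", ".vbs", ".bat", ".cmd"}

# File signatures at offset 0. Office .docx/.xlsx files are ZIP containers,
# so they legitimately begin with the ZIP signature.
SIGNATURES = [
    (b"MZ", "pe"),                  # Windows PE executable (.exe, .dll, .scr)
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
]

# What content type each extension is supposed to carry.
EXPECTED_TYPE = {
    ".pdf": "pdf", ".exe": "pe", ".scr": "pe", ".zip": "zip",
    ".docx": "zip", ".xlsx": "zip", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
}

# Unicode right-to-left override: reverses how the rest of the name is drawn.
RTLO = "\u202e"


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def screen_attachment(filename: str, data: bytes) -> list[str]:
    """Return finding codes for one attachment; an empty list means nothing suspicious."""
    findings = []
    suffixes = [s.lower() for s in filename.split(".")[1:]]
    ext = "." + suffixes[-1] if suffixes else ""

    if RTLO in filename:
        findings.append("rtlo-override")
    if ext in BLOCKED_EXTENSIONS:
        findings.append("blocked-extension")
    # "invoice.pdf.exe": with extensions hidden, the user only sees "invoice.pdf"
    if len(suffixes) >= 2:
        findings.append("double-extension")

    actual = sniff_type(data)
    # An executable wearing a document's name is the case the slide warns about
    if actual == "pe" and ext not in (".exe", ".scr"):
        findings.append("executable-content")
    expected = EXPECTED_TYPE.get(ext)
    if expected and actual != "unknown" and actual != expected:
        findings.append("type-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample attachments (names and bytes are made up for the demo)
    samples = [
        ("invoice.pdf", b"%PDF-1.7\n%..."),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
        ("statement.pdf", b"MZ\x90\x00\x03"),
        ("report.docx", b"PK\x03\x04\x14\x00"),
        ("invoice" + RTLO + "fdp.exe", b"MZ"),
    ]
    for name, blob in samples:
        print(repr(name), screen_attachment(name, blob) or "clean")
```

The signature check is what catches the renamed executable: the extension says PDF, the first two bytes say MZ. Checking only the name, or only the declared MIME type, misses it.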
Get HIPAA Compliant
• Assessment of risks: Remediate vulnerabilities
• Training: Staff knowing what to look for and how to identify attacks
• Policies and Procedures: Stop ransomware infections before they take hold
• Encryption: Protect the sensitive information
• Backup: Practice 3-2-1 (three copies of the data, on two different media, with one copy offsite)
• Secure Messaging
• Monitoring and auditing
• Disaster planning: Restore access to data and get back to business
The HIPAA Compliance Puzzle
The pieces of HIPAA compliance. Every piece needs to be completed annually or as the regulations change. Missing even one piece can result in fines or loss of reputation.
[Figure: puzzle pieces]
• Audits: SRA (Security Risk Assessment), Administrative, Privacy
• Remediation Plans
• Policies, Procedures & Training
• Business Associate Management
• Incident Management
• Document Version
• Employee Attestation & Tracking
Traditional Cyber Insurance
• Terrific risk finance tool!
• Vetted claims resources
• Static solution to dynamic problem
• Doesn’t get to the bottom of the risk
• No actionable intelligence
• No ongoing protection
NextGen Cyber Insurance Getting to the Bottom of the Risk
• Diagnostics before MRI?
• Passive Scanning
• Business Threat Intelligence
• Compromised Credentials
• Actionable Intelligence
Next Generation Cyber Insurance for Providers: Underwritten and managed by hackers with a background in assessment and security technology, our platform gets to the bottom of the risk. Solutions incorporate security tools to keep insureds safe during the policy period, in addition to risk finance and claims adjusting.
                                 Traditional                      Next Gen
Underwriter                      CPCU                             White Hat
Rating Process                   Questionnaire, Base Rate,        Evidence Based, Passive Scan,
                                 Modifier, Static                 Threat Intel, Dynamic
Actionable Data & Remediation    None                             Yes: Identify & Repair
Vetted Panel Providers           Yes                              Yes
First Responder                  "Breach Coach"                   Cyber Engineer
Keep Insured Safe?               No                               24/7 Alerts, Threat Intel,
                                                                  Credentials, Patch, Ransomware
Coverage Enhancements Coverage may include......
• Hardware (Bricking)
• Service Fraud (Bitcoin Mining)
• Contingent Pollution
• Increased limits for corrective action plans
• Lower deductible options
Keeping Insureds Safe During Policy Period Solutions may include......
• Threat Monitor: Security Guard
• Patch Management: Got Leaks?
• Credential Monitoring: Lost Keys to the Kingdom
• Anti-ransomware: Locked out of your own house?
• DDoS Mitigation: Where did all this traffic come from?
• Bug Bounty Vulnerability Disclosure Registry
Do I Need Additional Insurance?
• Most of the time your medical malpractice insurance doesn't offer enough coverage
• Your business office policies don't cover cyber
Cost of a Breach
The Cost of a Privacy Breach:
• Customer Notification: $1 - $2 (per person)
• Consulting Help for Forensic Research and Data Recovery: $250 - $300 (per hour)
• Legal Fees: $400 - $600 (per hour)
• Credit Monitoring Subscriptions: $10 - $20 (per person)
• Credit Card Reissuance Fee: $20 - $30 (per card)
• Information Hotlines for Customer Support: $5+ (per call)
* In 2018, average post-breach cost per record of $408 (Ponemon Institute's 2018 annual study)
Typical Cyber Endorsement vs. Our Cyber Coverage

Coverage                               Typical Carrier Cyber Endorsement   Our Coverage
Aggregate Limit of Liability           $200,000                            $1,000,000

Third Party Coverage
Network and Privacy Liability          $50,000                             $1,000,000
Regulatory Defense & Penalties         $25,000                             $1,000,000
Multimedia Content Liability           $50,000                             $1,000,000
PCI Fines and Assessments              NA                                  $1,000,000
Contingent Bodily Injury               NA                                  $250,000
Corrective Action Plan Expenses        $25,000                             $250,000

First Party Coverage Parts
Breach Response & Notification         Notified Individuals: 5,000         $1,000,000 [1]
Crisis Management/Public Relations     $50,000                             $1,000,000
Cyber Extortion                        $50,000                             $1,000,000
Business Interruption                  $50,000                             $1,000,000
Digital Asset Restoration              $50,000                             $1,000,000
Funds Transfer Fraud                   NA                                  $1,000,000 [2]
Computer Replacement                   NA                                  $500,000
Brand Reputation                       NA                                  $1,000,000
Court Attendance Costs                 NA                                  $25,000 [3]
Insured Retention                      $1,000 [4]                          Options
Business Interruption Wait Period      12 Hours                            8 Hours
Maximum Indemnity Period               30 Days                             180 Days

[1] In addition to policy aggregate limit. [2] Retentions range $5,000 to $25,000. [3] Maximum $250 per day. [4] Plus 50 notified individuals.
Typical Cyber Endorsement vs. Our Cyber Coverage (Continued)

Coverage                                  Typical Carrier Cyber Endorsement   Our Coverage
Aggregate Limit of Liability              $200,000                            $1,000,000

Cyber Security
Cyber Risk Assessment                     NA                                  Included
On-Call Security Professionals            NA                                  Included
Ongoing Threat Monitoring (24/7) Alerts   NA                                  Included
Credential Monitoring Alerts              NA                                  Included
Patch Management Updates                  NA                                  Included
Anti-Ransomware                           NA                                  Included
DDoS Protection                           NA                                  Included
Bug Bounty Registration                   NA                                  Included

Claims & Mitigation Services
Legal Panel                               Yes                                 Yes
Breach Notification & Incident Response   Yes                                 Yes
Forensics & Remediation                   Yes                                 Yes
Public Relations                          Yes                                 Yes
In Closing…
• Medical practices maintain personal and professional data that is actually preferred by cybercriminals due to the premium they can demand on the “dark market”.
• Smaller independent practices are actually more vulnerable than large healthcare systems due to the ease with which a criminal can access this unprotected “low hanging fruit”.
• Expect greater HIPAA oversight from the Office for Civil Rights (OCR) in Phase II of its HIPAA compliance audit program.
• All medical practices should take data security seriously: implement a data security plan with the help of qualified individuals, and at the same time secure relatively low-cost insurance protection to help with the business interruption you can expect once a breach is recognized.
Delray Beach • Jacksonville • Miami • Orlando • Panama City [email protected] • www.dannagracey.com • 800.966.2120
Upcoming Final Webinar in the Three-part Risk Awareness Series:
Practice Risk 301: Cyber Risk Review and Sexual Harassment and Regulatory Defense
December 11, 2018 at Noon