cyber risk 201: prevention and solutions for cyber risks · 2018-12-11 · vero orthopaedics...

Cyber Risk 201: Prevention and Solutions for Cyber Risks Risk Awareness Series: How Cyber Risks, Sexual Harassment Claims and the Regulators Can Wreak Havoc on Your Practice


Page 1:

Cyber Risk 201: Prevention and Solutions for Cyber Risks

Risk Awareness Series: How Cyber Risks, Sexual Harassment Claims and the Regulators Can Wreak Havoc on Your Practice

Page 2:

Introductions

Marc Haskelson, President, Compliancy Group, Greenlawn, New York

Jeffrey Smith, Managing Partner, Cyber Risk Underwriters, Atlanta, Georgia

Matt Gracey, President / CEO, Danna-Gracey, Delray Beach, Florida

Tom Murphy, Professional Liability Specialist, Danna-Gracey, Delray Beach, Florida

Jennifer Davison, CEO, Vero Orthopaedics & Vero Neurology, Vero Beach, Florida

Page 3:

Recap Cyber Risk 101: Top Risks

Source: Accenture/AMA 2017

• Failure to Encrypt Data Access

• Cloud And Security Software Reliance

• Lack of Security Training and Awareness

• Third Party/Vendors

• Lack of HIPAA Knowledge & Compliance

Page 4:

Page 5:

Ransomware Attack 2018

Page 6:

Vero Orthopaedics Ransomware Attack

• Ransomware attacks on 2/14/18 and 2/27/18

• Policy was reviewed and changed 10 days prior to the attack. Without having a review done of the current policy we would not have had business interruption coverage.

• Total revenue loss incurred $139,881. Insurance reimbursed $129,823

• The insurance company hired a cyber company out of Washington to do a full analysis of the system, and mechanisms were put in place by that company, fully covered by insurance. This added an extra layer of protection to our system.

• An attorney hired by the insurance company did a full HIPAA audit of the attack to ensure there was no breach. A full report was provided by the firm as a safeguard to the practice that there was no breach of patient information. The fee for this was covered under the policy.

• A decision to review and change the policy with a $600 annual increase to our policy saved our practice from what could have been a significant loss of income.

• Ensure you have backups offsite real time. IT CAN HAPPEN TO YOU!

Page 7:

Proactive Cyber Security Things You Can Do Now

1. Get HIPAA Compliant

2. Passwords – Use a sentence or phrase

3. Show your employees what to look for / Prevention Plan

4. Restrict unnecessary access/user privileges

5. Keep Anti-Malware / Anti-Virus up-to-date

6. Filter spam and (.exe, .zip) attachments, and show hidden file extensions (a .PDF may really be an .EXE)

7. Ensure a foolproof backup plan, for fast recovery
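Item 6 above packs in two separate checks a mail gateway should make: refuse risky attachment types outright, and catch an executable that hides behind a document-looking name, which a workstation with hidden file extensions displays as plain "invoice.pdf". The screening routine below is an added illustration, not code from the slides or from any of the presenters' companies. The slide names .exe and .zip; the other blocked extensions are an assumed typical gateway block list, and the sample attachments are constructed (only their leading bytes matter for the content check).

```python
"""Attachment screening for the tricks named in slide 7, item 6: block risky
attachment types, and catch executables hiding behind a document-looking
name (shown as 'invoice.pdf' when Windows hides known extensions).
Added illustration; the sample attachments below are constructed."""
from dataclasses import dataclass, field

# Slide 7 names .exe and .zip; the remaining entries are a typical mail-gateway
# block list and are an assumption, not from the slide.
BLOCKED_EXTENSIONS = {"exe", "zip", "scr", "bat", "cmd", "js", "vbs", "ps1", "hta", "jar"}
# Types a recipient expects to be harmless documents or images.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Office documents and jars are ZIP containers, so a ZIP signature is normal there.
ZIP_CONTAINER_EXTENSIONS = {"zip", "docx", "xlsx", "jar"}
# Leading bytes (magic numbers) that reveal what a file really is.
MAGIC_NUMBERS = {
    b"MZ": "exe",          # DOS/Windows PE executable
    b"PK\x03\x04": "zip",  # ZIP local file header
    b"%PDF": "pdf",
}


@dataclass
class Verdict:
    filename: str
    allowed: bool = True
    reasons: list = field(default_factory=list)


def extensions(filename):
    """All extensions in order, so 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:]


def sniff_type(data):
    """Identify the content type from its magic number, or None if unknown."""
    for signature, kind in MAGIC_NUMBERS.items():
        if data.startswith(signature):
            return kind
    return None


def screen_attachment(filename, data):
    """Apply the three checks and return a Verdict listing every reason to block."""
    verdict = Verdict(filename)
    exts = extensions(filename)
    last = exts[-1] if exts else ""

    # Rule 1: the final extension is on the block list.
    if last in BLOCKED_EXTENSIONS:
        verdict.allowed = False
        verdict.reasons.append(f"blocked extension .{last}")

    # Rule 2: double extension. 'report.pdf.exe' displays as 'report.pdf'
    # on a machine that hides known file extensions.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last not in DOCUMENT_EXTENSIONS:
        verdict.allowed = False
        verdict.reasons.append(
            f"double extension .{exts[-2]}.{last} (appears as .{exts[-2]} with hidden extensions)")

    # Rule 3: the bytes say executable or archive but the name says otherwise.
    real = sniff_type(data)
    if real == "exe" and last != "exe":
        verdict.allowed = False
        verdict.reasons.append(f"content is a PE executable but name claims .{last or '(none)'}")
    elif real == "zip" and last not in ZIP_CONTAINER_EXTENSIONS:
        verdict.allowed = False
        verdict.reasons.append(f"content is a ZIP archive but name claims .{last or '(none)'}")

    return verdict


def screen_all(attachments):
    """Screen (filename, bytes) pairs; returns a dict of filename -> Verdict."""
    return {name: screen_attachment(name, data) for name, data in attachments}


# Constructed sample attachments (only the leading bytes matter for sniffing).
SAMPLE_ATTACHMENTS = [
    ("statement.pdf", b"%PDF-1.4\n%constructed"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03"),
    ("photos.zip", b"PK\x03\x04\x14\x00"),
    ("readme.pdf", b"MZ\x90\x00\x03"),
    ("report.docx", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for name, verdict in screen_all(SAMPLE_ATTACHMENTS).items():
        status = "allow" if verdict.allowed else "block"
        print(f"{status:5} {name}: {'; '.join(verdict.reasons) or 'ok'}")
```

The third rule is what makes the check worth having: a name filter alone passes "readme.pdf" even when the bytes start with a PE header, while the content check blocks it. Keeping every reason rather than stopping at the first gives the person reviewing quarantined mail the full picture.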

Page 8:

Get HIPAA Compliant

• Assessment of risks: Remediate vulnerabilities

• Training: Staff knowing what to look for and how to identify attacks

• Policies and Procedures: Stop ransomware infections before they take hold

• Encryption: Protect the sensitive information

• Backup: Practice 3-2-1

• Secure Messaging

• Monitoring and auditing

• Disaster planning: Restoration of access to data to get back to business

Page 9:

The pieces of HIPAA compliance.

• Every piece needs to be completed annually or as the regulations change.

• Missing even one piece can result in fines or loss of reputation.

[Figure: The HIPAA Compliance Puzzle, with pieces labelled:]

• Audits: SRA (Security Risk Assessment), Administrative, Privacy

• Remediation Plans

• Policies, Procedures & Training

• Business Associate Management

• Incident Management

• Document Version

• Employee Attestation & Tracking

Page 10:

Traditional Cyber Insurance

• Terrific risk finance tool!

• Vetted claims resources

• Static solution to dynamic problem

• Doesn’t get to the bottom of the risk

• No actionable intelligence

• No ongoing protection

Remember me?

Page 11:

NextGen Cyber Insurance: Getting to the Bottom of the Risk

• Diagnostics before MRI?

• Passive Scanning

• Business Threat Intelligence

• Compromised Credentials

• Actionable Intelligence

Page 12:

Next Generation Cyber Insurance for Providers

Underwritten and managed by hackers with a background in assessment and security technology, our platform gets to the bottom of the risk. Solutions incorporate security tools to keep insureds safe during the policy period, in addition to risk finance and claims adjusting.

| | Traditional | Next Gen |
|---|---|---|
| Underwriter | CPCU | White Hat |
| Rating Process | Questionnaire, Base Rate, Modifier, Static | Evidence Based, Passive Scan, Threat Intel, Dynamic |
| Actionable Data & Remediation | None | Yes: Identify & Repair |
| Vetted Panel Providers | Yes | Yes |
| First Responder | "Breach Coach" | Cyber Engineer |
| Keep Insured Safe? | No | 24/7 Alerts, Threat Intel, Credentials, Patch, Ransomware |

Page 13:

Coverage Enhancements

Coverage may include:

• Hardware (Bricking)

• Service Fraud (Bitcoin Mining)

• Contingent Pollution

• Increased limits for corrective action plans

• Lower deductible options

Page 14:

Keeping Insureds Safe During Policy Period

Solutions may include:

• Threat Monitor: Security Guard

• Patch Management: Got Leaks?

• Credential Monitoring: Lost Keys to the Kingdom

• Anti-ransomware: Locked out of your own house?

• DDoS Mitigation: Where did all this traffic come from?

• Bug Bounty Vulnerability Disclosure Registry

Page 15:

Do I Need Additional Insurance?

• Most of the Time Your Medical Malpractice Insurance Doesn’t Offer Enough Coverage

• Your Business Office Policies Don’t Cover Cyber

Page 16:

Cost of a Breach

The Cost Of A Privacy Breach:

- Customer Notification: $1 - $2 (per person)
- Consulting Help for Forensic Research and Data Recovery: $250 - $300 (per hour)
- Legal Fees: $400 - $600 (per hour)
- Credit Monitoring Subscriptions: $10 - $20 (per person)
- Credit Card Reissuance Fee: $20 - $30 (per card)
- Information Hotlines for Customer Support: $5+ (per call)

* In 2018, Average Post-breach Cost Per Record of $408

* Ponemon Institute's 2018 annual study

Page 17:

Typical Cyber Endorsement vs. Our Cyber Coverage

| Coverage | Typical Carrier Cyber Endorsement | Our Coverage |
|---|---|---|
| Aggregate Limit of Liability | $200,000 | $1,000,000 |
| Third Party Coverage | | |
| Network and Privacy Liability | $50,000 | $1,000,000 |
| Regulatory Defense & Penalties | $25,000 | $1,000,000 |
| Multimedia Content Liability | $50,000 | $1,000,000 |
| PCI Fines and Assessments | NA | $1,000,000 |
| Contingent Bodily Injury | NA | $250,000 |
| Corrective Action Plan Expenses | $25,000 | $250,000 |
| First Party Coverage Parts | | |
| Breach Response & Notification | Notified Individuals: 5,000 | $1,000,000 [1] |
| Crisis Management/Public Relations | $50,000 | $1,000,000 |
| Cyber Extortion | $50,000 | $1,000,000 |
| Business Interruption | $50,000 | $1,000,000 |
| Digital Asset Restoration | $50,000 | $1,000,000 |
| Funds Transfer Fraud | NA | $1,000,000 [2] |
| Computer Replacement | NA | $500,000 |
| Brand Reputation | NA | $1,000,000 |
| Court Attendance Costs | NA | $25,000 [3] |
| Insured Retention | $1,000 [4] | Options |
| Business Interruption Wait Period | 12 Hours | 8 Hours |
| Maximum Indemnity Period | 30 Days | 180 Days |

[1] In addition to policy aggregate limit
[2] Retentions range $5,000 to $25,000
[3] Maximum $250 per day
[4] Plus 50 notified individuals

Page 18:

Typical Cyber Endorsement vs. Our Cyber Coverage (Continued)

| Coverage | Typical Carrier Cyber Endorsement | Our Coverage |
|---|---|---|
| Aggregate Limit of Liability | $200,000 | $1,000,000 |
| Cyber Security | | |
| Cyber Risk Assessment | NA | Included |
| On-Call Security Professionals | NA | Included |
| Ongoing Threat Monitoring (24/7) Alerts | NA | Included |
| Credential Monitoring Alerts | NA | Included |
| Patch Management Updates | NA | Included |
| Anti-Ransomware | NA | Included |
| DDoS Protection | NA | Included |
| Bug Bounty Registration | NA | Included |
| Claims & Mitigation Services | | |
| Legal Panel | Yes | Yes |
| Breach Notification & Incident Response | Yes | Yes |
| Forensics & Remediation | Yes | Yes |
| Public Relations | Yes | Yes |

Page 19:

In Closing…

• Medical practices maintain personal and professional data that is actually preferred by cybercriminals due to the premium they can demand on the “dark market”.

• Smaller independent practices are actually more vulnerable than large healthcare systems due to the ease with which a criminal can access this unprotected “low hanging fruit”.

• Expect greater HIPAA oversight from the Office for Civil Rights (OCR) in Phase II of its audit program for HIPAA compliance.

• All medical practices should take data security seriously: implement a data security plan with the help of qualified individuals and, at the same time, secure relatively low-cost insurance protection to help with the business interruption you can expect once a breach is recognized.

Page 20:

Page 21:

Delray Beach • Jacksonville • Miami • Orlando • Panama City [email protected] • www.dannagracey.com • 800.966.2120

Upcoming Final Webinar in the Three-part Risk Awareness Series:

Practice Risk 301: Cyber Risk Review and Sexual Harassment and Regulatory Defense

December 11, 2018 at Noon