Avoiding Cyber Insurance Claim Denials A growing concern in the ever-evolving cybersecurity landscape by Krista Adamson, CIC, CISR
- The ability to prove proper security measures are in place It is no longer enough to implement security measures and follow preventative protocols. You also need to be able to prove what you have done and what you are doing. Insurance companies want to avoid paying claims wherever they can. That is why they put the onus on clients to show that all preventative measures for thwarting cyber criminals and protecting networks and data are in place. To acquire insurance, you now need to prove you are sufficiently protecting your networks and data. To have a claim honored, you need to prove you have kept up with all the cybersecurity best practices that enabled you to acquire insurance in the first place. Stating the obvious, a paper trail (documentation without gaps or missing information, such as patch records, EDR alert logs, training attendance and vendor assessments) is required before an insurer will pay a claim. The elephant in this room is that, due to the ever-changing and increasingly sophisticated nature of cyber-attacks, you and your hospital will likely struggle to always be able to prove the effectiveness of your systems. This is just one reason why you should never go it alone when it comes to cybersecurity and insurance.
- Actually having proper preventative security measures in place This one is obvious. You cannot get cyber insurance if you do not protect your networks and data. If you have no security measures in place, whether managed internally or by a third party, you are extremely vulnerable to all sorts of attacks and other incidents, and no insurance company will touch you.
- Endpoint detection and response Your approach to cybersecurity has to be comprehensive. And, you guessed it, the definition of comprehensive continuously evolves. For example, relying solely on signature-based antivirus software is no longer a sufficient form of protection. Insurance companies look at many things, but one area of particular focus is endpoint detection and response (EDR). An EDR solution continuously monitors endpoints (workstations, laptops and servers) to detect and respond to threats such as ransomware and other malware. It records the activities and events taking place on those endpoints and workloads (process launches, command lines, file and network activity) so that security teams can spot incidents that would otherwise go unnoticed. Modern EDR solutions provide advanced threat detection, investigation and response capabilities, including alert triage, validation of suspicious activity, threat hunting, and detection and containment of malicious activity.
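To make concrete what "recording activities and events" and "containment" mean in practice, here is an added example (not code from the article and not from any EDR product) of the kind of rule an EDR applies to process-creation telemetry. The event schema, the rule names, the severity policy and the three sample events are all constructed for this illustration; the base64 blob in the second event is just an encoding of a padding string, not a real payload.

```python
"""Toy EDR detection over process-creation telemetry.

Added example; not code from the article, nor from any EDR product. It shows the
kind of rule an EDR applies to the events it records: a parent/child process pair
plus a command line that together point at a document-borne dropper, a ransomware
pre-encryption step, and the containment decision that follows. The event fields,
the rules and the sample events are all constructed for this illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str   # image name of the parent process, as an EDR sensor records it
    image: str          # image name of the newly created process
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# PowerShell flags that are rare in legitimate use and common in droppers.
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
HIDDEN_OR_BYPASS = re.compile(r"(?i)-(?:w|windowstyle)\s+hidden|-(?:ep|executionpolicy)\s+bypass")
SHADOW_DELETE = re.compile(r"(?i)\bdelete\s+shadows\b")

# Severity per rule (assumed policy); "critical" findings trigger host isolation.
SEVERITY = {
    "office-spawned-script-host": "high",
    "powershell-encoded-command": "high",
    "powershell-hidden-or-bypass": "medium",
    "shadow-copy-deletion": "critical",
}


def detect(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event matches (empty list = benign)."""
    parent, image, cmd = event.parent_image.lower(), event.image.lower(), event.cmdline
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office-spawned-script-host")
    if image in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_CMD.search(cmd):
            findings.append("powershell-encoded-command")
        if HIDDEN_OR_BYPASS.search(cmd):
            findings.append("powershell-hidden-or-bypass")
    if image == "vssadmin.exe" and SHADOW_DELETE.search(cmd):
        findings.append("shadow-copy-deletion")
    return findings


def should_isolate(findings: list[str]) -> bool:
    """Containment policy: isolate on any critical finding, or on two or more high findings."""
    highs = sum(1 for f in findings if SEVERITY[f] == "high")
    return any(SEVERITY[f] == "critical" for f in findings) or highs >= 2


def triage(events):
    """Run detection over a stream of events; one row per alerting event."""
    rows = []
    for ev in events:
        findings = detect(ev)
        if findings:
            rows.append((ev.host, ev.user, ev.image, findings, should_isolate(findings)))
    return rows


# Constructed sample telemetry: a benign document open, a macro-launched PowerShell
# dropper, and a ransomware pre-encryption step (deleting volume shadow copies).
SAMPLE_EVENTS = [
    ProcessEvent("WS-RAD-07", "jdoe", "explorer.exe", "winword.exe",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" invoice.docm'),
    ProcessEvent("WS-RAD-07", "jdoe", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -ep bypass -enc "
                 "QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQA="),  # base64 of UTF-16 "AAAA..."
    ProcessEvent("WS-RAD-07", "jdoe", "cmd.exe", "vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet"),
]


if __name__ == "__main__":
    for host, user, image, findings, isolate in triage(SAMPLE_EVENTS):
        print(f"{host} {user} {image}: {', '.join(findings)} -> isolate={isolate}")
```

The value for an insurance claim is in the record this produces: each alert is tied to a host, a user, the exact command line and the containment decision, which is the kind of evidence an adjuster asks for when reconstructing an incident.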
- What’s not your fault is still your responsibility Your hospital’s cybersecurity is not your only responsibility. Your third-party vendors’ cybersecurity is also on your plate. Because modern healthcare and information systems are so interconnected, attackers can gain access to your hospital’s systems and data by targeting your outside partners and providers. It is now essential for third-party organizations to have virtually the same level of security as you do. If your network is attacked through a vendor’s network, that vendor’s security measures have to be up to snuff, or your claim may be denied.
- Cybersecurity awareness and training Even with the strongest, most secure forms of cyber protection, you cannot protect your hospital against attacks if your employees inadvertently help attackers. By one estimate, human error is responsible for 38% of all data breaches, second only to malicious or criminal attack. But whereas you cannot control the cyber crooks, you can reduce human error through awareness and training. The most common errors are the following.
- Using a weak password or storing it incorrectly Consider the figures commonly quoted for offline brute-force attacks: a 12-character password made only of digits can be exhausted in 25 seconds or less. One using only lower-case letters takes about three weeks. Mixing upper- and lower-case letters pushes that to roughly 300 years, and adding digits and other symbols to about 34,000 years. Such figures assume a particular guessing rate and hashing scheme, so treat them as orders of magnitude rather than guarantees; the point that holds regardless is that the search space grows exponentially with both length and character set. Your staff must be trained to create strong passwords, never to reuse a password across applications or systems, and to store passwords securely. Note that current NIST guidance (SP 800-63B) recommends changing a password when there is evidence it has been compromised rather than on a fixed schedule, because forced periodic rotation pushes people toward predictable variations. Thankfully, there is a growing number of password manager apps you can use to maintain centralized password discipline throughout your hospital and ensure staff use strong, unique passwords.
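The arithmetic behind "time to crack" tables like the one quoted above is simple enough to check yourself. The following is an added example, not from the article: it computes the search space and worst-case exhaustion time for a 12-character password under each character-set policy, plus the entropy a password manager's random generator actually delivers. The guess rate is an assumption chosen so that the digits-only row reproduces the article's 25 seconds; with that single rate the mixed-case row also lands near 300 years, while the full-charset row comes out an order of magnitude longer than 34,000 years, which shows how sensitive such figures are to the assumed rate.

```python
"""Brute-force search space and time-to-exhaust for a password policy.

Added example (not part of the original article). It reproduces the arithmetic
behind "time to crack" tables: the search space is charset_size ** length and
the worst-case time to exhaust it is that number divided by the attacker's
guess rate. The guess rate below is an assumption; real rates depend on the
hash algorithm, salting and the attacker's hardware.
"""
import math
import secrets
import string

# Character classes a password policy can require, smallest to largest.
CLASSES = {
    "digits": string.digits,                                             # 10 symbols
    "lower": string.ascii_lowercase,                                     # 26
    "mixed": string.ascii_letters,                                       # 52
    "mixed+digits": string.ascii_letters + string.digits,                # 62
    "all": string.ascii_letters + string.digits + string.punctuation,    # 94
}

# Assumption: a fast offline attack against an unsalted fast hash. Picked so the
# digits-only, 12-character row comes out at 25 seconds, matching the article.
ASSUMED_GUESSES_PER_SECOND = 4e10


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render a number of seconds in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.0f} seconds"


def generate_password(length: int = 16, alphabet: str = CLASSES["all"]) -> str:
    """What a password manager does: draw each character uniformly with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, alphabet in CLASSES.items():
        n = len(alphabet)
        print(f"12 chars, {name:13s} entropy {entropy_bits(n, 12):5.1f} bits "
              f"-> exhaust in {human_duration(seconds_to_exhaust(n, 12))}")
    print("random 16-char password:", generate_password())
```

Two things the table alone does not show: the exhaustion time is a worst case for a uniformly random password, so a human-chosen "P@ssw0rd2022!" gets none of the benefit despite satisfying every character-class rule; and doubling the length buys far more than adding a character class, which is why generated passphrases from a manager are the practical answer.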
- Using software that is outdated or not secure Cyber criminals know that third-party software can offer the best route into your network. That is why it is essential to have clear third-party software usage policies and guidelines. Some estimates say one in three breaches is caused by a known vulnerability that was not patched in a timely manner, which is why you need to apply software updates regularly and keep a record of when each system was patched. And then there is shadow IT. When staff install applications without the knowledge or approval of your IT department, those applications are never inventoried, patched or monitored, and that creates serious security vulnerabilities. You must have clear rules requiring your people to get approval before they install new software.
- Handling data carelessly
The most common examples of carelessness are:
- Emailing confidential information to the wrong person
- Unintentionally releasing or publishing confidential information
- Not using ‘blind carbon copy’ (BCC) when sending group emails, which exposes every recipient’s address to every other recipient
- Low security awareness People with low levels of security awareness are more easily deceived into clicking a link or opening an attachment in a malicious email. One simple act can lead to the installation of malware that opens your hospital up to attack. The costs can be crippling and the downtime dangerous. That is why ongoing training is essential. Good news: training is one of the most important and cost-effective security measures you can take, and attendance records are exactly the kind of documentation an insurer will ask for.
- Unauthorised access to devices This is especially an issue with remote workers who let family members use their work devices (laptops primarily). Family members may unknowingly jeopardise security by installing unauthorised software, changing settings and configurations, downloading malicious files, not to mention accessing confidential data. And it should go without saying but it is essential for your staff to not share their device password with anyone.
- Be confident you know exactly what your current cyber insurance does and does not cover
- Conduct a thorough and accurate analysis of your cyber compliance including areas needing attention
- Implement timely solutions to compliance issues
- Get policy-specific documents so your hospital can produce evidence of due care when needed
- Get the best cyber insurance with only the coverage you need at the best price
- We are beta-testing digital payments in our new payment portal. Paying your insurance premiums just got a whole lot easier. HealthSure is delighted to announce we are now accepting digital payments! Keep an eye out for a link on your next invoice that will allow you to access our new payment portal, or if you want to check it out now, visit your myHealthSure page and click Make a Payment (Applied Pay) on your home page. Our goal is to provide exceptional service, and we are excited to offer you a convenient way to make payments safely and securely, using your credit card, ACH, Apple Pay™, Pay by Text, and more. The choice is yours! Please note there is a $4.00 processing fee for each transaction and a 3.5% fee if you pay by credit card. Important: Applied Pay only applies to HealthSure payables. If you receive an invoice directly from an insurance company or premium finance company, please follow the payment instructions on the invoice. Please don’t hesitate to contact us if you have any questions. We are always here to help!
- You can now access Indio through the myHealthSure Portal! Indio is a secure online platform that combines all of the different functions of a typical insurance renewal in one place.
- The online portal allows you to access / work on your insurance forms whenever and wherever you need them.
- All data in the system “smart maps” between forms, so you don’t have to enter data multiple times (e.g., if you enter your business name on one application, Indio carries it over to all of your other forms).
- The portal has a “Documents” tab which allows you to upload and download documents as needed. All documents exchanged through Indio are scanned with anti-virus software to ensure that nothing malicious is being sent.
- Using Indio allows you to assign applications, forms, or even sections within applications to specific points of contact within your organization, reducing the need to print, scan, or sign forms offline with a wet signature.
- Indio allows you to sign all of your applications and forms live on the platform using their e-signature solution.
- Indio is highly secure and your data is all confidential.
©2022 HealthSure, Inc. All rights reserved.
©2022 Zywave, Inc. All rights reserved.
The information provided in this alert is not, is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of HealthSure, our lawyers or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. HealthSure and Marathas Barrow Weatherhead Lent LLP are not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions.