What will go wrong and how your hospital can deal with it
The evolution of cyber: crime, security and insurance
By Brant Couch, CIC, CPA
Chilling, infuriating, frustrating, futile… these are just a few of the words that came to mind as I dug into the current state of cybersecurity. That’s because, ever since I asked, “Are You Rolling the Data Breach Dice?” in 2013, the amount and complexity of cyber risk rural hospitals face continues to increase.
One indication of increased complexity is the evolution of the meaning of the phrase “data breach”. In 2013, it was used as a catchall to describe internal mistakes as well as attacks by cyber criminals. Now, “data breach” is largely associated with internal mistakes while “cyberattack” is used to describe the theft of data for illicitly profitable purposes. Collectively, the term “cyber event” has become the new catchall phrase.
Healthcare IT News reported that, of the 45 largest healthcare cyber events in the first nine months of 2018, cyberattacks outnumbered data breaches two to one: 30 cyberattacks versus 15 data breaches.
“Every barbarian is at every gate.” That’s how Joshua Corman, a cybersecurity fellow at the Atlantic Council, described the cyberattack situation to Wired Magazine in a recent article about an incredibly destructive piece of malware called NotPetya. (This article evoked the word “chilling”.)
While this may seem to clearly indicate the majority of cyber risk comes from criminal hackers, a large number of the cyberattacks were successful phishing expeditions. These incidents occurred because someone on the inside fell victim to a phony email, telephone or text message. Someone on the inside opened the gate and let the barbarians in.
The 2013 answer to the threat now seems relatively simple: develop a cybersecurity strategy, rally and train the troops, implement some policies, and fortify your systems… in other words, shut the gate and stand behind it. And, just in case the gate doesn’t hold, be sure you have some cyber insurance.
That’s all changed. The growing acceptance that a cyber event is a “when?” certainty, not an “if?” chance, has moved the conversation past the ideal of achieving impenetrable security to the concept of resiliency.
It’s a major shift in attitude with major implications for how you develop, implement and keep up to date your cyber risk strategies. It embraces the belief that if you can’t absolutely prevent a cyber event from occurring, then improving your hospital’s resiliency is vital to mitigating the negative impact of a breach.
Not only do cyber events occur routinely, most organizations don’t even know they’ve been breached. Not only does it take an average of almost 200 days before a breach is discovered, most breaches are discovered by a third party. (This piece of data from the Ponemon Institute evoked the word “futile”.)
Bringing resiliency into your cyber risk management starts with looking at the aftermath of a cyber event by asking: How well and how quickly will your IT systems and hospital recover when it’s your turn?
The work ahead
For most organizations, there is a lot of work to be done. A 2019 Forbes Insights report, published with the assistance of IBM, found that only 42% of 353 executives surveyed were confident their organization could recover from a major cyber event without experiencing any negative impact to their business. For rural and community hospitals, the aftermath can include harmed patients, consulting fees, fines, litigation, bad press, community mistrust, decreased patient volume, and lost revenue.
Here’s an interesting example of how including the concept of resiliency changes your cyber risk management strategy. This four-part ongoing process was published by the National Rural Health Resource Center in January 2018. It can be found in their very practical “Cybersecurity Toolkit for Rural Hospitals and Clinics”.
Folding in the concept of resiliency results in a much different picture. While the previous diagram illustrates how to prevent and protect your hospital from cyber events, it does not include the assumption that a cyber event is inevitable.
This diagram from the book “Cyber Resilience of Systems and Networks” (Springer 2018) takes that inevitability into account. While the need to prevent and protect is not diminished at all, prevention and protection come before (plan/prepare) and after (adapt) the essential cyber resiliency objectives of absorb and recover.
It’s clear that in order to prosper in a cyber environment that has every barbarian assaulting every gate, you need a much more holistic, proactive approach.
(For a very in-depth discussion of cyber resiliency objectives, resilience techniques as well as strategic and structural design principles, check out the Cyber Resilience and Response report published by the U.S. Department of Homeland Security and the Office of the Director of National Intelligence through the Public-Private Analytic Exchange Program.)
You are not alone
As CEO of HealthSure, I live in the world of rural healthcare risk and insurance management. While the variety and severity of threats faced by our nation’s rural and community hospitals are perhaps greater than in any other sector, I believe cyber risk is the most dynamic.
One of my core passions is to encourage collaboration between healthcare leaders, vendors, advisors and where possible, the legislators and regulators who play such a prominent role in your ability to deliver high quality healthcare to your community.
When it comes to insurance, it has been very clear that insurance companies face the same challenges confronting rural healthcare leaders. In an ideal relationship, your cyber insurance company will be nimble enough to stay ahead of the game by working with you to assess, mitigate and fairly cover the real risks you face.
The concept of resiliency shines a spotlight on the need for your entire hospital leadership team (board members, senior executives, department heads, legal and compliance personnel, and your IT team or providers) to collaborate, agree and continuously engage in their cybersecurity roles. Unfortunately, for many hospital leaders, there is a significant gap between what they think is covered and what needs to be covered. And because of this, there is also a gap between what they need covered and what is actually covered.
Finally, I believe an experienced risk and insurance manager, one with an in-depth understanding of the ever-changing world of cyber risk along with significant credibility and influence with insurance companies, is an essential element in any successful cyber resiliency plan.
If you would like to discuss any of the concepts and information shared in this article, please contact us.
Employee safety is key to a hospital’s success. An injured employee is very costly to a hospital, and it is not just the dollar amount of the injury: the soft costs of that employee’s injury are rarely measured. For rural and community hospitals, employee safety is a unique challenge. Join us for a discussion about practical solutions to improve your hospital’s safety culture and help keep your hospital’s employees safe from what matters to them and your patients.
As the HOTCOMP Safety Group Administrator, we are co-hosting a Safe Patient Handling webinar with Texas Mutual.
HealthSure is pleased to announce the addition of three new A Players to our team.
HealthSure is excited to welcome Heidi Hughes to our team as a Risk Advisor. She has already proven herself an essential member of HealthSure’s team. Heidi brings a proven, creative talent for devising “outside the box” solutions that exceed client expectations and needs. “Heidi has illustrated that she is going to be an asset to our clients from day one. She brings a unique perspective to help our rural and community hospitals.” Brant Couch, CEO of HealthSure.
Heidi is passionate about relationship-building. With over 12 years of success initiating, nurturing and strengthening relationships, she knows what it takes to earn and sustain client loyalty. Heidi’s experience includes business development roles at high-profile payroll outsourcing and service firms. She is a graduate of San Diego State (B.S. Business Administration). Heidi continues to pursue her love of personal fitness as the owner of Mighty Fit in Austin, TX.
HealthSure’s P&C team is excited to have two new team members. Brandy Blackwell and Christina Jessup have joined HealthSure as Associate Account Members. Both Christina and Brandy bring a hands-on customer service approach. “Since day one they have both jumped in to understand how they can best serve HealthSure’s clients. We are very excited to have them join the HealthSure family.” Jennifer Fudge, VP Operations.
Our purpose is to help healthcare organizations succeed in the increasingly complex world of risk and insurance, and we need to add more “A players” to our team to support the growth of our organization.
Please be on the lookout for the following positions:
HealthSure offers flexible work arrangements, a strong culture of empowerment, teamwork, and support to advance your career.
Small but important print
This communication is designed to provide a summary of significant developments to our clients. Information presented is based on known provisions. Additional facts and information or future developments may affect the subjects addressed. It is intended to be informational and does not constitute legal advice regarding any specific situation. Plan sponsors should consult and rely on their attorneys for legal advice.
©2019 HealthSure. All Rights Reserved.