Security padlock and circuit board to protect data.
(Credit: Yuichiro Chino / Getty Images)

Everyone thinks they know about cybersecurity, but the effects a cyberattack could have on an organization should be enough to lose sleep over, according to risk management experts.

During a webinar hosted by general and professional liability insurance company HealthCap Risk Management Services, cybersecurity experts discussed the anatomy of a cyberattack and best practices to prepare for one.

Cybersecurity, at its core, is about confidentiality, integrity and availability, according to John P. DiMaggio, co-founder and CEO of Blue Orange Compliance, a risk assessment company. Including senior living in the definition of healthcare, he said that healthcare organizations are targets of cyber criminals because of their relatively weak defenses, the value of the data necessary for operations, and the numerous interfaces and sharing of information that occurs among providers.

A cyberattack can actually start 21 days before an organization even knows there is a problem, DiMaggio said. During that time, the “bad guys” are “snooping around” and finding weaknesses. Exploiting weak passwords and other vulnerabilities, and sending phishing emails or links that install malware, are among the ways that bad actors can breach a system, he said.

Once an attacker gains a foothold, he or she will begin going through an organization’s files, including its cyber insurance policy, to identify a claim payout that potentially could be used to set a ransom amount. Hackers then could install ransomware, download the data and trigger the ransomware to encrypt the organization’s data until the ransom is paid.

John P. Hessburg, JD, principal at Kitch Attorneys & Counselors and lead for the firm’s senior living practice group, said that some of the largest healthcare providers in the nation have been hit by cyberattacks. The creativity of bad actors is “staggering,” he added, but organizations can take steps to insulate themselves from government fines and civil lawsuits.

Actions taken in the wake of a breach to further safeguard data and inform affected stakeholders will go a long way in mitigating those risks. 

DiMaggio said that factors within an organization’s control under cyber risk management start with the company’s management philosophy and implementation. Cybersecurity is about people, process and technology, he said. 

Reasonable security practices — considered the minimum — include risk analysis and management, access control measures, training, incident response planning, physical controls, technical safeguards, third party/vendor management, backup and disaster recovery and patch management.

But DiMaggio recommended going above that minimum threshold by using recognized security practices to mitigate penalties and ensure regulatory compliance. Those practices, he said, include email and endpoint protection, access management, data loss prevention, asset and network management, vulnerability management, incident response, medical device security and cybersecurity policies.

The bottom line, the experts said, is that even with the tightest security measures, there is no guarantee a cyberattack won’t happen. But sitting back and waiting isn’t an option either. Being proactive by putting in place policies and procedures can lessen an organization’s exposure to government penalties and civil class action lawsuits. 

Employers faced greater litigation — and higher related expenses — last year than in previous years due to increased regulations, class action suits and cyberattacks, according to corporate counsel at Norton Rose Fulbright. 

“Large healthcare organizations with depth of knowledge in their IT departments didn’t think it could happen to them,” said Angie Szumlinski, HealthCap director of risk management. “It could happen to you.”