Jeffrey Smith, Cyber Risk Underwriters
Healthcare executives often ask us how best to minimize cyber risk without breaking the budget. Here are a few easy and cost-effective tools we highly recommend to healthcare providers. Most are available free of charge and require minimal expertise to implement.
According to Verizon, email fraud accounts for more than 93% of enterprise attacks. These result from phishing scams or fake emails designed to lure recipients into clicking an infected link or document, or into forwarding information to a fake sender. In our experience, the most effective form of training is the use of phishing simulations. Phishing security tests indicate how many employees are susceptible to email social engineering attacks. These programs are simple and easy to implement. Danna-Gracey offers a free phishing simulation service for medical practices. Paid subscriptions are available that include online registration, monthly simulated phishing campaigns, and detailed analytics to isolate opportunities for improvement.
Multi-Factor Authentication (MFA)
In our experience, multi-factor authentication is possibly the single most cost-effective strategy for SMEs to mitigate a litany of risks. An insured can install antivirus and firewalls, deploy encryption and perform vulnerability tests, but without multi-factor authentication all of these measures are easily compromised. Versions of MFA are available free with Office 365 & Google Suite. Expect to pay up to $6 per user per month for advanced versions.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
Email spoofing is the use of an email message from a forged address that hides the sender’s true identity. The objective is to trick the recipient into taking an action that enables business email compromise and other email scams; this is behind the growing frequency of social engineering attacks, which often lead to successful wire transfer fraud. DMARC provides greater assurance about the identity of the sender of an email message and gives email domain owners the ability to protect their domain from unauthorized use, often referred to as email spoofing. Once DMARC is turned on, only emails that pass authentication are trusted and delivered; emails that fail the check are quarantined or rejected. DMARC is free, but because it is not turned on by default you may need your web host or email administrator to help enable it.
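In practice, "turning on DMARC" means publishing a DNS TXT record at `_dmarc.<yourdomain>`; its `p=` tag tells receiving mail servers what to do with a message whose From: domain fails SPF/DKIM alignment (`none` reports only, `quarantine`, or `reject`). The Python below is an added example, not code from this article or from Cyber Risk Underwriters: it parses such a record, audits a monitor-only record beside a hardened one, and shows the disposition a receiver would give a constructed spoofed message under each. Domain names, report addresses and messages are constructed, and the organizational-domain logic is simplified (a real receiver uses the Public Suffix List and honors `pct` sampling).

```python
# Added example (not code from the original article or from Cyber Risk
# Underwriters): parse a DMARC DNS TXT record, audit it for weak settings,
# and apply its policy to a message the way a receiving mail server would.
# All domain names, report addresses and messages below are constructed.

# Constructed records as they would be published in DNS at _dmarc.<domain>.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@example.com")

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split a DMARC record into tag=value pairs; reject malformed records."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= tag missing or invalid")
    return tags


def audit(txt):
    """Return findings about settings that leave spoofed mail unblocked."""
    tags = parse_dmarc(txt)
    findings = []
    if tags["p"] == "none":
        findings.append("p=none: failing mail is only reported, never quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    return findings


def _org_domain(domain):
    # Simplified organizational domain: the last two labels. Production code
    # should use the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])


def _aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return _org_domain(from_domain) == _org_domain(auth_domain)


def disposition(txt, from_domain, spf_domain=None, dkim_domain=None):
    """Decide what a receiver does with a message whose From: header is in
    from_domain. spf_domain / dkim_domain are the domains that passed SPF or
    DKIM (None if that check did not pass). Returns 'deliver', 'quarantine'
    or 'reject'. pct sampling is omitted for clarity."""
    tags = parse_dmarc(txt)
    spf_ok = spf_domain is not None and _aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and _aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"          # DMARC passes if either check passes and aligns
    if tags["p"] == "none":
        return "deliver"          # monitor-only: reported, not blocked
    return tags["p"]


if __name__ == "__main__":
    # Constructed spoof: From: claims example.com, SPF passed only for the
    # sender's own unrelated domain, and there is no DKIM signature.
    for label, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, audit(rec),
              disposition(rec, "example.com", spf_domain="unrelated-sender.example"))
```

Running the block shows the point of the paragraph above: with the monitor-only record the spoofed message is still delivered (the domain owner merely receives a report), while the hardened record causes it to be rejected. A domain typically starts at `p=none` to collect reports, confirms that all legitimate senders pass, then moves to `quarantine` and finally `reject`.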
Business Vendors: Get a Pre-Nuptial
Vendors are often the weakest link in the security defenses of most providers. In the past few months alone, we have seen several claims resulting not from actions (or inactions) of the insured but from breaches suffered by contracted vendors. One involved a healthcare provider infected with ransomware delivered via a record transcription service that had access to patient files. The claim resulted in over $300,000 of remediation expense and business interruption loss.
Managing vendor cyber risk is not unlike the risk management services that agents provide to clients for other business contracts. In addition to typical requirements such as favorable hold harmless and indemnity provisions, we recommend that vendor contracts define PHI/PII and clarify authorized user access policies. You can also negotiate minimum basic security controls (such as firewalls, patching and encryption) and require regulatory (HIPAA) compliance. Finally, requiring your vendors to purchase stand-alone cyber insurance with a minimum of $1,000,000 in limits and additional insured status is not unreasonable.
Build a Human Firewall
Employees are still the weakest link in any security defense, with human error the biggest challenge to overcome. Most successful hacks result from people clicking on links and opening malicious email attachments, visiting phony websites, downloading malicious software and using the same password across multiple accounts, all of which results in data being breached and identities stolen. If employees were more aware of the dangers, they would become the most powerful defense against cyber attacks. Easy and cost-effective tactics to turn your employees into security “sensors” include restricting administrative privileges to prevent employees from installing malicious software, implementing best practices for email and passwords, and taking advantage of the free resources offered by most cyber insurers. Your cyber insurance policy may include effective employee training videos, do-it-yourself templates for incident response plans, and a general information security policy. More robust training is cost-effective, with subscriptions generally costing around $17 to $25 per employee per year, which may also include phishing simulation.
At a cost of around $15 per employee per year, a provider can achieve HIPAA compliance to improve protection and minimize the risk of fines and penalties from non-compliance in the event of a breach. These annual subscription services generally include a comprehensive HIPAA security risk assessment and findings report, policies and procedures, security training, and access to other compliance tools.
For questions or additional information, please give us a call or drop us a note.
Verizon’s 2018 Data Breach Investigations Report
About the Author
Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed to insurance agents, cyber security providers and “InfoSec” investors.
Prior to joining Cyber Risk Underwriters, Jeffrey enjoyed over 25 years of success providing complex P&C insurance and risk financing design, brokerage and relationship management expertise for complex risks including technology, healthcare, private equity, and real estate.
Cyber Risk Underwriters maintains offices in Atlanta Georgia, Park City Utah and Huntington Beach California.