By Mary Byrnes, AAI-M, AU, Education Department
Recently two things happened. First, I received a call from an agency that wanted to review some cyber tips with their staff and secondly, I attended a webinar on Cyber Exposures for the Healthcare Industry.
I took the webinar mostly out of curiosity. The reality was that it was so eye opening and it made me think of the common types of information and exposures that there are between both healthcare and our own industry.
Mailroom Failure-In 2017, Aetna mailed letters to 12,000 recipients in 20 states about HIV medications. The letters were placed in window envelopes prior to mailing. The envelopes used allowed third parties to see the who was receiving medication for HIV/AIDS. The award on the suit was $17,000,000.
This claim shows us that through something so innocuous as mailing letters could come such a huge release of Personally Identifiable Information. Although, this is not a cyber type incident, it does show that a huge exposure is people. There lies the commonality in this claim and in the exposures that agencies have from cyber exposures.
Agencies have some of the same types of information that the healthcare industry does:
- Billing Info (credit card, bank info, addresses, etc.)
- Social Security #s
- Insurer info
- Medical info (agencies that write Health Insurance)
Agencies are dependent on the IT infrastructure for insurer communication platforms/portals, billing, vendors, etc.
The common types of breaches are:
- Employee carelessness &/or negligence
- Employees & Social Media
- Rogue Employees (former employees with an axe to grind)
- Phishing schemes
- Lost or stolen devices
- Business associate failures (former vendors with an axe to grind)
All of these types of breaches point to a human factor.
Let’s go over one of
the breaches on the list.
Phishing is when someone (cyber-criminal), poses as a trusted party to get sensitive information from a source. This could be a mass email sent from a spoofed site that looks almost exactly like a site that you use all the time. The email might say that they need to update your credit card info or social security number possibly due to your account being compromised.
As everything else evolves, so are the cyber criminals. They're not always looking for the quick turnaround for what some of them consider low profit with mass email spoofs. Now, many are willing to do some research into a firm, mine for data about the people at a firm, watch their emails etc. They're even willing to scope out the physical location, seeing who comes and goes.
Picture this…the boss goes away on a long-awaited vacation. Beforehand, they've included in all of the emails that they've sent out that they'll be out of the office for a couple of weeks visiting sites in Europe. While the boss is away, an email is received by the accounting department from the boss. It says that they are having a great trip, seeing the sights and doing some shopping. They've decided to buy some jewelry from a well-known store overseas and they don't want to put it on their credit card because they'll be there for a while and doing more shopping. Please wire $xx,000 to Well Known Jewelry Store, here's the routing number etc. Please let me know when it's done. See you in a couple of weeks. Thanks, the Boss. The accounting person is really busy and this is the last thing that needs to be done before they can leave for the day. They wire the $$ and respond to the email from the Boss that it's done. The email goes back to the cyber-criminal, they receive the $$ and close the account.
Did the employee willingly send the funds-yes. Without some type of insurance can the funds be recovered-no.
From an insurance standpoint-this would be treated on a Crime Policy by endorsement for Social Engineering. An unendorsed crime policy won't do the trick, it needs to be amended to include the coverage.
Not only is a Cyber policy a good idea for your agency and your insureds, but Crime policies should be endorsed to include the Social Engineering coverage.
Risk Management Tip: If ever you get a request to transfer funds or to change an account number that you send money to (vendors, carriers, etc.), don't do it based on an email or a call in. First, call your usual contact or the person supposedly requesting the $$ (example: vendor, carrier, the boss, etc.) and ask about the request. Verify! Do not call the number in the email or email that was provided in the call requesting the money transfer or the account number change or call the number back from the email or the phone call that was received.
Cyber Security Tips for Everyday:
- Don't open emails from strangers and especially don't open attachments from them.
- Use strong passwords, don't use names (human or pet, etc.) add a few special characters or numbers.
- Free Wi-Fi connections can be unencrypted, so be careful of accessing personal or sensitive data in places where you're unsure of the security (hotels, hospitals, airports, restaurants, internet cafes, etc that provide open access to their patrons).
- Make sure that your computers & systems are updated with the latest updates on operating systems and virus protection etc. It's not uncommon for a vulnerability to be discovered and an update issued.
The criminals aren't going to target mega corporations; they're looking at John & Jane Q Main Street. To keep your information safe, the key is to be aware and diligent.