The CyberPHIx Roundup: Industry News & Trends, 3/1/23

PODCAST TRANSCRIPT

Britton: [00:00:15] Hello and welcome to The CyberPHIx Health Care Security Roundup. Your quick source for keeping up with the latest cybersecurity news trends and industry-leading practices specifically for the healthcare industry. I am your host, Britton Burton. In addition to this roundup, be sure to check out our resource center on Meditology Services, which includes our CyberPHIx interviews with leading health care, security, privacy, and compliance leaders, as well as blogs, webinars, articles, and lots of other educational stuff. We have a full agenda to cover today, so let's dive into it. Hello, everyone. Really good to be with you today. One quick heads up. I've been a bit under the weather this week, so if my voice sounds a little nasally or it cracks several times, spoiler alert it does throughout the podcast. I promise I'm okay. And I'm not a 13-year-old boy. Just working through some voice issues. But bear with me and let's have a great podcast. Our first story today is from early February right after we recorded the February podcast. But it's such a precedent-setter. We felt we had to go ahead and cover it here in the March edition. I'm sure by now you've seen the headline that the FTC has announced its first enforcement action under its new health breach notification rule or HB, and are against good recs. So back in the January pod, we covered this rule, this HIPAA rule. One important note that you may not realize I certainly didn't until researching it more. 

Britton: [00:01:50] The HP and R is actually not a new rule. It's just that the FTC expanded its applicability back in September of 2021 when they released a new interpretation. But the rule has been in existence for years, so this new interpretation in September of 21 Ta few things. The FTC claimed that, number one, developers of health care apps were health care providers furnishing health care services. Number two, health information on apps could constitute a personal health record when information was drawn from multiple sources. And number three, breaches of security were not limited to just cybersecurity events, but could also include sharing of information without an individual's authorization. And so now we have the first proof that they are serious about this, specifically the H, B, and R requires vendors of personal health records also called for related entities and third-party service providers to notify consumers and the FTC and the media if the company experiences a breach of unsecured, identifiable health information. Or they could face civil penalties for those violations if they don't. So the order does not apply to entities already covered by HIPAA. I think you all know that, but it does not apply to entities covered by HIPAA or to their business associates. And that's been the big loophole in HIPAA that healthcare delivery orgs have wrestled with somewhat when dealing with some of these health apps and connected devices that are kind of tangentially connected to the healthcare experience. 

Britton: [00:03:18] So there are several detailed allegations from FTC about this case, but I don't think all of those are super, super important to get into here. For traditional HIPAA-covered healthcare entities, which makes up most of our audience, I'll sum it up by saying most of this stems from GoodRx sharing information with third parties, specifically in this case, Facebook and Instagram. Facebook pops up a lot, right? So sharing information with these third parties without gaining user consent, without limiting the use of that information by the third parties to the direct services requested by the consumer. Those are the two key things. No user consent and then not limiting the use to directly to the service requested by the consumer. There's more detail, but those are kind of the underlying things. And in turn, then these third parties were using that personal information to do targeted digital advertising, as you're probably not surprised to hear. So again, more detail you can look up more, but I think that summarizes what the basic case is about. So let's cover the proposed enforcement language from FTC, because there's some interesting stuff here. So FTC, first of all, top level headline will require GoodRx to pay $1.5 million in civil penalties and permanently cease sharing health information with third parties for any advertising purpose. 

Britton: [00:04:38] Additionally, good RCS will be required to obtain user's affirmative express consent prior to sharing user health information with third parties for a non-advertising purpose. Provide sufficient notice to the media, the FTC and each consumer who's unsecured. So remember, this is a new acronym. Yay new acronyms Personal Health Record. Not one that I had heard until this. This case provides sufficient notice to the media, the FTC and each concerned consumer whose unsecured, identifiable health information was acquired by an unauthorized third party. Require every third party that obtained any of that from good RCS to delete the information. Implement a comprehensive privacy program that protects the privacy, security and confidentiality of consumers personal information, including their health information. Establish document and adhere to a data retention schedule. That's interesting, right? Don't see a ton of specific regulation or requirements on data retention, but establish, document and adhere to a data retention schedule that is publicly available with details about the information Goodreads collects and why such collection is necessary. And then finally obtain an initial and biannual privacy assessment conducted by an independent third-party professional. So obviously this is a major precedent-setter. I mean, some of those individual settlement requirements and just the fact that FTC has issued its first penalty, major precedent setter, the impact to health delivery organizations may not be immediate and super direct right now, but I think you have to believe the wearables and. 

Britton: [00:06:17] Personal health apps and so on that have, as I've said, been tangentially connected to the whole health services continuum, are going to have to take notice here and start shoring up their their data practices, which will in a longer term bring them into better alignment with the privacy rules that we already have to follow in the traditional health care industry. You know, one other aspect that I think is worth mentioning here, is definitely something to keep in mind as the lines blur more and more between what I would call traditional health care and then this kind of more consumer-friendly version of health care. Many organizations are beginning to build apps, services, devices that cross more into this area and that blurs those lines between are you a covered entity or a business associate or now a health entity covered by HP and are. So if your company is doing development in this kind of space that you're aware of, but maybe you kind of didn't consider it in scope for your program or something, this would be a discussion, a discussion worth having a with your privacy team, with your legal counsel, your i.t. Development shops. Because this is now real, as we can all see. Well, let's get back to our comfort zone here after that story with the HIPA security rule and some new reports on hippo security rule compliance. 

Britton: [00:07:36] Like a warm pair of slippers, right? Ocr released reports to Congress based on an analysis of all the 2021 breaches reported through the OCR Hippo Breach Web portal. So this report stuck out to me because it's it's direct from OCR, whereas a lot of what we see is from a third-party firm analyzing OCR data, not that those are not useful, I don't mean that at all, but when you see something that's direct from OCR based on their own data, I think your ears got to perk up a little bit more. So as you all know, OCR investigates all data breaches of 500 or more records and initiates HIPAA compliance reviews in all of those breaches to determine whether noncompliance with the HIPA rules was a contributing factor. So in 2021, OCR launched investigations into 609 data breaches of 500 or more, and then 22 data breaches that were fewer than 500 individuals. So 631 if my math is correct. There are a few interesting tidbits about the number of individuals affected and percentage of breach type and cause, and the types of entities compromise that you can find if you look these reports up. But to me, that's not really the crux of this. By far the most interesting part to me was Oscar's commentary on where the healthcare industry is falling short and what the most common actions taken by compromised organizations were. 

Britton: [00:09:04] So let's start first with where covered entities are falling short with this direct quote from OCR. So quote, There is a continued need for regulated entities to improve compliance with the HIPA rules, in particular the security rules, standards, and implementation specifications of risk analysis, risk management, information system activity review, audit controls and access control where areas identified as needing improvement in 2021. Ocr Breach investigations, end quote. So that part stuck out to me because it's basically the same set of requirements, especially in the case of risk analysis and risk management going back for 15 years now, we just can't seem to get some of those basic things down as an industry and they're hard problems to solve. I'm not saying that we're all asleep at the wheel here. The biggest chunk of my experience certainly has been in the cybersecurity risk management arena. So I'll admit [00:10:00] that I'm particularly passionate about that topic. And my take is that we keep seeing this as the number one shortcoming, in part because it's risk management is a very difficult concept that takes much, much more than just implementing technology. It requires understanding how your company communicates about risk in general beyond cyber risk. It requires educating your colleagues on a daily basis, even those in the Security Department who understand security threats and vulnerabilities and controls. It requires a very nuanced understanding of risk tolerance and risk thresholds that most people do not get even outside of the cybersecurity conversation. 

Britton: [00:10:40] It requires buy in and maintenance from nearly every corner of your organization to maintain a risk framework that actually produces quality, output and actionable data points. And the GRC space has certainly improved over the past 5 to 10 years. But security practitioners and we as an industry overall, we still need to get better [00:11:00] at handling reporting and managing risk through those tools rather than getting sucked down into the individual controls and vulnerabilities and findings that tend to dominate most GRC tools and most cybersecurity conversations. And we have to create better, more efficient tools that help us lead the conversation, communicate actual business risk and shape culture rather than just tracking findings. So that's my soapbox. I'll get off of that. But we just it's amazing to me that we keep seeing that as basically the number one finding and and it doesn't ever seem to change. So I mentioned there was a second part that I think is also interesting here. It caught my eye. The most common remedial actions, two breaches of 500 or more records. They analyze essentially the responses of these orgs that were breached and gave this list of Here's what most of them did. So I'll run through that list real quickly. Number one, implementing multi factor authentication for remote access to revising policies and procedures. Three Training or retraining workforce members who handle PHI for providing free credit monitoring and identity theft protection services to their customers. 

Britton: [00:12:12] Next, adopting encryption technologies. Next, imposing sanctions on workforce members who violated policies and procedures for removing PHI from facilities or who improperly accessed PHI. And then the final three Changing passwords. Performing a New risk. Assessment and then finally revising business associate contracts to include more detailed provisions for the protection of health information. So this is sort of an interesting mix of things on this list to me. You know, a lot of them are things that an organization should have been already doing proactively to prevent a breach. Right. And then some of them are things they would obviously do reactively to responsibly manage the incident. Obviously, free credit monitoring and identity theft protection is one example of that. But items like multifactor on remote access, adopting encryption technologies, I mean, we've got to be doing those in our daily security program and decision making. So this list, it seems worth sharing if you need a little help focusing on what are the absolute tablespace controls, we need to be really, really confident or in place and are operating effectively because there's four or five on that list that are make sure. Right. And then what are some things we know we'd want to include in our breach letter to show that we're playing ball as the government expects. Hopefully, you all have that breach letter template pre-written. 

Britton: [00:13:33] Maybe you got to tweak it in the event for some of the fact pattern of the event that happens. But I'd say 90% of it should be written ahead of time. And there's some nuggets in there that I think would be useful. Moving to a different regulatory body. We're all aware and have been for some time of the looming SEC rule that will require more oversight of cybersecurity disclosures and risk management practices for publicly traded companies and registered investment advisors and funds. But it's kind of been hurry up and wait. So I saw a really, really interesting analysis from Pillsbury Law in early February that I wanted to go ahead and cover here, because this one has been something that I know I've been sort of waiting with bated breath to see. When are we going to learn about when this is coming out? So they wrote a really great analysis, and I'm just going to directly quote actually their three main takeaways that they summarize at the top, because honestly, I can't do a better job of saying it more succinctly than Pillsbury Law did. And then I'll get into some more details afterwards. So Pillsbury's three main takeaways were the SEC has nearly doubled the size of its crypto assets and cyber unit and has aggressively pursued cyber related enforcement actions against public companies and regulated entities. That's one number two. 

Britton: [00:14:50] In a few months, the SEC will finalize new rules governing firm's cybersecurity obligations, ushering in an unprecedented wave of oversight. Important point there in a few months as of February 3rd when this was written. And then point number three companies must proactively prepare for changes to the cyber regulatory regime by assessing the adequacy of their security protocols, disclosure controls and procedures and disclosures to investors regarding cyber matters. All right. So I particularly wanted to point out the one that mentioned in a few months this has been on our radar as far back as first quarter of 2022. And we keep waiting for the announcement of it's here. So this isn't quite that, but this is the closest we've gotten to that, and I think that's important. So for a quick refresh, summarize some of the most pertinent points to be aware of within this new rule. First, it's a mandate for public companies to report via their Form 8-K any cyber incidents within four days. Four days, right. Of concluding that an incident was material and to provide updates on those incidents in Forms 10-K and 10-Q. So that definition of material can be really tricky, but the SEC does at least have some guidance on that definition all the way back from 2018 and 2011, interestingly enough. But it's still not super clear, right? It's still not black and white. And then perhaps even more confusing, there's also a mandate to report immaterial incidents that are material in the aggregate, which is even more difficult to define. 

Britton: [00:16:22] I think you can probably picture what that can mean, but actually defining it in a way that, you know, I now have to disclose this in my 8-K, that's a different ballgame in my mind. The rule will also require companies to describe their policies and procedures for identifying and managing risks from cyber threats, including from third-party service providers. Very important one. And then the last big thing, and there's a lot of detail here, I'm trying to summarize it as best I can. The last big one is another precedent setter, at least as far as I'm aware, in terms of governance on boards of directors. The proposal would require companies to disclose their board of directors oversight of cyber risks and directors and officers expertise in implementing and managing cybersecurity. So essentially, companies would have to disclose any detail necessary to fully describe the nature of a director's expertise and whether they have a designated chief information security officer, and if so, that officer's relative seniority within the company. So a lot there, especially the board part about you have someone who's like the dedicated security guy who understands it, has experience in it. Very, very interesting development there. And then another really big statement from Pillsbury's analysis, direct quote, this one, In short, we expect that the rules will likely be adopted substantially as proposed and that enforcement activity will increase in the wake of the rules implementation. 

Britton: [00:17:52] This is big to me because I've also been trying to find a statement like this for nearly a year. There has been a lot of debate about the term material. What is a material incident? What does that mean and whether or not a four-day disclosure timeline is at all reasonable? And so I think part of me thought that there might be some changes to the rule because there has just been so much debate about the reasonability of those two things. And as that comment period drags on, it's like, well, you know, maybe it's going to change. I don't know how much action we should take to satisfy this right now because it seems like it might change. This is the first time, at least, that I've seen maybe you have seen it elsewhere, but this is the first time that I've seen anyone publicly stated this is probably going to be what gets stamped into the rule. So we've got next few months as of February 3rd and we've got basically the way it's written is probably what's going to be passed. And I think those are really, really important to to understand. All right. So timing and likelihood of it being largely unchanged. Those are the biggest takeaways, as I said. But let's talk a little about how you can prepare. 

Britton: [00:18:58] Obviously, you need to work with your cyber, your privacy, and your legal teams to interpret that SEC guidance and to find your company's version of material incident and material incidents that are material in the aggregate. That's a critical thing. I think you've got to have your own definition of that. Since there is not a given definition from the SEC, that means it's up to you to define it and to be able to point to it in a policy or whatever in the event you get audited and you can go, look, we this is our definition and we either met it or we didn't. But having that definition is going to be critical. You've got to make sure your incident, reporting protocols, and tooling are tuned for speed and for scope of what this is for days and then the scope of what material means and some of the other details that are within about what incidents are and what type of reporting, what type of details need to be shared. You've got to make sure you're performing continual risk management activities. There's a theme here, right, and you have clear policies and procedures defined for those activities. Beyond that, can you prove that you've assessed where your sensitive information lives, that you've assessed threats and vulnerabilities to that information, that you've assessed the controls that you have in place? Can you demonstrate that you have continual processes to evaluate and improve those controls? These are the types of things you need to be thinking about to to prove compliance with this rule. 

Britton: [00:20:19] You need to be able to do the same for your third parties. Do you have policies and procedures that define your TPR and program? Do you have an inventory of vendors? You've assessed and readouts on their security posture and control deficiencies. Do you have a way to communicate with them in the event of an incident? More of an operational approach to prem not just assess at time of contract, but continuously assess continuously, be able to communicate in breach and vulnerability remediation situations? And then finally, can you prove that you have that governance in place, that that board-level stuff we're talking about at the beginning? Are you reporting risk at the board level, first of all? And then does that board have someone on it with the cybersecurity expertise? So obviously, there's a lot to think through here. It now appears imminent. So if you are in scope as a publicly traded company in the healthcare space, this has got to be on your radar. All right. Let's do a quick hitter here. New announcement from NIST about lightweight cryptography. I think this is going to be an important one in the healthcare space. Nist has announced they will publish a new lightweight cryptography standard later in 2023. 

Britton: [00:21:28] No specific date given, but sometime in 2023, those algorithms that were chosen were basically designed to protect information created and transmitted by the Internet of Things. That was the whole point behind this. So already that's relevant to us in the healthcare security space, because as you know, we have more and more Iot gadgets on our networks. But NIST is directly quoted as saying these are also designed for other miniature technologies, such as implanted medical devices, things like stress detectors inside of roads and bridges, keyless entry fobs for vehicles, small devices like these that need lightweight cryptography because they need something that limits the amount of electronic resources used, because these are tiny devices that have limited electronic resources. So the spokesperson for this is a woman named Carrie Mackay from NIST who said that this algorithm should be appropriate for most forms of tiny technology like this, basically just did what they always do. They had a very long time of trying to determine the most effective approach in this case, the most efficient, lightweight algorithms, and held a development program that took several years. This one of them, one I'm not going to go into the naming and technical details of it, but suffice to say one of them won. And Carrie also stated the goal of this project is not to replace IIS or hash standards. Nist still recommends their use on devices that don't have the resource constraints that these new algorithms address. 

Britton: [00:23:01] So important point there. Again, just bring this to your attention, because I know we've all heard from medical device manufacturers for years that encryption isn't possible because of resource constraints. And again, we're hearing that with Iot as well. The more and more that we encounter in the healthcare space. And so it sounds like later this year we will have a way to respond to that answer that basically, hey, that's no longer acceptable. So exciting news to come on that front. I want to bring this next one up in the spirit of never trusting when attackers say they won't attack certain sacred cows. Associated Press learned from federal officials that the new 988 mental health and suicide helpline was the victim of a cyber attack back on December 1st that caused nearly a day-long outage. So the attack occurred on Network four in Toronto, which is the company that provides telecommunications services for the helpline. The 988 number, if you haven't heard of it, is designed to work similarly to 911. Basically, let's give them a universal, easy-to-remember number that can be reached in an emergency and has round-the-clock human support to respond to people in distress. It just went live in July of 2022 and according to the story, has received millions of calls and texts for help in that six-month or so time period. 

 Britton: [00:24:24] So when the attack happened, anyone who tried on December 1st to call the line for help with suicidal or depressive thoughts or instead greeted with a message that said this line is experiencing a service outage. Good to know that it's a text line too, not just a callable line and apparently chat bubble as well. So text and chat services were still available. That's good news. But the call service was not. I felt this was important to cover if you're in an industry or work at a company where you think, no way we'd ever be a target of all this cybercrime stuff. The 908 hotline is not the type of victim who would be flush with cash and would be able to pay some kind of large ransom or extortion payment. This is sickening to me because this number only exists to help people who are in their lowest moments. Right. And any kind of outage could result in someone literally taking their own life. And yet they still got attacked. Many attacks these days are automated and sprayed. And so this that I wouldn't be surprised if that's what happened here. Obviously, I don't know. But that's the nature of a lot of the attacks. And so it doesn't have to be intentional. This may not have been intentional. What that means, though, is your company doesn't have to be intentionally targeted either. 

Britton: [00:25:41] And I just think it's important to share stories like this. Here are some quick data points for you from a recent report from HealthNet Security. It starts out with some pretty good news. The number of data breaches affecting healthcare providers declined in the second half of 2022. And they also say that decline is consistent with a downward trend [00:26:00] over the past two years. So yay, Right? But they go on to say that current breach totals are still higher than pre-pandemic levels. So they say the frequency of confirmed data breaches was down 9% in the second half of 2022 as compared to the first half. But the number of individual records compromised actually went up by 35%. So basically, I think it's saying the number of breaches is down, but the impact and totality of each breach is sharply increasing. Perhaps not a big surprise given the trend towards centralizing data more with service providers, with cloud, doing things to allow better efficiency and modern data analysis techniques and drive value. But data that backs up that sort of speculation nonetheless. Right. Two specific findings from them that I know you've heard us talk about a lot that I think just bear repeating because we keep seeing more data to back it up. Attackers continue to find success targeting business associates and third party vendors such as electronic medical record providers, lawyers, accountants, billing companies and medical device manufacturers. 

Britton: [00:27:06] So here's the key stat. In the second half of 2022, more records were exposed due to breaches at Business associates, 48% than actual healthcare providers, 47%. We've had some stats like that I think in recent podcasts that I've been sharing because that's sort of been a. A trend that we see here at Meditology and Coral. And any time we see things like that that sort of back up. Yeah,  this is real. This isn't just a feeling. I think it's worth sharing. We've just got to keep our eyes on that third-party space. Also, notably, they mentioned that attacks against EMR systems were basically nonexistent until 2022. So that's interesting, right? Emr vendor attacks spiked to 7% in the first half of 2022, and then we're 4% in the second half of 2022. For the full year of 2022, EMR related breaches accounted for 6 million individual records exposed. So again, more evidence that attackers are shifting that bullseye to the vendors who support our health systems. The EMR stat specifically, obviously there's a move towards cloud-based EMR for a completely good reason. I understand it. I'm not saying it shouldn't go there. We've just got to be able to get our arms around the risk of it. And obviously, TPR is just not an optional thing anymore. I doubt any of you think that to be the case. The real problem is that we need to be able to do it at speed and scale that supports modern business operations. 

Britton: [00:28:31] It's not the ignorance that, oh, I should be managing third-party risk. It's the how do you even do this? And we've got to get better at the speed and scale. Another quick one on some research about the rise in wiper malware attacks. A recent report from Fortinet shows a 53% increase in wiper attacks in the last three months, the last quarter of 2022. The report cites Russian-backed attackers who were working in support of Russia's military objectives in Ukraine as the main reason for this increase. So that's interesting. Wiper activity has been the report says wiper activity has been largely nonexistent prior to 2022. But in 2022 alone, they saw 16 different families targeted at 25 countries around the world. So wipers tend to be malware strains that look just like ransomware on the surface level, but then essentially have no data recovery mechanism more intentionally meant to just destroy data or not allow you to recover data as opposed to elicit that ransom out of you. That means it's typically more meant for sabotage than financial gain because there's really no way to get the data back and therefore no point in the attacker asking for money from the victim. I think most of the security industry agrees that there's not a major difference in how we need to prepare for wiper attacks in terms of how we compared to how we already prepare for ransomware attacks. 

Britton: [00:29:58] The attack vectors are largely the same. The end result of having unusable data is basically the same. So most of the mitigations you're already deploying for ransomware should continue to be your focus. You just may need to include this, this concept of wipers and your in your messaging to leadership and in your er contingency plans because your instant response plan probably includes some parameters for when you might have to negotiate with an attacker on payments or how you go about securing a cryptocurrency broker, know those, those parts would, would likely be irrelevant in the event of a wiper attack. More than likely, this threat model exists more for organizations with geopolitical ties or ties to social issues that tend to draw the ire of social activists. So it's definitely something you should consider. What does your company do? Like what is everything that they do? Do you know everything your business is involved in? And are you maybe a little bit more likely to be in play for a wiper attack than just your typical hospital? If so, does that mean there's maybe a chapter you want to add to your ransomware playbook? I think that's why I wanted to bring this up. All right. For our final topic today, we've got a pretty big one on cyber insurance covering several different aspects. 

Britton: [00:31:17] I'm going to try to weave this into a holistic perspective on cyber insurance. So bear with me, because these are all separate concepts from separate research sources, but all obviously very, very connected. I'll see if I can land the plane and you can send me an email afterwards telling me if we landed it or not. Our first headline in this three-part story is that in August of 2022, Lloyd's of London announced that it would require its underwriters around the world to exclude major state backed cyber attacks from their common standalone cyber insurance policies. The perspective of this article was worry that this will set a precedent that other insurance companies adopt in 2023, since Lloyd's is such a massive player. So look, obviously Lloyd's is doing this, as you all know, because the entire cyber insurance industry has been rocked by these mega breach cases with huge, huge price tags. And they're not able to absorb the costs of their insured clients. Premiums have already skyrocketed while coverage amounts of drops. We've covered that several times on the podcast here. But we also know that the insurance market is going to continue to react to this sort of evolving dynamic by finding ways to scope out certain things or make it harder to obtain insurance. So this is just an example of that, excluding nation-state-attributed attacks. 

Britton: [00:32:42] This one, though this specific one to me is pretty problematic. Obviously, the current cybersecurity landscape is completely intertwined with geopolitics and nation state actors. I mean, every single week there are multiple reports of some new North Korean or Chinese or Russian backed threat group targeting health care, targeting critical infrastructure. We also keep waiting to see how the Russian escalation against Ukraine is going to affect companies and government entities who are not in any way involved in the war. So this is a complex ball of wax that you're now bringing into the. Is the coverage going to be triggered conversation? The report says that the de facto way to determine if a nation state was involved, that will determine whether or not it's the coverage will be triggered will come down to attribution by government, intelligence and security organizations. So even that, you know, that's going to create this, I think, kind of interesting, adversarial dynamic between private companies and the FBI or whoever that I don't know if that's great. It also says in cases where law enforcement agencies and courts cannot provide conclusive evidence, the burden of proof will likely fall on the insurer rather than the customer. So at least that part is a little bit of good news. It's not like the burden of proof is on me and my hospital company or my medical device company to prove that it was not a nation state. 

Britton: [00:34:11] But this whole thing is just, as I said, really problematic. It's all so intertwined that it's yet another reason for me to wonder if cyber insurance is even worth it. I don't think we can say that it's not worth it yet. We're not to that point, but we're we're going to really need to trend towards balance in this marketplace. The pendulum is swinging too far in favor of the insurers right now as a reaction to how far it had swung and like, just get insurance and they'll pay you and everything's fine, which wasn't the right approach either. So for risk practitioners and CISOs out there, you know, this is I think this is just the heads up that you need to start with. You've got to be aware that this is out there. Right as your underwriters, as your your policy evaluation period comes up in 2023, you've got to be able to ask those underwriters, Hey, what is your stance on this nation state thing? They may try to sneak it in on you. Who knows, right? So if you have any ability to negotiate terms, to ask very clearly up front, is that is that a part of this? You do everything you can to make sure that clause isn't in your next policy, because I think it's going to be a difficult one to deal with if if you do wind up having to exercise your policy. 

Britton: [00:35:22] The second story, much more positive news. Luckily, there was a really good interview with a lady named Isabel Dumont recently. She's the VP of market engagement at Cowbell. Cowbell is an insurance, a cyber insurance provider for small and medium businesses. So she discussed the importance of third-party risk management and stated that, quote, Many suppliers to large companies often are small businesses that lag behind in their deployment of cybersecurity controls. Boy, do we know that in the healthcare space they can be an easy path for cybercriminals to launch attacks on larger organizations. Continuing this additional risk needs to be considered when pricing cyber coverage and has an impact on cyber insurance premiums. She goes on to explain. Having adequate cybersecurity deployed when interacting with third-party vendors drastically improves the risk profile of any organization, and it also makes it more insurable for cyber, which in turn in return excuse me, lowers premiums or opens more coverage options. So some great quotes there from Isabelle. In my opinion, this is the kind of balance that we need. This is the balance I'm talking about from the insurers, meaning cyber insurers should focus on raising the expectations for what it takes to receive coverage or provide incentives like lower premiums and higher coverage amounts. If companies meet certain expectations, that puts reasonable targets in place for companies to shoot for. And it also raises the game of the entire security field because there is real tangible benefit to implementing certain controls. 

Britton: [00:36:57] I know I would love to be able to say to my board something like, Hey, we can reduce our premium by $1 million. If we spend the 200,000, I'm asking to develop our CPR program further. That is an outstanding thing to be able to say as a risk manager and a cybersecurity leader who is always striving for ways to quantify the benefit you can provide. So specific to the TPR requirement that Isabelle discusses. This makes total sense to me. How many times on this podcast do we talk about, even on today's literal podcast, do we talk about the target shifting to third parties in health care? Insurers are already doing things like validating that their clients do things like MFA, regular vulnerability management, routine risk analysis, so on. So this is just a natural extension in my mind of those types of validation texts checks to determine if a company is insurance worthy, which of course means that we and the practitioner realm need to make sure we're getting our CPR programs in place, finding ways to make it more efficient, putting the onus on third parties to prove their security posture through tools like high trust certifications and routine pin testing. If we do that, we all win because we're raising the bar for security. We're the rising tide that lifts all boats and hopefully we're lowering our premiums on cyber insurance. 

Britton: [00:38:19] All right. And then the last piece of this cyber insurance bundle of stories is this fascinating story about hard bit ransomware. I'm not sure if you all saw this,  but it was a major eyebrow raiser to me. According to security research firm Varonis, the group behind Hard Bit is asking their victims to tell them what their cyber insurance limit is. Varonis shared part of their the message that comes up on the ransomware lock screen for the victim. And I'll give you a few direct quotes from it because they're they're sort of mind boggling quote, very important for those who have cyber insurance against ransomware attacks. Insurance companies require you to keep your insurance information secret. Thisis to never pay the maximum amount specified in the contract or to pay nothing at all. Disrupting negotiations. The insurance company will try to derail negotiations in any way that they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. So how about that? Pretty savvy, right? Later on, they add a little personality to it. Quote Since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance. Be sure to inform us anonymously about the availability and terms of insurance coverage. 

Britton: [00:39:40] It benefits both you and us, but it does not benefit the insurance company. So that was fascinating to me, right? Because I've just never seen anything quite like that in the negotiation process that are clearly trying to play on the, Hey, we're in this together. I know I attacked you and I'm making you have the worst day of your life and your company can't even operate. But we're in this together against the insurance people. That's just like, I mean, talk about chutzpah to go that route, right? I'm going to. Now, here's the part where I try to land the plane. So obviously, all three of these stories, all three of these factors are related. I'm glad the stories came out within a week or so of each other the way they did, because I think it paints this perfect picture for why the cyber insurance realm is so topsy turvy right now. What we see through these stories, attackers are extremely successful in compromising organizations. That's been the case for a while. But now apparently they're even getting savvy enough to ask you how much coverage, cyber insurance coverage you have so they know exactly how much money to ask for. So organizations are obtaining insurance because there's this feeling of inevitability of it's going to happen at some point. So we've got to have it. That inevitability is pushing insurers towards loss instead of profit, or at least not enough profit if we're being honest with each other. 

Britton: [00:40:58] But look, there are business just like everyone else. So of course they've got to meet certain markers and make profit. So they're reacting to the market and changing terms and changing requirements to stay profitable. We have one example from this bundle of stories that in my mind and my opinion is the completely wrong way to do it scoping out nation-state-sponsored attacks. And then we have another example that is the right thing to do making companies prove they have a PR and program. So this is going to be a continuous, I think, backand forth. I think we've probably got a few more years of this where the pendulum is swinging a little bit back and forth. How do you prove you're worthy of cyber insurance? What is actually recoverable? I don't think it's going to be solved and we're all going to be super thrilled with it here in the next six months or within 2023. But I felt like this was just a great way to kind of encapsulate everything that's going on. And I hope I landed on the plane. That's all for this session of the CyberPHIx Health Care Security round-up. We hope this was informative for you and we'd love to hear from you. If you want to talk about any of this. Please just reach out to us at [email protected]. That's all for this week. So long. And thanks for everything you do to keep our healthcare organizations safe.