Author: John Farley
Those who manage risk in senior living environments have traditionally focused on perils associated with the physical safety of residents, professional errors and omissions, contractual liability and other forms of risk. However, a comprehensive enterprise risk management approach that reflects today's changing risk landscape calls for a reassessment of what is now impacting bottom lines, brand reputations and most importantly patient safety. Cyber risk has emerged as one such threat that cuts across all sectors and poses a very real threat to senior living organizations.
Today's cyber threat actors favor multiple attack strategies. Ransomware has emerged as the attack method of choice, where malicious software is launched via phishing emails. Once inside a network, the software often spreads quickly to lock down all data throughout the victim's entire ecosystem, impacting devices, servers, phones and many other integral parts of the organization — effectively ceasing operations.
Demands in the six and seven figures are often made in exchange for the release of data. Refusal to pay often results in threats to destroy data or release sensitive data to the public. Legal costs, business interruption, IT forensics investigation costs, regulatory fines and other costs may also follow.
To illustrate the bottom line impact of ransomware attacks, Coveware issued a recent report1 that found that the average ransom payment was $322,168. Even more concerning, business interruption costs could be even greater than the amount of the ransom paid, as the average downtime is 20 days. In a senior living environment, critical life-supporting medical devices and electronic medical record systems could become inaccessible. What might be an initial financial threat could quickly escalate to an inability to properly care for residents effectively, raising risks exponentially.
Preventing and mitigating ransomware attacks
Implementing an effective cyber risk management program always starts with a comprehensive understanding of your environment, with insight into security gaps specific to the organization.
The FBI has offered advice on preventing and mitigating ransomware attacks, including:
- Regularly back up data, air gap and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the Cloud).
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication (MFA) with strong pass phrases where possible.
- Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
- Disable unused remote access and remote desktop protocol (RDPP ports and monitor remote access and RDP logs.
- Audit user accounts with administrative privileges and configures access controls with the least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
Transferring cyber risk
The cyber insurance marketplace offers solutions to transfer risks associated with ransomware and other cyber threats. Policy terms and conditions vary and can be negotiated. Most policies cover both first and third-party costs, and a select few may negotiate coverage to extend to bodily injury and property damage resulting from cyber attacks.
Those who seek comprehensive cyber insurance coverage need to be prepared for a market that is laser-focused on data security controls, with a particular focus on those designed to prevent ransomware attacks. Without these in place, applicants may be subject to higher insurance rates, reduced policy limits, greater retentions and policies that restrict coverage. There is also a distinct possibility that a cyber insurance underwriter will decline to offer terms at all if not satisfied that specific protections are in place.
Be prepared to answer questions about MFA, RDP, privileged access management, data backup practices, email hygiene, incident response planning and employee training. To that end, it's advisable to work closely with your cyber insurance broker before entering the cyber insurance market. Doing so may help you understand where your security controls may be lacking and can provide a roadmap to remediation. Ultimately, the goal will be to be viewed as a best-in-class risk by the underwriting community.
To learn more about cyber risks and protections, see our cyber reports and articles.