Pharmacy Data Security In A Hack-Filled World – Insurica, Protection from Malware and Ransomware Attacks
Monthly Mastermind – Protect Your Pharmacy From Malware And Ransomware Attacks
Learn how to protect your pharmacy from malware and ransomware attacks.
Are you 100% confident your infrastructure could withstand a cyber attack? How about being able to recover financially?
We live in a hack-filled, ransomware world.
Get critical information from Insurica to help protect your pharmacy. https://go.insurica.com/pharmacy
We are going to be going live
Welcome to another edition of a monthly mastermind meeting. These meetings are deep dives into a topic to really help you dig in and help your pharmacy. We have got a very timely topic today that really isn’t a pharmacy topic. It’s really more of a business topic. But I think it’s super important for pharmacy owners to understand. If you guys have watched the news in the last few months, you know that there’s been some big disruptions with some hackers and requesting ransom money and all that kind of stuff for if they hacked your data, and I have heard that happening to a pharmacy or two, and it’s just not where you want to be. So I actually have an old friend from many years ago from good old California days. He who happens to still be there but Devon is working with security and world and so I reached out to him to find out how can we help share some information that will keep you safe, your wallet safe and get you through this time. So Devon, I will turn it on over to you please if you want to do a quick intro of yourself and then you can intro Ryan.
Thank you, Lisa. Thank you. My name is Devon Hardin. I’m a property and casualty agent with Walter Mortensen and shirker. And I’d like to introduce our team here from insurance. So that’s going to be talking today about cyber primarily led by Ryan Qusay, our resident cyber expert. Mr. Khrushchev has just been with Insurica for about three years now. Correct? Yes, that is correct. About three years. He joined us from a personal injury firm as a paralegal, and I’m not sure how we got him over here, but we’re grateful we did. And upon joining us, he was in the same field that I’m in currently, which is the property and casualty field. But we needed we needed some we needed some representation in the cyber field. And, and Ryan has volunteered somewhat forcedly forcefully to become a resident cyber expert. So and then Julia Hester is also not in fact, Julia, would you mind being your introduction?
Yeah, sure. I just work for specific groups in different areas to try and set up programs. I’ve been with Insurica for two and a half years now. And I’m kind of a jack of all trades. So I’m here to fill gaps if you have any extra questions.
And with that, Ryan, would you like to go ahead and take it away?
We can start. We share the slides yet or?
Yeah, I’ll go ahead and start right now. Okay.
There we go. Yeah, so Gu, we created Gu as a kind of like an in house wholesaler, for insurance. And that’s given us access to a bunch of different markets, including cyber obviously. So it’s a huge benefit for insurance right now. It’s going to be a huge benefit. Hopefully, for all of you guys. With this pharmacy program. You can go to the first slide, Devon next one. Perfect. So yeah, let’s just jump into the risks in the healthcare and it’s because healthcare providers typically hold large amounts of highly sensitive health related information about their patients. Their primary cyber exposure is what you’ve been seeing in the news is like data breaches. And because of healthcare takes an average about 200 days to detect a data breach and about 90 days for containment, becoming a massive growing risk in the area. Also, due to the HIPAA regulations. This also leads to notification requirements, investigation costs, fines, penalties as a result, and this is just an attractive and lucrative for all the cyber criminals out there because they’re earning up to about $1,000 per stolen medical record. Next slide, please. Devon. So not only data breaches, but you’re also seeing a lot of malware attacks. Malware just malicious software that’s specifically designed to cause damage to computer networks, which has devastating impacts on the business operations day to day with system damage. Also business interruption costs come along with it. And a side effect would be reputational harm to the business. Recent events have shown that the cyber criminals’ motives for malware attacks are predominantly going to be sought money from the business to put some money in their pocket. But sometimes they just kind of do it for the fun of it because they’re just bad actors. Next slide please. Thank you. An emerging risk we’re seeing on this field is the funds transfer fraud because healthcare centers are completing wire transfers, usually for supplies and services to their business.
Or sometimes it’s something to go around with the building. Either way they’re doing or online banking as well. So these are often initiated with simple phishing emails to fraudulently dupe health care providers into transferring money to what they believe is going into legitimate payments for supplies and services, but actually going into fraudulent bank accounts. And I was able to find a couple examples or case studies of both of these attacks, with data attack and also a malware attack. I’ll get to that one on the next one. But this one is happened to a medical service provider, they fell victim to a ransomware attack it encrypted around 120 workstations about 15 servers, rendering them all useless and making all patient management records and electronical medical records stored on their network, completely inaccessible. They went through their ICT vendor and the IT vendor was actually able to wipe the ransomware from the system and rebuild their network from backups. But unfortunately, they were not able to see if any of the personal health information was viewed or stolen. So with the ransomware, completely wiped from the system, it was impossible for the forensics to analyze the attack. And as well as identify the ransomware variant to establish whether or not any of these personal health information was stolen or viewed. So they then had to engage in their own legal counsel, which came to the conclusion that they would in fact have to notify all 100,000 of their patients of past and present. It also triggered an Office of Civil Rights investigation, which is going to have potential reputational harm as a result.
So just to the 100,000 patients in general, it’s like over $200,000, just to notify them and then the investigation costs on top of that were pretty extensive. So this case study actually highlights two important lessons. First, the lesson for the first lesson is that it’s essential when a ransomware attack or any other cyber event occurs. Granted that you have a policy through a cyber cyber policy, you should engage their cyber insurance provider as soon as possible. By doing so you have a coordinated response to the attack, which can be revised and any evidence that may become crucial later on can be preserved unlike this attack. Secondly, placing your cyber insurance with an experienced provider can make all the difference by having your own in house incident response team with specialist knowledge of cybersecurity and forensics. They’re also able to successfully prevent plesiosaurs claims costs from escalating and ensure that the organization’s reputation doesn’t suffer any unnecessary harm. Because, as we know, more than half of us would not return to a service provider if they were subjected to a security breach. The next one, this was a malware attack. On a larger scale, this one was done at a hospital. Relatively the same though the employees came into work noticed all the devices and servers were no longer functioning properly. All their electronic data that held patients information was no longer accessible. So that means they couldn’t look at their patient histories, doctor’s notes, allergies and drug prescriptions. So the doctors, nurses had to now go back and ask each individual patient about their medical history all over again. This also created a problem with the electronic monitoring of patients. This and bedside machines for dispensing medication were inoperable. So this made the hospital had to bring in an army of additional nurses to help ensure patients were being monitored effectively.
And so all these manual processes and hiring of more staff caused significant delays to the service. And by just mid afternoon, the hospital was forced to call Red Alert, which just basically notifies all health service providers in the area that there’s gonna be longer wait times at this hospital. And if they want to go to another hospital or service provider It probably be better. So the only way to return the hospital to the normal operation was to wipe and rebuild all their servers or servers and devices from scratch couldn’t access their backups. So this created a longer process. One of the major complications to this actually was their connection to a hosted centralized electronic health system, which gave them access to all their patient records in details, allowing them to exchange information with other health care facilities. But because of the malware attack on their system, the hospital was cut off by the service provider, who was refusing to reconnect them until their network was declared completely clean, and malware free by an independent forensic consultant. So in the meantime, this hospital had to connect to a separate cloud network to access the data that they needed at an additional $200,000 a day. It wasn’t until about two months later that the hospital was able to call off their red alert. And then another month later, they were finally back into normal operating procedures, which is a long time. So the hospital on this incurred about $2.6 million in system damage costs, which was the bulk of it was just hiring people to replace hard drives, servers, laptops, computers, printers, scanners, and all their software licenses. And then they lost another I think, for the 4.5. Yeah, four point 4.5 was business interruption primarily due to the drop off in patients income following the red alert.
So in this case, they did have a cyber policy, but they just didn’t have the right amounts, or limits to properly cover but a lot of it was taken care of by their cyber professionals insurance. So yeah, cyber insurance is a highly cost effective way to gain access to the support needed in order to both prevent and respond to cyber events. Most cyber policies come with a number of proactive risk management tools like social engineering and phishing focused employee training, which helps to reduce the amount of phishing attacks.
They also come with dark web monitoring, which scans the dark web for signs that data relating to your business has been compromised, and what to do about it if it’s if you need to, like go in and act on it or simply just someone snooping around. But most importantly, the best part is, when it comes to responding to these cyber events and ransomware attacks, the good cyber policies will give you access to IT experts, forensic specialists, PR firms and lawyers, often with no deductible to the insured. And you know, due to social distancing, bank robbing is no longer a thing. It’s more like cyber hacking, which is kind of my joke for the day. I hope you like it. Yeah, as you can see, these, these are just based on like a $50 million business, small business. So a lot of this money is just outrageous just to get control of a cyber hack going on. So a lot of these small facilities don’t have that just on hand to do dish out. So having a cyber policy is a great pairing to have with your other insurances because it fills in the gaps that the other ones aren’t providing. Go to the next slides. So these slides are just basically outlining the coverage highlights that each cyber policy comes with. Like said the incident breach response is probably the best coverage that you can have. This includes all the cost that’s going to come with the forensic specialists, IT, PR firms, legal that you get access to. Next slide. Yeah, so this is the best one, the cybercrime, all the losses of funds. So like, like I said before, ransomware extortion demands, but also the funds transfer fraud. So if they are socially engineered, or duped by a bad actor, they’ll be on they have limits and protections for those as well. Also personal funds.
Also, yeah, so business interruption this coverage. So whenever, like we saw in the hospital, with they’re down for a long period of time that losing income based off of no patients coming in or anything like that. They have limits to help them, get them back up to business operating and make sure that the least amount of business interruption is possible, and also to get their what is the reputation not as damaged as possible. Excellent. And this is probably the I think the most important one for the health is where it’s covering all the funds or fees penalties for the lawyers and everything like that for notifying and all the investigation costs for the personal health information due to HIPAA, which is probably the best coverage that the health care can get those limits are very helpful in keeping the business running. Yeah, so just as the closing thoughts, but the frequency and severity of these cyber attacks are escalating greatly, especially in the past two years. According to the FBI, there’s been about 62% increase in the ransomware demands, just through the first six months of 2021 in the US alone, which is up from the 20% increase we saw in 2020. Also the ransomware demands as money demanding from the ransomware is have seen a 225% increase since the beginning of 2020, and according to some cybersecurity firms, these ransomware attacks are estimated to cost businesses globally, around $20 billion in 2021, and predicted to reach about 265 billion. Yes, with a B by 2031. The combination of high rewards and low risk for the cybercriminals means that ransomware is here to stay at least for the foreseeable future. And with businesses being penetrated multiple times per hour, and cybercrime has grown in frequency and severity, I feel like businesses can’t afford not to have this coverage. Because every business today relies on computer systems to operate, whether it’s for business, business critical activities, or simply just for online banking.
And no matter how much a company is investing in their IT security, they’ll never be 100% secure, because us as humans are still the weakest link in the cybersecurity chain, just by one employee clicking on a bad link could take down an entire system. So the purpose of having these cyber policies is to one respond in the event where the worst happens. This, this is back up and running. Just also with minimal disruption and financial impact to the business. In today’s rapidly evolving market for cyber insurance coverage, providing emergency response services, as well as the final financial compensation, in the wake of all these different types of cyber attacks is now just the standard. That concludes my presentation. So we’ll just open it up to if anyone has any questions, you guys can direct them towards me, I’ll do my best to answer them.
Yeah, I do have a couple of questions that have come in right now. So where does somebody get training for their employees? You know, you kind of mentioned phishing, you mentioned just right now, one employee clicking on one bad link. So where’s the best place to get like real training to help employees prevent that, you know, every pharmacy just you guys know, obviously, they go through the HIPAA Privacy and Security and stuff. But some of that stuff isn’t very practical, or maybe, you know, actionable types of things in terms of preventing this kind of thing. So where do you recommend for that?
Yeah, so if they do get a cyber insurance policy, these carriers have contracts or relationships with these security firms. So they get a discount, or sometimes it’s with zero deductible to the insured for the first two or three, one or two times. They can have the entire staff trained on like extensive phishing emails, what to look for what not to look for what to click on, not click on, basically, just to be basic forensic IT and be like, Okay, well, I can see that’s not what I want to look for. So they, I mean, our company has, does it, I think, once or twice a year that we have cyber training. So yeah, once they have a cyber policy, they have access to all these great tools like that they can have someone come in and teach them if they want to, or they can do like the kind of like a webinar, click on this and then teach them virtually as well.
Another question is about backups. So a lot of pharmacy software systems, you know, do cloud backups. I remember back in the day, I’m old enough that I remember used to have this backup machine, and you put these weird looking cassette things in there, and you had one for each day of the week. And not a lot of pharmacies have that anymore. A lot of them do cloud backups. But should you have an on site physical, like copy? Or can you talk a little bit about backing up the data, because you mentioned some systems being able to be restored from backup.
So the two examples I said, So one was able to backup their things relatively easy, because they had backups stored off site off site is what they’re looking for. So it’s not directly tied to the network. So once that network goes down, they can still retrieve the backups from an off site network. And that way, restoring the system is much easier because you have those backups that are not tampered with and able to do a much easier, like I said, streamline it. Um, so yeah, clouds are below except clouds, as long as it’s protected, protected with a VPN, because that’s also an off site storage. So clouds are acceptable, just they need to have proper security controls in place to for the carrier, so we’ll be able to write them.
You know, and you guys are obviously coming from insurance. So the question I have, and, you know, putting on my pharmacy owner hat is, you know, I have a business protection policy, you know, kind of all this other stuff that we already have insurance for, is this kind of stuff not normally covered in there, or can you talk a little bit about where the gap is? Because I you know, I would think that my business policy might cover some of these things, but, you know, obviously, it may not so can you talk just a little bit about what your business policies cover and why is this different?
Yeah, so like your typical P&C policy is only covering your bricks and mortar. So it’s not worried about your electronic data like the PHI, PII stuff. So there’s really not much coverage there. And if there is, it’s like very small limits or it’s excluded. So that’s where the cyber policy comes in place. It fills all those gaps like a P&C policy, because it’ll, it’ll pay for replacing the computer software which the P&C policies usually don’t cover the hardware, which is the computers and devices, and also the data, which is the most important part. So yeah, just the P&C policies, do offer them, but just very small limits, or most often, as we’re seeing now they’re excluding them, because of all the cyber attacks happening. So the standalone cyber policy is filling the gaps where the coverage is needed.
Yeah, if you don’t mind me chiming in, actually, because healthcare historically is sitting in a unique position, because what happened was, your normal BOP policy actually did traditionally cover those exposures. And then Target happened forever ago. And every insurance carrier said, Oh, no, oh, no, we we can’t afford this exposure on a normal general liability bills, liability, or a business owners policy. So you may see even on your current policies, you know, places that are great at covering pharmacies, CNA and Hanover, Pharmacists Mutual. But when you get into the nitty gritty, like Ryan has said, because of the attacks, and also like Ryan said, HIPAA data is worth double what a normal business can provide. So you’re getting targeted a lot more. And they put even more exclusions. So most of your business owners policies, or general liability policies, if they have a cyber endorsement, about 90% of the time, they actually exclude any claims about HIPAA. So that’s a huge gap for you guys. And just to talk up, Ryan, and Gu, some insurer has a healthcare practice, and everybody else had Insurica in the construction practice or whatever, they were pretty happy with the cyber options that were currently available on the market. But massive problems if you do anything in healthcare, which was kind of one of the big pushes to why we started working on different programs that are kind of outside the norm of what some carriers big exposure, they don’t want to pick up.
No, that’s good, thank you. I know even back in my pharmacy, my very first pharmacy, when I you know, it was controlling the servers and everything, like I would have the firewall and you know, you’d see all these hits like you you see all these like massive like hits and different things. Do you guys help with giving advice on like, how to set up your whole systems, because a lot of times these pharmacies, they get started, and it’s a software company or software vendor, you know, that they’re selecting that’s like, Oh, buy this, you know, type of firewall or buy this type of thing. And it’s all just kind of generic recommendations, which maybe may or may not the best, but do you guys help them with any sort of audit to like, Hey, am I in a good spot now? Or do I need to make improvements?
Yes, absolutely. So when they do purchase cyber policy, they have access to a risk management team as well. So they’ll come in pre whatever. So like, you get the policy and then like, Alright, can we take a look at what we need or what we’re lacking on. So they’ll come and do that for free? No deductible to the insured to come and take a deep dive into your system. They’re like, Okay, well, we see vulnerables here, this way you should do to fix those. This looks good. Keep doing this and stuff like that. So that’s always free to insure because the carriers want no attacks, obviously. So they’ll give it to you for free. I’m just deep dive into your system. But like, like I said, help them set it up or make improvements to where they need to prevent any of this from happening.
Now, in terms of talking about, like the fines that somebody gets, or experiences when there is a breach, like, does every breach result in a fine, like if I try to do everything, right, and I’m supposedly doing everything right, but a hacker was smarter than my systems. Like, am I always on the hook for these big fines? Or how do fines come into play? Because obviously, there’s an expense for just notifying patients and, you know, mailing costs and phone costs and stuff. But you know, those fines can get really scary large. So I just was curious of like, at what point do they start fining a sock sock
Back to the first case study when to so if that small medical service provider would have contacted their insurance provider, they would have done a deep dive and seen that okay, maybe nothing has been accessed or looked at so we don’t need to notify anybody. So that’s where I think the insurance policy comes in, because they’ll do the deep dive, but try and minimize your claims costs or investigation costs, fines and penalties as much as they possibly can. Because like, the case study said they didn’t access or acknowledge their carrier so they didn’t know if anything had been accessed. So they’re like, well, we might as well do it anyways, because if we don’t, we’re going to get even more fines. So that’s where the, the insurance policy is coming into play as well. Biller, they’re trying to save you as much money as possible trying to get you the least amount of investigation and fees and get you back up and running with a little financial impact.
Awesome. Well, those were all the questions that I had come into me during the segment, I just want to tell you guys, I appreciate you guys spending some time. You know what, this was all heavy on my mind as I was that person watching the news and watching the disruption and just thinking like, man, if that were to happen to our pharmacy, like, I don’t like I don’t know, if we could recover, you know, just the, the PR and the, the reputation hit is invaluable. You know, it’s like you said, how many people are gonna go back to somebody after they’ve been hit, though, honestly, after they’re hit, and they’re recovered, they’re probably stronger and better off than everybody else. But that’s not the way you know, your human brain says. And so I don’t know, any pharmacy owners that could that could have a major breach and be okay, afterwards. And so I thought this just was a really important topic, you know, as cryptocurrency and all of that starts to explode. And these, you know, ransom, people are really operating off the grid, so to speak. From that perspective, I just think pharmacy owners need to have all of the tools as they possibly can to help support and secure their pharmacy data. So thank you guys, there is a website that you can go to to learn a little bit more about Insurica. It is go.insurica.com forward slash pharmacy, I will post it up in the comments of where this video is. And at least find out, talk to them, see if it’s something that you need, have them look at your current coverage, you know, maybe they can help decipher that, but just use them as a trusted resource. And as that experts to really help say, because you don’t want to call them after you have a breach. That is the wrong time to call them. So thank you to the entire team. I really appreciate it. And I’m sure we’ll be talking again soon and have a great rest of your day. Thanks