While we have discussed ransomware several times this year, this is a different discussion. The threat of ransomware continues to be a major issue for all businesses. Healthcare is certainly taking its fair share of those attacks. MSPs were a gateway for mass cyber attacks in 2019. Make sure your IT provider is using the new guide produced specifically for them by NIST and NCCoE: PROTECTING DATA FROM RANSOMWARE AND OTHER DATA LOSS EVENTS. While we are at it, there are a couple of articles relating to the impact ransomware has had on insurance coverage that we need to bring to your attention.
In this episode:
Ransomware – MSPs, and Insurance – Ep 263
2020 COVID Session Dates
August 18, 19, 20
For info go to TheHIPAABootCamp.com
Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.
Ransomware – MSPs, and Insurance [12:23]
Let’s take a look at ransomware from a couple of different perspectives today. We have discussed how much is happening and how things are changing in these attacks. That process began in 2019 and continues today. But what if you think you are covered because you have an IT provider who takes care of security for you and an insurance policy you think will cover you if you get hit? Have you really evaluated your assumptions there? It is probably time to confirm some things on both sides.
MSP guidance from NIST and NCCoE [14:44]
We may have mentioned this months ago, but this group puts out a lot of good information and continues to produce more. First, let’s make sure we cover who they are:
The NCCoE developed recommendations that will enable MSPs to adopt cybersecurity technologies and techniques to improve security for themselves and their small- and medium-sized business customers. MSPs can apply or customize the recommendations to fit their cybersecurity needs. The publications below offer implementation recommendations, a reference architecture, and detail specific technologies/capabilities MSPs should consider deploying. (NCCoE MSP Project Summary)
Below are some of the points covered in this guidance.
Planning is critical. Your plan should include some of the following details:
What files are being backed up? Is it just some of what you need? Are event logs backed up for forensics to use? What about your cloud services? Many groups learn the hard way that the backup didn’t include accounting or some local folder where documents are stored.
Know your RTO (recovery time objective) and RPO (recovery point objective). It is often surprising how many people have no idea what is backed up, how long it would take to restore it, and where the restore would put them.
What dependencies do you need to consider? Are some systems dependent on other systems or information being restored before they can be restored properly? What about encryption keys and digital signatures required to unlock systems once they are restored, or to be able to restore them at all?
Backup files management. What backups are offline and secured? How many versions of your backup are created? What logic is used to create the multiple backup copies?
Develop your written response and recovery policies and procedures. Do you just assume everyone knows what to do? What if everyone you need isn’t available when your emergency occurs?
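The planning questions above (what is covered, whether the RPO is actually met, whether offline copies and enough versions exist, and which systems must be restored before others) can be turned into a check you run against what your backup jobs actually report. The following is an added illustration, not code from the NIST/NCCoE guide or from any MSP tool; the inventory, job results, dataset names and RPO values are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample plan (not from the guide): each dataset that must be
# recoverable, its RPO in hours, and what must be restored before it.
REQUIRED = {
    "kms":        {"rpo_hours": 24, "depends_on": []},        # keys needed to unlock others
    "ad":         {"rpo_hours": 24, "depends_on": ["kms"]},
    "ehr-db":     {"rpo_hours": 4,  "depends_on": ["kms"]},
    "file-share": {"rpo_hours": 24, "depends_on": ["ad"]},
    "accounting": {"rpo_hours": 24, "depends_on": []},
    "event-logs": {"rpo_hours": 24, "depends_on": []},        # kept for forensics
}

NOW = datetime(2020, 8, 18, 12, 0)

# Constructed sample of what the backup jobs last reported. Note that
# "accounting" has no job at all, the classic gap mentioned above.
BACKUP_JOBS = {
    "kms":        {"last_success": NOW - timedelta(hours=6),  "versions": 7,  "offline_copies": 1},
    "ad":         {"last_success": NOW - timedelta(hours=6),  "versions": 7,  "offline_copies": 1},
    "ehr-db":     {"last_success": NOW - timedelta(hours=9),  "versions": 30, "offline_copies": 1},
    "file-share": {"last_success": NOW - timedelta(hours=20), "versions": 14, "offline_copies": 0},
    "event-logs": {"last_success": NOW - timedelta(hours=2),  "versions": 2,  "offline_copies": 1},
}


def coverage_gaps(required, jobs):
    """Datasets the plan requires but no backup job covers."""
    return sorted(name for name in required if name not in jobs)


def rpo_violations(required, jobs, now):
    """Datasets whose newest good backup is older than their RPO allows."""
    out = []
    for name, spec in required.items():
        job = jobs.get(name)
        if job and now - job["last_success"] > timedelta(hours=spec["rpo_hours"]):
            out.append(name)
    return sorted(out)


def retention_gaps(jobs, min_versions=3, min_offline=1):
    """Datasets with too few versions or no offline copy that ransomware cannot reach."""
    return sorted(
        name for name, job in jobs.items()
        if job["versions"] < min_versions or job["offline_copies"] < min_offline
    )


def restore_order(required):
    """Order in which to restore so that every dependency comes first.

    Raises ValueError on a dependency cycle or a dependency missing from the plan.
    """
    order, state = [], {}  # state: 1 = being visited, 2 = finished

    def visit(name):
        if name not in required:
            raise ValueError(f"{name} is a dependency but is not in the plan")
        if state.get(name) == 2:
            return
        if state.get(name) == 1:
            raise ValueError(f"dependency cycle at {name}")
        state[name] = 1
        for dep in required[name]["depends_on"]:
            visit(dep)
        state[name] = 2
        order.append(name)

    for name in sorted(required):
        visit(name)
    return order


def readiness_report(required=REQUIRED, jobs=BACKUP_JOBS, now=NOW):
    """Summarize every gap a tabletop exercise would otherwise discover the hard way."""
    return {
        "not_backed_up": coverage_gaps(required, jobs),
        "rpo_missed": rpo_violations(required, jobs, now),
        "retention_or_offline": retention_gaps(jobs),
        "restore_order": restore_order(required),
    }


if __name__ == "__main__":
    for key, value in readiness_report().items():
        print(f"{key}: {value}")
```

Run as-is, the report flags accounting as never backed up, the EHR database as outside its four-hour RPO, the file share as having no offline copy, the event logs as having too few versions, and it lists the key management system ahead of everything that depends on it. Feeding it the real job history from your MSP's backup console is the point: the answers to the questions above should come from data, not from assumptions.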
There is much, much more included in the planning section. That is followed by the Implementation Recommendations and the Testing/Monitoring Recommendations.
We are just scratching the surface on these recommendations. These guidelines are not suggesting anything that hasn’t been brought up as part of a proper formal plan. However, you can bet that not all MSPs have this level of plan in place, and they may be assuming others are handling it. We encourage you to discuss this with your vendors, and we especially encourage vendors to do this work proactively for the clients who trust you to handle their backups. I cannot tell you how excited I would be to have a provider give one of my clients information that says we used this as a reference and here is what we have put together!
One important thing to remember in healthcare: you must account for the forensics and potential breach notification requirements under HIPAA. You may need to consider that under other regulations and contracts as well. Do not forget to include it in your planning, testing, and documentation.
Ransomware impact on insurance [39:10]
Back in February I had set aside an article to discuss in an episode and, well, you know what happened. The title, Ransomware Attacks Are Causing Cyber Insurance Rates to Go Through the Roof; Premiums up as Much as 25 Percent, really got my attention. This week I saw another article that reminded me how much the first one had: Indiana Court of Appeals Holds That Losses From a Ransomware Attack Are Not Covered Under Policy’s Computer Fraud Provision. That certainly brought me back to the first one.
Here is the sad point reported in the first article.
Number 1, this is only making the problem worse for all of us. Number 2, we have often discussed how even making a payment doesn’t mean you will easily be back up and running in no time. Very few that are hit hard enough to have to pay the ransom are up and running quickly.
The report from these insurance industry folks says the costs are going up between 5% and 25%. As a result, everyone is trying to find a way to cut the costs. Their ideas included having a specific ransomware policy. They suggest that high-risk companies with a history of breaches may even be forced into a policy like this, and those policies may only pay out 20% of your total claim. Ouch!
All of this means you really do need to review that coverage and understand clearly what options you may have if you are hit with ransomware or any other attack for that matter.
That brings us to our next article. In it we learn of a case where a company was hit in November 2017, before attackers were as sophisticated as they are now. The company, G&G, had all kinds of issues with encrypted files and password-protected drives. A real mess. They saw no other option than to pay those criminals.
Guess what happened!?! People always think we are just making stuff up. Well, here you go. The attacker took the payment and then demanded another payment. In fact, they ended up having to make THREE payments before they were able to get access to everything. We keep telling you paying doesn’t mean you get out of jail quickly.
G&G filed a claim under the “multi-peril commercial common insurance policy” which said that it covered “loss of … ‘money’ … resulting directly from the use of any computer to fraudulently cause a transfer of that property.” The insurance company, Continental Western Group, denied the claim and said ransomware doesn’t apply to that coverage. Conveniently, the term fraud wasn’t specifically defined in the policy.
It went to court, which is why we are reading about it. This is the appeals court round of arguments, and they agreed with the lower court: ransomware isn’t covered as fraud. Here is the quote from the ruling I found very interesting and to the point:
They aren’t playing around with that clarification. The court clearly sees this as a business decision that the company made, not some fraud brought against them by the attacker.
While worrying about preventing ransomware attacks, we also need to accept the fact that an attack is becoming more likely. That means the ability to recover from one needs as much attention as preventing one, including what insurance coverage you may have to rely upon.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!