Your Practice Made Perfect
This podcast series provides support, protection, and advice for today’s medical professionals. Brought to you by SVMIC, a mutual insurance company that is 100% owned and governed by our policyholders.
May 25, 2018
Episode 017: The Technology Angle of Attack
Speaker 1: You are listening to Your Practice Made Perfect. Support, protection, and advice for practicing medical professionals brought to you by SVMIC.
Brian: Hello and welcome to this episode of our podcast. My name is Brian Fortenberry. Today we're going to be talking about something that is affecting all of us regardless of our occupation or even just our personal lives. It is cybersecurity and it's becoming a bigger and bigger issue certainly in the healthcare industry. Joining us today to help us navigate this complex and difficult issue is Miss Kari Stern from NAS. Kari, thanks for joining us.
Kari: Thanks, Brian. Thanks for having me today.
Brian: Before we jump in and start talking about all of the parts of cybersecurity and the coverage also that you guys provide to our policyholders at SVMIC, tell us a little bit about yourself and your experience there at NAS.
Kari: Sure. I've been with NAS for about five years. I'm the Senior Claims Manager. I have over 25 years' insurance experience in all different lines of coverage. I've been focused primarily on cyber for the last five years as it's continued to become a really important coverage for policyholders as technology becomes more integrated in all aspects of the business. It's just become an evolution in the strength of the coverage and it's just been an exciting foray in insurance.
Brian: Well, I tell you it is incredibly interesting what is out there today and, to be honest with you, when you say interesting, it's also kind of scary. There is a lot happening in the world of computers and cyber attacks and everything else. We have a relationship there that our policyholders get coverage for cybersecurity and there's several different parts of that policy as well. Where I kind of wanted to start today, Kari, is when a security breach or a cyber attack such as ransomware or any of the other types of things covered by the policy occurs, then our policyholders contact our claims at that point, who then in turn can contact you guys at NAS as well along with coverage documentation. Once NAS determines that coverage does apply to what the policyholder is calling about, when should the policyholder expect to hear from an NAS representative? How does that process get rolling on the end of NAS?
Kari: Yes. Well, time is of the essence in all of these cyber events. Early reporting to SVMIC is critical so that it gets to NAS as quickly as possible. When we get the claim, we immediately look at the coverage, we look at the event that is going on, and we reach out to the insured within 24 hours. Most often it's the same business day because we're going to get any missing information, confirm what is happening in the event, so that we can determine what assistance the insured needs. Most often we're going to appoint an attorney to coach the insured through the process to provide both legal advice, if notification is needed they're going to help draft letters, they're going to coordinate all of those pieces to make sure that the insured is getting the utmost response and is compliant in their handling of whatever the event is. We also look at what is happening in order to determine what type of IT help or assistance the insured may need.
Brian: Would you suggest then, Kari, that say a policyholder believes there has been some type of breach, some type of cybersecurity issue, would you say it's best to probably, even if you're unsure if it's covered by cybersecurity or whatnot, if you're a physician or a physician practice, it's best probably to go ahead and reach out to the carrier so they can in turn contact you with the information, just to see if it is something that's covered? It's probably better for early notification than late notification, correct?
Kari: Correct. That's part of the benefit of the program too is that there is no deductible. There is no cost to the insured to report a claim and let us get a look at it. We would potentially engage IT's help right away to determine what, if any, access there was. Sometimes they determine that there was no access or they didn't get to the health records and therefore there's no notification needed. What's really important there is that the Department of Health and Human Services came out with a bulletin around June of 2016 and, in their bulletin, the Department of Health and Human Services made it clear that they deem any intrusion into the insured's system to be a breach and it is up to the insured physician to prove that nothing was accessed while the intruder was in their system, which is again why it's really important for the early notice and intervention. We've had a couple of situations where an insured, well-meaning, thought, "Oh, well, I've got this ransomware event and I'll wipe my system and restore from a backup" so that they could get back up and running as quickly as possible. While that's admirable that they want to do that what has occurred in that process is they've inadvertently wiped their logs. Then what happens is they end up placing themselves in a situation where they've wiped their logs. Now forensically no one can prove whether or not the patient records were accessed and the Department of Health and Human Services would deem that a breach. And therefore you now have a notification obligation and while maybe you would have been able to prove they didn't access anything, you didn't have a notification, it becomes a binary situation where you have to now notify all of your patients. Again, that's another reason why that early reporting is just super key.
Brian: Yeah. It sounds like the failure to notify early, really with all the ownership on the physician or physician practice, could really become an issue within itself, and whenever you get this notification or this belief that you have been compromised in some way, some of the policyholders or anyone really might think, "The very first thing I need to do is reach out to law enforcement or a regulatory body." Does the policyholder need to contact those authorities or is it best that they don't?
Kari: You know, that's always a question for counsel, which is why we appoint them at the outset because they would advise the insured on what, if any, reporting is required to either law enforcement or the Office of Civil Rights or Department of Health and Human Services. It's important that an insured speak with counsel before doing that because they could provide information inadvertently in a report that's wrong and that could then come back in an investigation with maybe an adverse finding against the insured because they reported without having a complete understanding of the event that they went through.
Brian: Right. Obviously the very first call needs to be to the carrier so NAS can get involved as soon as possible in order to have counsel present to avoid some of those types of issues. Also, Kari, in the event of some type of attack or breach, what type of information is going to be required from the policyholder themselves to really get the ball rolling with NAS?
Kari: The only information really required to get a claim rolling is for the insured to reach out to SVMIC and provide the basic information. When did they discover the event? What do they know at that point? It may be that they don't know anything at that point, which is fine. If there was a ransom notice where it says, "You must pay X number of dollars in Bitcoin," screenshots of that information are important, preserving their logs is important. Again, it goes back to not wiping their system. Then just calling SVMIC to report the claim and providing their contact person that's available for NAS to reach out to, to ask questions and to coordinate. Then from there, once counsel is involved and IT forensics, is when they really start to drill down on the specific information after they can get in and get a look at the insured's system.
Brian: You mentioned their counsel and IT forensics and things of that nature. You guys go out then and get professionals I guess from forensics to maybe help with PR or reputation or, like you were saying earlier, you have an obligation to report a certain amount of information depending on the compromised size of medical records. You guys handle all of that, correct?
Kari: Correct. We coordinate all of that with counsel. We're retaining both the attorneys to assist the insured, the IT forensic experts that we feel are more appropriate for the event, credit monitoring, call center notification mailing, PR services if they are needed. That can be very important in getting ahead of a breach, particularly if it's a large breach. Crafting those notices in the media, how to deal with that. All of those expenses are covered as part of their endorsement and we coordinate all aspects of that for the insured, again, with counsel's input.
Brian: If it is a form of a ransomware or a breach or whatever from the cyber attack part of it, certainly that is something that you don't want to have to deal with as a physician or really anybody but a component of that then becomes your professional reputation and then your requirement by the government to provide notification and credit monitoring and all of that. I can imagine that would be overwhelming for someone who didn't have this type of protection to have to do. It becomes incredibly important at that point that you get all of these people involved to even really protect your professional reputation, correct?
Kari: That's correct. Again, that all ties back to that early notice, and the sooner we can jump in there and figure out what's going on and coordinate those efforts and engage PR as necessary, the wording and the letters need to be crafted properly; every state has different requirements on what must be in the letters. Particularly you'll find an insured has maybe got a practice that borders with a couple of different states, they could potentially have patients in different states and you might have different letter obligations and different reporting obligations for each of those states. For someone to try and navigate that on their own would indeed be overwhelming and again that's the benefit of having counsel. They're the experts.
Brian: Kari, you're the senior claims manager there at NAS. What types of cases are you seeing out there right now? What are some of the more frequent types of cyber issues that you're coming across?
Kari: Well, the number one still right now is the ransomware events where the insured will come in and their records will be encrypted and there's a ransom demand for Bitcoin in order to get the decryption key in order to decrypt the records. That's still probably the number one claim that we're seeing. Those are extremely disruptive to a practice because the process of unencrypting records takes longer than the process to encrypt them in the first place by the bad actor.
Kari: The second type of claim we most commonly see is inadvertent disclosure of protected health information. It can be things like receptionists talking out of turn in social situations and talking about patients using names and so on, so that somebody else overhears it. That's still a top claim that we see. Records being sent to the wrong location via email or mail.
Brian: The thing is, Kari, you can speak to this probably better than most, honestly whether it is an intentional act on the part of someone to be malicious, to do harm to you or get money, ransom, whatever, that type of breach and the type of breach where it's accidental, accidentally lost something or you overheard someone speaking or an employee is out at an event and speaking about protected health information that they shouldn't be talking about, that really then it sounds like is not considered any different when it comes to the type of breach with the federal government. You're still going to be held to a standard, whether it was accidental on the part of someone in your practice or whether it was intentional on someone out to do harm. Is that correct?
Kari: Correct. From the government's perspective, a breach is a breach. When they're doing their investigation, whether it's accidental or intentional really doesn't weigh into whether or not they take action. What weighs into whether or not they take action is the insured's appropriateness in their response in their handling of the incident.
Brian: Would you have any advice to policyholders or practices on ways to maybe mitigate that or prevent that? I don't know that you can but maybe through your experience you've seen some ways that might be worth noting.
Kari: We typically don't give technical advice because everybody's system is different and their business operations are different. Of course, having good passwords is always important and being kind of, I guess, aware or tuned into what your employees are doing is important. NAS is working on implementing a cyber risk management website with SVMIC, which will be available to their policyholders. That will be a good tool because it has all types of information from working on good policies and practices within the business. It's got training modules that a practice can use with their employees. It's available information by state. That's something that we're in the process of developing that would be extremely helpful for insureds in the future.
Brian: Kari, as we start to wrap things up here, what are some basic recommendations that you could make to those listeners today to help prevent or as you were saying maybe not even necessarily prevent a cyber attack but best advice that you have for them, if not in prevention, once you realize there has been a breach of some kind, just, what are the immediate steps that they need to take after that? Because panic just sets in and you don't know what to do. What would you recommend to those people?
Kari: That's a good question. I think ahead of an event, again, I think good password protection control, not letting employees share passwords, not having passwords that are "password" or "000," that's a good control right there. Maybe making them change their password every so often can help. Old passwords that are out there, maybe when an employee leaves, from being found by somebody that might infiltrate a system. Those are good basic controls. Then as far as when they have an event, again, I can't stress enough, early notice to the carrier is key in getting it over so that we can get the appropriate people involved. Also, if they have the ability to isolate the event. If you know it's on one computer then control that computer. Don't let anybody use it, don't let anybody send anything from it. That kind of activity will help limit the scope.
Brian: Well, Kari, I tell you, that's some fantastic information. In the face of cyber issues that we deal with in our professional and personal lives this is something that we certainly all need to be more aware of, more vigilant on, and it is comforting to know that we have people like you and NAS to help us through these times. Kari, I really appreciate you being here with me today and taking time to discuss this.
Kari: I'm happy to do it.
Speaker 1: Thank you for listening to this episode of Your Practice Made Perfect with your host Brian Fortenberry. Listen to more episodes, subscribe to the podcast, and find show notes at SVMIC.com/podcast. The contents of this podcast are intended for informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, and specific legal requirements may vary from state to state and change over time.
The contents of this Podcast are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time. All names have been changed to protect privacy.
About our Guest
Kari Stern has over 25 years' experience in the insurance industry. She has worked at NAS Insurance Services for the last five years as a Sr. Claim Manager, Reinsurance Programs, and is directly responsible for claims management of cyber losses. Kari has a BA in Communications from the University of California Santa Barbara, and an Associate in Risk Management (ARM) from the Insurance Institutes. She also holds adjuster licenses in several states.
About our Host
Brian Fortenberry is Assistant Vice President of Underwriting at SVMIC, where he assists in evaluating risk for the company and assists policyholders with underwriting issues. He has been involved with medical professional liability insurance since 2007. Prior to his work at SVMIC, Brian worked on the clinical side of medicine and in broadcast media.