By Jake Durham
Cybersecurity has become one of the most talked about issues in today’s business world. In a recent article by Security Magazine, cybersecurity breaches were not only linked to significant financial detriment, but also anxiety levels among individuals that rival traditional terrorism. New technology advancements bring new problems, and these problems can not only effect company balance sheets but our own personal mental health as well. Anyone, including an audiology practice, clinic, hospital, etc., can be a victim now.
Federal Reserve Chair Jerome Powell said recently that cyber risk is one of the biggest risks facing our economy and emphasized that while we know how to deal with most of the risks facing our economy, we have never dealt with a major cyber-attack against one of our major financial systems.
Even though Powell’s comments related to our public financial system, our health-care system is just as susceptible—and that includes your audiology practice.
So, what can you do to prevent your practice setting and your staff from falling victim?
Start by increasing your cybersecurity and educating your employees on how to recognize a potential attack.
- Run computer software and system updates regularly.
- Provide annual security workshops with your staff along with their annual HIPPA trainings.
Employee education and increased security standards are crucial but human error is the number one cause of a cyber incident. It has now become “when,” not “if,” something will happen. When it happens, it could cripple your practice financially.
As an example, if your computer systems in your office were to suddenly go down and be held for ransom by a cyber-criminal, does your staff know what to do next? If not, having an established cyber incident response plan in place to help you respond quickly and uniformly against this type of attack can significantly reduce the negative social and financial impacts to your practice.
To learn more about crafting an incident response plan for your practice, Exabeam has an educational guideline on their website titled “Incident Response Plan 101” that will help you build a plan of your own.
Having the proper security, education, and response plan in place is a great tool to minimize the risk of a cyber incident negatively impacting your practice but you cannot fully eliminate this risk. To further minimize risk, you may want to consider adding cyber insurance to your insurance program. Doing so will transfer this risk from your balance sheet to an insurance carrier’s balance sheet.
We’ve all heard of it before but what does cyber insurance cover exactly?
Cyber insurance covers the costs associated with hacking attacks, data breaches, and system failures to your practice.
Below are the two most common cyber risks your practice faces today in 2022
Ransomware is a common type of malware that encrypts your computer systems or files and denies you access until a ransom is paid. This type of malware is specifically designed to disrupt, damage, or gain unauthorized access to your computer system. It will typically enter your system through a phishing email where your employee is tricked into clicking on a fraudulent link or downloading an attachment that in turn gives a cyber-criminal unauthorized access to the backend of your computer system
In 2020 alone, there was a 715 percent increase in ransomware attacks when compared to 2019. The average ransom amount demanded by cyber-criminals was $170,404, up more than 30 percent from Q4 averages in 2019. For further on context, the average ransom demand was only $5,000 in 2018. This large, continued increase in ransom demand amounts we’re seeing is primarily contributed to criminals becoming greedier overtime as the success of these attacks increase.
In addition to paying the ransom, your office will be subject to various other costs as well.
This chart below from Evolve MGA breaks down the average costs of a ransomware incident. Evolve MGA is one of the largest cyber insurance specialists in the United States.
You should anticipate hundreds of hours for lawyers and forensics to conduct their professional work and resolve all issues.
So, what does a ransomware incident look like? EmsiSoft has an excellent blog that describes the nine most common methods ransomware spreads. This would be great to share with your staff to help them better understand what a potential attack looks like.
2. Funds Transfer Fraud
A funds transfer fraud event usually begins with a phishing email to someone in your office where they are asked to wire funds. Coalition recently posted a blog outlining an example of what a funds transfer fraud incident can look like.
Imagine an email from a health insurance company address with the subject line: “Due to Covid-19, we are changing our payment procedures.” Your office admin clicks on a link in that email and a hacker suddenly has access to their email inbox. From there they can send spoofed emails or create fake invoices that seem legitimate and can convince their target to wire funds.
Unfortunately, once the funds are wired, it’s incredibly difficult to track and retrieve them. This happens daily and is probably the most common type of cyber scam your staff will come across. Before wiring any funds, your staff should always confirm the wire request is legitimate and the directions are correct.
Below is an excerpt from Academy member, Sam Bittel, AuD, who describes his experience with cyber insurance…
My private practice, Hearing and Balance Specialists of Kansas City, elected to pursue cybersecurity insurance three years ago. The need for this coverage became clear after observing cyber breaches at several health-care clinics and hospital groups.
A bit of research revealed that small health-care practices are quickly becoming one of the primary targets for cyber criminals. Not only does our coverage insure us in case of a breach or lost clinic time, but it also gives us the tools to protect our practice.
We understood that we have an important responsibility in protecting our patients’ sensitive information. Also, our practice cannot afford to have our database held at ransom for any length of time. Crime has clearly evolved with the digital age, so we felt that the steps we take to protect our practice must also evolve.
We now have the peace of mind to feel safe and secure as our practice and patients navigate the digital landscape.
If you’re still contemplating whether or not cyber insurance could be a valuable addition to your insurance program, are you confident that you or your employees will never make a mistake?
Remember, human error is the number one cause of a cyber incident. We’re not perfect and anyone in your office can make a mistake and cyber insurance can help lessen the financial impact to your practice.
Cyber insurance will not only cover the growing number of cyber-attacks facing your practice, but it also gives your team instant access to a number of technical and legal experts needed after an attack that you would not otherwise have.
You have access to experts who are there to support you and make sure the claim process runs as smooth as possible. And for the sizeable losses from stolen funds, lost revenue, or considerable cleanup costs, it is worth the extra insurance spend to include in your practice’s insurance program.
To help protect American Academy of Audiology members, Lockton Affinity has partnered with Academy to offer their industry-leading cyber insurance product, CyberLock Defense.
If you’d like to learn more about what is included in this offering or if you’d like to request a quote, follow this link.
A special thank you to the teams at Security Magazine, Exabeam, Evolve MGA, Emsisoft, and Coalition for providing a great overview and discussion around this topic as well. If you’d like to learn more about how to properly protect your practice, please visit their websites
Jake Durham is a risk advisor at BCP Tech; a division of Baldwin Risk Partners. In his role, Jake specializes in risk management and property/casualty insurance for businesses across a variety of industries such as technology, life sciences, and manufacturing. He offers extensive experience in areas such as professional liability, management liability, technology risk management/due diligence, and cyber liability.
The American Academy of Audiology Releases Position Statement on Early Identification of Cytomegalovirus in Newborns
The “American Academy of Audiology Position Statement on Early Identification of Cytomegalovirus in Newborns” was published on March 27, 2023, in the Journal of the American Academy of Audiology and is also available on the Academy’s Practice Guidelines and Standards website, accompanied by a video abstract. Congenital cytomegalovirus (cCMV) is the leading cause of nongenetic…
2023 Academy Honors and Awards Recipients
Every year, the Academy asks colleagues, friends, and mentees to look around their professional circles and identify members who are deserving of recognition for outstanding service to audiology and the hearing sciences. The American Academy of Audiology is pleased to recognize the following award recipients for 2023, please join us in extending our heartfelt congratulations….
Audiology Practice Analysis
In 2021-2022, the American Academy of Audiology and the American Board of Audiology commissioned a practice analysis for pediatric and general audiology. The practice analysis provided the requisite information to maintain an updated content outline for the Pediatric Audiology Specialty Certification (PASC) examination, as well as to inform resource and policy development relative to various…