In part two, cyber experts Lauren Winchester and Joel Fuhrman of Corvus Insurance discuss the importance of incident response planning and the “one thing” to consider for cyber risk management.
Anthony Passalacqua, 0:14 : Hello and welcome back to TMLT’s podcast TrendsMD. I'm your host Tony Passalacqua, and today I am welcoming back our special guests Lauren Winchester and Joel Fuhrman from Corvus Insurance to discuss cyber security. I also have our co-host, Juan from our IT department.
TMLT is working with Corvus Insurance — an insurance technology firm — to provide our policyholders with more robust cyber risk management. Every TMLT policyholder will have a security scan of their website conducted by Corvus to detect any cyber vulnerabilities. Corvus will then provide each policyholder with their individual report identifying any risks found and how to mitigate them. Reports will be provided on our MyPortal member website for download. If you are a policyholder and want more information about how we are working with Corvus, please contact Customer Service at 1-800-580-8658.
In part one of our conversation, we discussed what proactive risk management measures there are to take for cyber security. In this podcast, we’ll discuss reactive risk management.
So what I like to think of as reactive risk management is, everything's kind of starting to go wrong. And so now you're kind of moving into more of a direction of reacting to an event versus trying to be proactive. So, one of the first questions I always like to ask everybody is, is it possible to prevent or protect yourself against every attack? Lauren, what do you think?
Lauren Winchester, 1:39: Probably not. But that shouldn't deter you from trying. You know, I think there you can talk about the proactive risk management. So, what are you doing on the front end to try and protect your system? We talked about a couple of things already that were really key, and I have a couple others to highlight as well, you know, especially specific to the kind of the ransomware threat and what we see. But when you talk about “reactive,” what you're really looking towards is, “What is our company's ability to mitigate, once the threat actor is in the system, in order to mitigate the impact of that,” right? And so, if we start with that, it's about how are we a.) early identifying that there is a threat actor in our system, right? What tools do we have in place for this early identification, including user training? Right? So, users, do you see any odd behavior on your computer? If so, is there a culture and good training that's embedded within that user to know, “I need to alert Help Desk.” We also talk about different threat detection software. Right? So, what type of software is sitting on your endpoints to help identify threats? Now, the new buzzword is EDR, endpoint detection and response - really great tools that are basically antivirus software on steroids, because they have the benefit of AI and machine learning that basically says, “This user is acting strangely. That's not how this user normally acts. I'm going to stop this process that's trying to run.” And what that process might be is a threat actor trying to launch encryption, right? So having a tool that identifies that as anomalous behavior, and actually stopping it, is wonderful. And you can also look to tools on the network level, as well, to identify, you know, odd user behavior. “This admin doesn't normally log in at 3 a.m. and try and move laterally to different systems.
I'm going to cut off their access, or at least I'm going to alert on that so that the real users can identify that and shut down that account.” So, all this to say, there are tools that can be purchased that can really help with early identification of threats, and even potentially stop threat actors. But they're only as good as who's looking at it, who's monitoring it, and we're talking about small companies, small health care practices, you know. Your ability to have the whole 24/7 SOC, Security Operations Center, probably, probably not going to have that, right? So, it's about identifying a really good managed security services provider who has a 24/7 SOC that's helping you monitor your EDR and being your partner in security that might be able to help you catch that. The other thing is putting in roadblocks for the attacker. So, when a threat actor gets into your system or has credentials, all they want to do is try and escalate or elevate their privileges, to get the keys to the kingdom. So, they're trying to go after admin credentials, administrator credentials. And if you protect admin credentials with MFA, if you have good security practices where you're not reusing credentials, and you have really good protections and controls around those credentials, you're going to make it harder for a threat actor. They're going to have to put in a lot more time to try and get the level of access that they want to your systems. And they may stop where they're at and move on to some lower hanging fruit. And then when we also talk about mitigating against a threat actor, particularly in the ransomware context, how good your backups are, how recent they are, and how well protected they are, will really be what saves you in that circumstance, as well.
So, not just having a backup strategy and thinking you’ve got good secure backups - really thinking through, “Do we have multiple copies of backups in different media, and one of which at least is off site, offline, so that if a threat actor gets in and starts encrypting data, they a.) can't get to at least one version of our backups, and they can't delete them or encrypt them as well.” Because if they can, you're between a rock and a hard place, and you're potentially going to have to pay ransom.
Joel Fuhrman, 6:11: Over the course of my 11 years of doing this, you know, the response to that question, “Can we protect from every attack?” I think the response has changed, and they've done a 180. When I first started doing this, you'd see the CSOs of the world basically say, they would take offense to even looking at, like, a cyber liability product. Because, you know, if I'm doing my job, then this isn't necessary, you know? And we have all these measures in place. And so that's not going to happen. Now that we've seen some very sophisticated attacks, nation state attacks, security vulnerability exploitation, things like that, I think just about everybody, every CSO, would say, “No, we can't protect from every attack. We can mitigate, we might be able to even eliminate the damage that can be done. But, no, we can't protect from every attack.” I think that's the response that you'd hear more often now, and that's the correct one.
Anthony Passalacqua, 7:14: So how important is it to have like, let's say, a response plan? So, we were talking a little bit about, like the backups. And we were talking a little bit as well about different CSOs and individuals like that, who are saying, you know, if I'm not doing my job appropriately, then you shouldn't have really anything to worry about, as long as I'm doing my job appropriately. What's kind of your advice to those individuals? Is there any way for you to kind of bring those topics up in a way that may help them to understand that it's not necessarily a question of if you'll ever get breached? But it's a question more of when are you going to possibly get breached?
Lauren Winchester, 7:52: Yeah, I think that's a great point, right? Though, I will say that more and more of the Information Security folks that I talk to nowadays are aware that everybody's a target. They can have the best tools, but it is really a matter of when. But um, yeah, I think talking about incident response planning is really key and also required, right? Especially within health care. HHS is definitely going to be looking to see if you had an incident response plan in place, if you were the victim of a cyber-attack and they're investigating, right? So it's really key to look at this not only as a need to have it from a client standpoint, but there's a reason you need to have it. It's very useful to have thought through this - the action of building your Incident Response Plan, your business continuity plan, and your disaster recovery plan. Just going through that exercise will highlight so many things to your organization that are needed, that it's the exercise in and of itself that's going to help you fare so much better, should you be the victim of a cyber-attack. So, when we talk about incident response planning, what's really key to that is, who's on your Incident Response Team? What stakeholders within your organization would be involved should you have an incident? And what are their roles during that incident? And start to talk through it as a group. What are our roles? What will we be doing? Put pen to paper about that. And you may have ancillary members of the Incident Response Team that, you know, if employee data is involved, we're going to involve someone from HR on the team. So, every company listening, you know your organization best, you know your stakeholders best. So, you can determine who's going to be involved in it.
And making sure you don't silo just to IT/IS, because there are, certainly within health care, incidents that involve, you know, paper; that involve people speaking in elevators about patient data, right? So, it's not always going to necessarily be a data breach that was related to the computer systems. And so, the Incident Response Plan needs to respond to more than just computer system attacks. And then when we talk about business continuity planning and disaster recovery planning, that obviously has meanings outside of cyber-attacks for health care organizations. However, both of those plans should absolutely envision or work within the cyber context as well. So, whether our EMR goes down because of a failed update, or it goes down because a threat actor is in it and we need to turn it off, it has the same implications for, “How are we going to conduct patient visits? How are we going to continue operating?” And so there needs to be that discussion of whether it's a cyber-attack or a natural disaster or something else, how are we going to recover? So again, I think it's really more the exercise of going through those discussions that really prepares an organization, not just the form and the template that you're using.
Anthony Passalacqua, 11:12: Yeah, and just again, just for any of our listeners out there, again, who are policyholders. One of the biggest things I'd love to just re-emphasize here is those security risk assessments that I've talked about. Those actually cover areas such as contingency plans, backup plans, data breaches (like what would you do in the event of a data breach) and an emergency plan. And for anyone who's out there, this isn't just for cyber-related events; it could be for natural disasters, as well. And so those different areas that we usually cover are pre-breach planning for emergencies, what to do during an attack, and then planning for the post-breach. And so that kind of brings me to the cyber insurance side. I know a lot of people are usually a little hesitant when they hear cyber insurance and it's kind of like this new concept for some individuals to kind of think about, but would either of you want to cover cyber insurance, such as how and when to use it?
Lauren Winchester, 12:13: You know, I think it's just this notion that cyber insurance can be so much more than just the risk transfer. So, you know, you can look to your cyber insurance partner to say, “How else can you be helping us?” Right, so here, we've got our in-house scan, we're doing vulnerability alerting, we're sending you scan reports, and we're really viewing ourselves as a partner in your cyber security - planning your incident response planning, and then we're here to help you should the worst thing happen and you need to respond to an incident.
Joel Fuhrman, 12:53: A lot of these incidents, as was referenced earlier, you know, they can just be that conversation in the elevator that is, you know, out of HIPAA compliance. It can be a box of files that went missing, you know, backup tapes that went missing, things like that. It's not just related to a hack. It deals with privacy in general. So, anything that you wouldn't want to be disclosed publicly. That's kind of the design, the fundamental design of cyber insurance. And, you know, if we go back seven, eight years ago, when ransomware wasn't as common, yes, we were still, you know, seeing hacks. But over half of the incidents that we saw were those kinds of things; they were accidental disclosure, people sending out mailings to alumni or, you know, members, or what have you, and the mailing label would have a social security number on it because there was a bad mail merge that happened. So, there are all kinds of privacy incidents that still happen today. I know that, you know, the hacks and the ransomware get the headlines, but, you know, don't forget that all those things are still important. They can still result in fines and penalties, third party lawsuits, and a cyber policy is built for that kind of exposure as well.
Juan, 14:14: So now that we have been talking about hacking, we know that hacking is opportunistic and logical. So, I don't know if you guys are aware of the Cyber Kill Chain. Do you guys have a step along the way of that Kill Chain that you guys enjoy the most? I like the first step. Do you guys have a specific step in the Cyber Kill Chain that you guys enjoy?
Lauren Winchester, 14:42: Yeah, I’m kind of in the same camp as you. I like to try and understand the initial points of entry that threat actors are using and work with policyholders to shore up their systems against that. So, if we know these are the main attack vectors, how do we make sure that policyholders are not the low hanging fruit, not the easiest ins, right? But I think the more challenging part of the Kill Chain to tackle is that detection piece, because the quicker a company can detect an intrusion, the better their potential outcomes, especially if they're able to detect it and start to take some action before the threat actor has launched ransomware, before they’ve really fully realized the benefit of the banking Trojan they've dropped, right? But that's more challenging. And something that is harder to sell for on the insurance end, you know, how much desire do companies have for us to, you know, get a free tool for them to download and utilize, right? It gets more invasive. And so we haven't really played in that space yet. And really, all we can do is recommend different tools and controls to put in place to try and beat up that detection time. But there's so much to solve for at the front end, with what are these initial points of entry, that that's where I've been playing the most right now.
Joel Fuhrman, 16:22: For me, I'd say ex-filtration is the part that kind of fascinates me the most. About five years ago, I spoke to somebody at one of the most sophisticated computer forensics and security companies in the world. And, you know, he was telling me that he knows there will be vulnerabilities that, at one point or another, would allow for intrusion into their company. What they can do from there is, you know, that's what we've been talking about, right? It’s all these other controls. But, you know, his fear was ex-filtration. Once that data is pulled off your system, you definitely have a breach. You know, the traditional model would be you steal that data and then sell it on the dark web. Now, you don't even really need to steal it. Because you could launch encryption software, which they often still do now. So, the majority of these ransomware attacks that we see, they're pulling data off the system. And, you know, being able to stop that, detect that, may tell you, you know, that's when you find that you have an incident - that is your discovery piece. So that ex-filtration component is something I've always been fascinated by.
Anthony Passalacqua, 17:50: My last and most favorite question to ask everybody on the way out the door: if you had to leave one piece of advice to our listeners out there, what would it be? Lauren, you can go ahead and take the first stab at that one.
Lauren Winchester, 18:03: Great question. Um, one piece of advice. I would have said MFA all day. But I think even more important is to know where your data is. Go through having a business impact assessment or a security assessment. Understand where the data is that you're trying to protect [and] what your users are doing with that data, because if you don't know where it is, you can't protect it.
Joel Fuhrman, 18:34: I think, you know, having somebody either within your organization or outside the organization that really understands this, understands the importance, understands what needs to be done, and what your budget is, is extremely important. Unfortunately, there aren't enough of those folks to go around; they're very valuable commodities. And so if you can't find and retain a person that's responsible for that, if your organization size doesn't permit it, then find a partner that does get it. So, go and find that partner if you can't bring that person in house. I think that's the one piece of advice I would leave folks with.
Anthony Passalacqua, 19:13: Great. Yeah. And for any of our policyholders out there, if your information is not updated, please contact our 1-800 number and talk to one of our Customer Service technicians. They can go ahead and set you up so that everything is in alignment and, when it's your turn to be scanned, your information will be current and updated. So, thank you very much for listening to our podcast. If you're a policyholder, please feel free to contact us with any questions by calling 1-800-580-8658 or check out our resources at TMLT.org by clicking on our Resource Hub. Thank you both. Thanks, everybody. Thanks for having us.