
Help Me With HIPAA: Ransomware – MSPs and Insurance (Ep 263)

July 24, 2020

By Anton Kiorolgo

Ransomware – MSPs, and Insurance

Let’s take a look at ransomware from a couple of different perspectives today. We have discussed how much is happening and how things are changing in these attacks. That process began in 2019 and continues today. But what if you think you are covered because you have an IT provider who takes care of security for you and an insurance policy you think will pay out if you get hit? Have you really evaluated your assumptions there? It is probably time to confirm some things on both sides.

MSP guidance from NIST and NCCoE

We may have mentioned this months ago, but this group does put out a lot of good information and continues to produce more. First, let’s make sure we cover who they are:

“The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues. This public-private partnership enables the creation of practical cybersecurity solutions for specific industries, as well as for broad, cross-sector technology challenges.”
About NCCoE

They have a lot of resources on their site, including specific sectors such as healthcare. The specific project we are interested in is the one for MSPs: Improving Cybersecurity of Managed Service Providers.

“Many small and medium sized businesses use managed service providers (MSPs) to remotely manage their organization’s IT infrastructure, cybersecurity, and related business operations. As a result, MSPs have become an attractive target for cyber criminals. When an MSP is vulnerable to a cyber attack, it also increases the vulnerability to the small or medium sized businesses an MSP supports. This page offers guidance to MSPs on how to improve cybersecurity by implementing key security controls that reduces vulnerabilities to cyber attacks.

The NCCoE developed recommendations that will enable MSPs to adopt cybersecurity technologies and techniques to improve security for themselves and their small- and medium-sized business customers. MSPs can apply or customize the recommendations to fit their cybersecurity needs. The publications below offer implementation recommendations, a reference architecture, and details specific technologies/capabilities MSPs should consider deploying.”
NCCoE MSP Project Summary

Have you ever experienced someone, maybe in the managed service provider business, who told you they didn’t need to worry about their cyber security because they had it covered? We have no doubt that some MSPs will tell their clients they have this covered and don’t need this new information. But it is always better for all of us if they review this information and document how they are addressing these recommendations for you, their client. If you are an MSP, be proactive and provide a write-up on this for your clients. It will definitely help make you look good and provide an authoritative reference for why you do what you do.

Below are some of the points covered in this guidance.

Planning is critical. Your plan should include some of the following details:

What files are being backed up? Is it just some of what you need? Are event logs backed up for forensics to use? What about your cloud services? Many groups learn the hard way that the backup didn’t include accounting or some local folder where documents are stored.

Know your RTO and RPO. It is often surprising how many people have no idea what is backed up, how long it would take to restore it, and where the restore would put them (that is, how much data they would lose).

What dependencies do you need to consider? Are some systems dependent on other systems or information being restored before they can be restored properly? What about encryption keys and digital signatures required to unlock systems once they are restored, or to be able to restore them at all?

Backup file management. Which backups are offline and secured? How many versions of your backup are created? What logic is used to create the multiple backup copies?

Develop your written response and recovery policies and procedures. Do you just assume everyone knows what to do? What if everyone you need isn’t available when your emergency occurs?
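The planning questions above can be turned into checks that run against what your backup software actually reports, rather than what everyone assumes is covered. The script below is an added example and is not code from the podcast or from the NCCoE guidance; the asset inventory, RPO values, restore dependencies and backup manifest are all constructed for illustration. It answers four of the questions mechanically: which required assets (including event logs and cloud services) have no backup job at all, which assets have a newest successful backup older than their RPO, what order systems must be restored in given their dependencies (keys and directory services first), and which assets lack enough restore points or an offline copy.

```python
"""Backup plan readiness check (added example; inventory and manifest are constructed)."""
from datetime import datetime, timedelta, timezone
from graphlib import TopologicalSorter, CycleError  # Python 3.9+

# Fixed "current time" so the checks are reproducible (constructed value).
NOW = datetime(2020, 7, 24, 12, 0, tzinfo=timezone.utc)

# Assets the plan says must be restorable, each with a recovery point objective
# (maximum acceptable data loss) and the assets that must be restored before it.
# Hypothetical inventory, constructed for this example.
REQUIRED_ASSETS = {
    "domain-controller": {"rpo": timedelta(hours=24), "depends_on": []},
    "key-vault":         {"rpo": timedelta(hours=24), "depends_on": []},
    "file-server":       {"rpo": timedelta(hours=24), "depends_on": ["domain-controller"]},
    "accounting-db":     {"rpo": timedelta(hours=4),  "depends_on": ["domain-controller", "key-vault"]},
    "event-logs":        {"rpo": timedelta(hours=24), "depends_on": []},
    "m365-mailboxes":    {"rpo": timedelta(hours=24), "depends_on": []},
}

# What the backup software reports it actually has (constructed sample manifest).
# event-logs and m365-mailboxes are absent: the "learned the hard way" case.
MANIFEST = [
    {"asset": "domain-controller", "last_success": NOW - timedelta(hours=5), "versions": 14, "offline_copies": 1},
    {"asset": "key-vault",         "last_success": NOW - timedelta(hours=5), "versions": 2,  "offline_copies": 1},
    {"asset": "file-server",       "last_success": NOW - timedelta(hours=6), "versions": 14, "offline_copies": 1},
    {"asset": "accounting-db",     "last_success": NOW - timedelta(hours=9), "versions": 30, "offline_copies": 0},
]


def missing_assets(required, manifest):
    """Required assets that have no backup job at all."""
    present = {entry["asset"] for entry in manifest}
    return sorted(name for name in required if name not in present)


def rpo_violations(required, manifest, now=NOW):
    """Assets whose newest successful backup is older than their RPO, mapped to hours of exposure."""
    violations = {}
    for entry in manifest:
        spec = required.get(entry["asset"])
        if spec is None:
            continue  # backed up but not in the plan; not a planning failure
        age = now - entry["last_success"]
        if age > spec["rpo"]:
            violations[entry["asset"]] = round(age.total_seconds() / 3600, 1)
    return violations


def restore_order(required):
    """Order in which to restore assets so that each one's dependencies come first.

    Raises ValueError for a circular dependency or for a dependency that the plan
    does not itself back up (a restore that can never complete).
    """
    graph = {}
    for name, spec in required.items():
        for dep in spec["depends_on"]:
            if dep not in required:
                raise ValueError(f"{name} depends on {dep}, which is not in the backup plan")
        graph[name] = set(spec["depends_on"])
    try:
        return list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        raise ValueError(f"circular restore dependency: {exc.args[1]}") from exc


def retention_gaps(manifest, min_versions=7, min_offline=1):
    """Assets with too few restore points or no offline (attacker-unreachable) copy."""
    gaps = {}
    for entry in manifest:
        problems = []
        if entry["versions"] < min_versions:
            problems.append(f"only {entry['versions']} versions (need {min_versions})")
        if entry["offline_copies"] < min_offline:
            problems.append("no offline copy")
        if problems:
            gaps[entry["asset"]] = problems
    return gaps


def readiness_report(required=REQUIRED_ASSETS, manifest=MANIFEST, now=NOW):
    """Combine the four checks into one report a client could ask their MSP for."""
    return {
        "missing": missing_assets(required, manifest),
        "rpo_violations": rpo_violations(required, manifest, now),
        "restore_order": restore_order(required),
        "retention_gaps": retention_gaps(manifest),
    }


if __name__ == "__main__":
    for section, result in readiness_report().items():
        print(f"{section}: {result}")
```

On the constructed data the report flags the two assets nobody configured a job for, shows accounting-db nine hours behind a four-hour RPO, orders the domain controller and key vault ahead of the systems that need them, and calls out the key vault's two restore points and the accounting database's lack of an offline copy. Swapping the constructed manifest for an export from your real backup tool is the point of the exercise.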

There is much, much more included in the planning section. That is followed by the Implementation Recommendations and the Testing/Monitoring Recommendations.

We are just scratching the surface on these recommendations. These guidelines are not suggesting anything that hasn’t been brought up as part of a proper formal plan. However, you can bet that not all of your MSPs have this level of plan in place, and they may be assuming others are handling it. We encourage you to discuss this with your vendors, and we especially encourage vendors to do this work proactively for the clients who trust you to handle their backups. I cannot tell you how excited I would be to have a provider give one of my clients information that says “we used this as a reference and here is what we have put together!”

One important thing to remember in healthcare: you must account for the forensics and potential breach notification requirements under HIPAA. You may need to consider the same under other regulations and contracts as well. Do not forget to include that in your planning, testing, and documentation.

Ransomware impact on insurance

[39:10] Back in February I had set aside an article to discuss in an episode and, well, you know what happened. The title, Ransomware Attacks Are Causing Cyber Insurance Rates to Go Through the Roof; Premiums up as Much as 25 Percent, really got my attention. This week I saw another article that reminded me how much the first one did: Indiana Court of Appeals Holds That Losses From a Ransomware Attack Are Not Covered Under Policy’s Computer Fraud Provision. It certainly brought me back to the first one.

Here is the sad point reported in the first article:

“Insurance companies are more frequently advising clients to pay the ransom when they have coverage, as that is seen as the least expensive resolution with the lowest amount of business interruption.”
CPO article: Ransomware Attacks Are Causing Cyber Insurance Rates to Go Through the Roof; Premiums up as Much as 25 Percent

Number 1, this is only making the problem worse for all of us. Number 2, we have often discussed how even making a payment doesn’t mean you will easily be back up and running in no time. Very few of those hit hard enough to have to pay the ransom are up and running quickly.

The report from these insurance industry folks says the costs are going up between 5% and 25%. As a result, everyone is trying to find a way to cut the costs. They included ideas such as having a specific ransomware policy. They suggest that high-risk companies with a history of breaches may even be forced into a policy like this, and those policies may only pay out 20% of your total claim. Ouch!

All of this means you really do need to review that coverage and understand clearly what options you may have if you are hit with ransomware or any other attack for that matter.

That brings us to our next article. In it we learn of a case where a company was hit in November 2017, before attackers were as sophisticated as they are now. The company, G&G, had all kinds of issues with encrypted files and password-protected drives. A real mess. They saw no other option than to pay those criminals.

Guess what happened!?! People always think we are just making stuff up. Well, here you go. The attacker took the payment and then demanded another payment. In fact, they ended up having to make THREE payments before they were able to get access to everything. We keep telling you: paying doesn’t mean you get out of jail quickly.

G&G filed a claim under the “multi-peril commercial common insurance policy,” which said that it covered “loss of … ‘money’ … resulting directly from the use of any computer to fraudulently cause a transfer of that property.” The insurance company, Continental Western Group, denied the claim and said ransomware doesn’t fall under that coverage. Conveniently, the term fraud wasn’t specifically defined in the policy.

It went to court, which is why we are reading about it. This is the appeals court round of arguments, and they agreed with the lower court: ransomware isn’t covered as fraudulent. Here was the quote from the ruling I found very interesting and to the point:

“Here, the hijacker did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay a ransom. The hijacker did not pervert the truth or engage in deception in order to induce G&G to purchase the Bitcoin.”
Indiana Court of Appeals’ Decision in G&G Oil Co. of Indiana v. Cont’l W. Ins. Co.

They aren’t playing around with that clarification. The court clearly sees this as a business decision that the company made, not some fraud brought against them by the attacker.

While worrying about preventing ransomware attacks, we also need to accept the fact that it is becoming more likely there will be an attack. That means the ability to recover from one needs as much attention as preventing one, including what insurance coverage you may have to rely upon.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!
