Scoping Out Cyber Security in Your GI Practice (On ...
Webinar Recording
Video Transcription
Welcome, the American Society for Gastrointestinal Endoscopy appreciates your participation in our Thursday Night Lights online series. This presentation is entitled Scoping Out Cybersecurity in Your GI Practice. My name is Eden Essex and I will be the announcer for this presentation. Before we get started, just a few housekeeping items. There will be a question and answer session at the close of the presentation. Questions can be submitted at any time online by using the question box in the GoToWebinar panel on the right-hand side of your screen. If you do not see the GoToWebinar panel, please click the white arrow in the orange box located on the right-hand side of your screen. Please note that this presentation is being recorded and will be posted within two business days on GILeap, ASGE's online learning platform. You will have ongoing access to the recording in GILeap as part of your registration. The slide deck for this session is immediately available for download via the handouts box in the GoToWebinar panel. Now it is my pleasure to introduce our host for this discussion, Dr. Joe Vicari, Chair of the ASGE Practice Operations Committee. Dr. Vicari is a practicing gastroenterologist with Rockford Gastroenterology Associates, which he joined in 1997 and for which he formerly served as the managing partner. He currently is Clinical Assistant Professor of Medicine at the University of Illinois College of Medicine at Rockford. I will now hand the presentation over to Dr. Vicari.

Thank you, Eden. I want to welcome all of you to tonight's discussion and presentation. Recent warnings from federal agencies regarding imminent cybercrime threats have given practices a heightened sense of social engineering fraud. This really hit home when we learned that a practice in our GI community experienced a real-life incident. Tonight we will learn from our expert panel about the tangible impacts cybersecurity has on practices and practical solutions to mitigate cyberattacks.
It is my pleasure to introduce our first set of presenters. Adam Radulovic is the Founder and President of XL.NET, an outsourced IT department for small businesses. Adam is the former Director and Co-Founder of Divine Parlano, a software company that broke down communication silos at Fortune 500 companies to optimize knowledge worker effectiveness. Divine Parlano was acquired by Microsoft in 2007. Tim Fitzgerald is currently the Director of IT for the Oregon Clinic, a large physician-owned multi-specialty practice in the Portland metro area. Tim is a member of the Association of Information Technology Professionals, the Healthcare Information and Management Systems Society, the Oregon Medical Group Management Association, and the Portland Area Meaningful Use Council. Nick Maslanka is the Technology Officer at XL.NET and has over 16 years of experience in the small business IT world. He's responsible for the strategic IT leadership for both XL.NET's own internal operations as well as for the majority of their clients. Eden, I believe we have a few tasks before we hand the presentation over to the panel.

Indeed we do, Dr. Vicari. First we are seeking three volunteers. If you are interested in having Adam conduct a live search of your domain confidentially, please use the question box to share your email domain name with ASGE staff. You can simply put your email address that includes your business domain in the question box. For example, my name or my email would include at asge.org. The first three volunteers to submit their email addresses will each privately receive an email from Adam during the presentation with live search results. We also have a polling question, so I'll bring that up now.

Thank you, Eden. Let's get started. As you can see on screen, we have our first polling question for this evening. We'll give you guys about 30 seconds to answer and then we'll see the results. Interesting.
Have you or your practice been victim to ransomware, credential theft, website hack, data theft, other crimes in the past year? 50-50 split. I think with that, we'll now hand the presentation over to Adam. Adam, take it away.

Thank you, Dr. Vicari. It's Thursday, 10:24 a.m., and our client's business-critical website goes down. Now we immediately reach out to the company, the football field-sized stadium that houses the website for our client, but the phone's dead. It's not ringing. We keep trying and after about 10 minutes, we finally get through and we ask, what just happened? We couldn't contact you for 10 minutes. Our client's website was down and the company says, we just went through a distributed denial of service attack, which, imagine having a retail store and a million cars just surrounded it. That retail store could no longer do business, which is what just happened to this location that housed our client's website. So we said, well, for some reason, the website is still not up. The servers are still offline, to which they said, well, you were the source. Their client was the source of the attack. Now a couple of minutes later, I get a phone call from our client that has their website down and it's their business-critical website. They transact over 90% of their business through the website. He says, Adam, I just got a strange email. I forwarded it to you and it went something like this: we're DD4BC. We're a criminal organization. To see that we're credible, here's a number of articles you can look at and read about us. What you just experienced was 1% of what we're capable of. We took down the whole data center that housed you and thousands of other companies so you can see what we're capable of. Now what we kindly request is that you send us 25 Bitcoins. At that time, it was a value of $6,000. And if you choose not to respond within 24 hours, that dollar amount will double every hour that you delay paying us. Now you might think that there's someone that can help you.
So if you'd like to try, here's the FBI's phone number and here's a list of four or five government agencies. Feel free to give them a call. No one can help you. Now we might do bad things, but we're trustworthy. So after you pay us, we'll never come after you again. In case you haven't transacted in Bitcoin, and they're wonderful in providing their customer service, they said we've provided some links to help you where you can use your credit card to exchange it for Bitcoin. Neither my client nor I had ever experienced an attack like this before. A distributed denial of service attack to date was only experienced by the largest e-commerce companies in the world. Our client had 24 employees and my client asked, what should we do? My first answer is we've never experienced this. I don't know how to protect you because it takes down not the equipment that you own, but the company where you're housed. Really there's nothing that I feel like is even in your control. So I recommend to pay it. Now we won't have to trust that they won't come back. So we can start preparing for a second potential attack, but pay the money and let's buy us some time. At that point, there's about 18 hours left in that 24-hour clock. He said, well, Adam, we'll think about it. But in the meantime, why don't you see what you can do, what you can do to protect us? And I said, well, you know, I'll try. I've not heard of anything except I remember a rumor of how enterprise companies maybe have some service that can help. So I'll try. I hung up the phone, immediately called the company that I heard of that potentially can help here, and they described their service. Think of a P.O. box when you send mail. The reason why people use P.O. boxes sometimes is to keep their address private. And this service worked in the same way. So the attackers would then go through a P.O. box, which would decide which actual internet traffic belongs to you and send just the healthy traffic to your website. So I gave the company a call.
Someone picked up. I said, I need help. Our clients are being attacked by a criminal agency. And the first thing that they responded with was DD4BC. I thought it was really strange. I'm calling this company called Cloudflare. And how did they know that my client was experiencing an attack from a criminal organization called DD4BC? So I asked, well, how did you know? Well, we've had a slew of these the last couple of weeks. And the good news is we can absolutely help. I said, great. And how much does it cost? It's $5,000 a month. And I remember my client has 24 employees, $5,000 a month. I was assuming it might be a little bit out of their price range. So I said, are there any other options? Is there a lower cost offering you might have? He said, well, if you've had experience implementing our solution, you can do the self-implementation for $200 a month. I said, all right, I'll give you a call back. I talked to my client. I called my client. And after I gave the first option of $5,000 a month, he had some colorful words for me, which I assumed meant no for that offering. And then I said, well, if we buy some time, we can figure out that $200 a month most likely. But the level of implementation for this, it would probably take us a planned 40 to 80 hours to do it. And now we have about 15 hours left. So if you could pay that ransom, just buy us some time to allow us to do this implementation without causing any negative impact to your environment. And my client, I think at that point had a lot more faith in us and how we could figure it out in 15 hours. He said, you know what, we're not going to pay. But go ahead and purchase that $200 a month solution. And I know you'll figure it out. That's probably the worst thing I could have heard. So it's just now all on us to see if we could save them. And that Friday, that next immediate day, was their busiest day of the month. So I knew it was a tremendous amount of business that they would really suffer if we didn't succeed.
Luckily, we got three of their staff to work with three of our staff overnight, and by 6:30 a.m., before they opened for business at seven, we thought that everything was up and running. Seven o'clock came around. We're still okay. We're about an hour from that 24-hour clock, a couple of hours from that 24-hour clock. That 24-hour clock came, 10:24 a.m. on Friday, and nothing. And we could see some level of attacks from foreign countries coming through. But it looks like that solution was successful. 15 minutes later, we got another email from DD4BC and they said, we see you've maybe chosen to ignore us. So we're going to give you another day. Make sure to pay up in the next 24 hours or we'll do as we said we would. And that was the last time that we heard from them. So lessons learned. This was a new lesson for us. The lesson learned for us is we need to have a process of how we acquire these lessons, how we gather them, and then how we apply them on an ongoing basis. And this lesson in particular was the P.O. box type solution from a company called Cloudflare.

Just a little explanation on Bitcoin. I think by now most people are familiar. It's a decentralized anonymous digital currency. And it was created in October of 2008. And the way that Bitcoins come into existence, it's complex mathematical calculations that do what's called mining, which is basically a computer doing massive amounts of computations for some period of time before it produces a Bitcoin. And a Bitcoin today is valued at almost $31,000 and it fluctuates quite a bit. When this occurred with a client, it was $240.

We have now the next polling question. So what makes criminals more money? Illegal drugs or cybercrime? Okay, that was a lucky guess considering the name of the presentation today. But you're right, a tremendous amount more. Now does it matter for small, medium businesses?
Two-thirds of small, medium businesses were breached in 2020, and you probably won't be surprised because earlier today we did that poll that half of you have experienced some level of breach in the last 12 months. And a good chunk of breaches aren't even detected. So I'd assume it probably is two-thirds, and some of you are maybe not aware of being compromised. By 2025, it's going to be a $10 trillion industry. With that, I think we're ready for the next case study. Off to Nick.

Thanks, Adam. Let me get out of my bunker after hearing that one. So I have a little bit of a different story. One of our clients, just to give you some backstory on them, they run a large number of consumer shows throughout the year, and they're all done between December and March. And this represents about 70% of their revenue for the year and about a significant percent of their net income, so it's go time. Around Thanksgiving through the end of March, it's make or break. So when I get a call in early December from one of their VPs, the call was that they had lost $450,000, and they didn't know where it went. Now, I had to have him tell me again. I couldn't believe it. I could not believe that you could just lose $450,000 quickly. So what happened? Well, about four months earlier, somebody in their accounting department who had their personal cell phone and had their company email on it was at a Starbucks or a Dunkin' Donuts. He was at a coffee shop, and somebody happened to be on that Wi-Fi sniffing around and seeing devices that were out there. This person had his name on the phone, and somehow this hacker was able to target him specifically through a social media post, which then led to his cell phone getting compromised. From there, the hacker learned a little bit about him and sent a specific email to him to his work email address. At that point, he had this employee's company email credentials. He didn't stop there.
He spent the next four months learning how our client does business, who they do business with, and other employees in the organization down to the organizational chart. So they were able to detect who else was in the accounting department, use similar social media attacks, and they were able to ultimately obtain the credentials of half of the accounting team. From there, they learned who they do business with, including a major contractor who builds the shows for them. They created a brand new domain name that had one character different than the actual vendor. They created mailboxes of people with the same names of the contacts of that vendor. And using the encrypted and secured mailboxes, they redirected legitimate emails to and from our client from this vendor into a separate folder that the users couldn't see. And they started interacting with our client, pretending to be the vendor. They waited until it was their show season and used a legitimate PO number from our client's accounting system to submit a payment request for $450,000 for legitimate work that our client was actually paying to get done. The dollar amounts matched, everything matched. The difference is about a month before that payment, our client got a request in email from the vendor saying, hey, we changed our bank information. We need you to submit payments to a new bank. Our accounting had practices in place to go through multi-step verification. Our client should have called to verify, hey, are you sure you want us to change that? But at the time, because it was their busy season, they overlooked it. It was a vendor of a longtime relationship. They didn't think twice. Luckily for them, about 20 minutes after they remitted that payment, the accounting person on my client's side had just had a family incident happen. And our vendor called them to see how she was doing. That's the only reason our client found out they had just made a $450,000 payment to a fraudulent account. So what happened? 
What do you learn from this? How do you prevent something like this from happening? Well, the biggest piece of it, the biggest thing you can do, as close as you can get to secure these days, and just to be clear, there is nothing that you're going to get 100% secure. It's an unfortunate reality of the connected world in which we live. It's something called multi-factor authentication. You all have it when you log into your bank. You should have it when you connect to anything that's accessible on the internet. Your personal email, your work email. If you have a web portal that your patients log into or your clients log into, it doesn't matter. If it has anything sensitive in it, you should protect it through multi-factor. There are a lot of ways you can do that these days that don't require you to go through a four-step process every single time you log in. Technology has come a long way. The next step is having those accounting practices in place that actually protect against this. The ironic thing is in the next three months, we had three other clients run into the same exact type of threat. The client I'm talking about today is the only one who got breached because they weren't following their own process. You need to train on this process. You need your team to know about it, and you need to have logs to audit it to make sure that it's being followed. The next piece is security training. Hackers don't just target technology these days. People are a heck of a lot easier to hack. It's just the nature. We're trusting. Human beings are trusting to each other. Instead of going after technology that can be hardened, they go after people. With social media connected these days and everybody being able to connect to work and stay on your phone, it's harder than ever to keep it safe and to keep your work and your personal data separate. Having security training in place helps your staff and empowers your staff to know what to look for. 
The last piece is the value of having cyber insurance coverage. One of the reasons that our client was able to recover the majority of that money is because they had cyber insurance coverage, and that coverage paid for a response team who deals with active hacks day in and day out, who actually, just like Adam's example, were familiar with the entity who was executing the hack. They knew exactly who to look for, and they knew how to go after them. It prevented our client from losing almost a half a million dollars. With that, I'll pass it over to Tim.

Thank you, Nick. I have another similar story. Our story, like Adam's, I remember the date. It was March 9th of 2018 when we experienced our breach. I remember it because we were returning, myself and our operations manager were returning from the HIMSS conference. It was a Friday. We were just heading back. As we were going to the airport, we started getting Skype messages, text messages from various people asking, is there something going on? Which is a big red flag and difficult to do from a cell phone. We started scrambling to figure out the facts, started to try to figure out what mitigation steps we could take right now, and got our security people involved, got our network admins involved, talked to HR, started communicating internally that there was indeed something going on. We figured that it was a breach, and indeed it was. Basically what happened was a single phishing email was successful at getting through to a user, capturing a password, and that user from outside got into our network and started actively looking for ways to monetize the breach and to expand their access. This was all happening very quickly. It was very scary for our users. We had people calling and messaging, not knowing what to respond or asking who was doing something.
So the two stories that get passed around frequently in our company, one was that this hacker who'd got in started Skype messaging people within the organization, similar to what Nick was describing, trying to put together our org chart to figure out how they could monetize this breach. They were actively engaging other people via Skype to give up passwords, including our own IT people, which was very scary. And by the time that all started happening, we had a good idea of what was going on. And our IT people were not quick to give up their passwords, so that was terrific. And so the other scary story that gets passed around our company is that the first mitigation step we did, obviously, for this user who had been compromised, was to reset the password. So first thing, we reset that password. Immediately, that user received a phone call from outside of the organization saying, I'm from IT, we're trying to unlock your account, what is your new password? And so luckily, by that time, everyone was involved, and she was scared enough to hang up the phone, but it really put a sense of fear into that person and into everybody about how quickly the situation developed and how easily it could have been much worse than it ended up being. So after we got through that initial mitigation phase, we started in with the phone calls and with the recovery. So one of the first things that we did was engage with our staff. So we started the communication plan internally, and we had already been looking at this product KnowBe4 to really tighten up our engagement with users on phishing threats. So that was a key takeaway for us from this event. Engagement with management and leadership on these risks. So we also use KnowBe4 for that. So once a month, we go through our dashboard reporting on our security stance in general, and a big part of that is where we're at with our testing. So we're constantly asking our users to train and test.
The one thing that we learned, the multi-factor authentication, as we learned as we went through our cyber insurance and got involved with our forensics people and the legal team, the one thing that they recommended was the multi-factor authentication. Basically our attorneys said, people that use multi-factor authentication consistently don't have these types of breaches. And then the last lesson learned was the role of cyber insurance. We had never used our cyber insurance before this incident. And it was vital in getting us back on track. So all of the things that we hadn't really thought through, they helped us with and gave us a solid plan to work with. So they looked at our mitigation plan that we had done so far and suggested additional items that we could do. They helped with the forensics for the attack. They did a legal assessment, they did a risk analysis, looked at our security stance and helped us with all of our internal and external communications about the event. So we did learn a lot, which was great, from that incident. And I think that's it.

Thank you for sharing that, Tim. I think at this point, Eden, if you wouldn't mind refreshing everyone on how they can enter questions.

My pleasure. Thank you, Adam. As a reminder, questions can be submitted at any time online by using the question box in the GoToWebinar panel on the right-hand side of your screen. If you do not see the question box, please go to the white arrow in the orange box located on the right-hand side of your screen. And our first question is, can VoIP, I think that's voice over internet protocol, phones be hacked? A patient states that they called my office, dialed the correct number and was connected to another doctor's office. Is that possible? How can I prevent it?

That's a great question. I don't know if Tim or Nick, you wanna answer that one? I can give a summary: anything with technology can absolutely be hacked.
You can have alternate caller IDs relatively easily spoofed with voice over IP, and the whole voice network underneath is really voice over IP anyway now. Yeah, we frequently see those spoofed caller IDs. That's a common problem for us. So yes, I would say that it can be hacked in a variety of ways. And the question, what you can do to prevent it? I don't know if there's any recommendations.

This is Nick. Unfortunately, just like the email protocol, the voice over IP protocol was created before we really needed to worry about security. So in the same way, just like a number of the examples we had earlier, a lot of it goes back to empowering people. So I think in this case, if it's a patient's phone, I would, without knowing specifics, I would say, hey, just make sure that there's a bulletin on your website, have your standard greeting so your patients know exactly what to expect. So that way, if they get something different, then that will already tip them off that something isn't right. It may not be preventable, but there's ways that you can ensure your patients know who they're contacting.

And our next question is, well, they give a bit of a scenario. They say, fortunately, this wasn't me, but my next door neighbor's company experienced an attack. They went to pay the ransom and the hacker was already gone. They could not apparently fulfill the transaction. And the company was at quite a loss. What would be your recommendations in the future if I had such an experience?

I can tell you what I tell others. To date, I haven't seen one hacking group not honor their exchange of money for decrypting what they've held ransom. You have to make your own decision. In October of last year, our government gave some guidance that there's a couple of flagged hacking groups that you're basically not allowed to provide ransom money to, even if you're held hostage. So you gotta be a little more careful. I recommend working with your insurance company.
They're very well-versed now in how to handle hackers and which groups they can work with and which ones they can't.

Adam, if I can also add on to that, the best way to protect against ransomware attacks like that is through effective backups. If you have backups in place, not only at your office, but also at a separate protected location, you're able to insulate your data from the fallout from that attack.

Excellent, gentlemen. Our next question is, do cloud services create new cybersecurity threats or cybersecurity issues?

They sure do. I mean, our phishing expedition was through Office 365 Cloud, which many people use, and I would say that's a definite yes.

And our next question, it's actually three different questions. So I'll ask them all at once, and if you need me to repeat them, you just let me know. What about biometric authentication? What about encryption for patient records? If that is recommended, what is the best way to go about getting everything encrypted?

So the questions that were, hit me with the first question again. Sure. So the first one is, what about biometric authentication? As long as it's in combination with another factor, the more, so if you have a private password plus that, it absolutely reduces your risk significantly. So when you've heard the previous case studies, two of the three talked about two-factor, multi-factor authentication. This would be considered, biometric would be a second factor. Yeah, and we use biometric. An easy one for our doctors is a touch ID on the cell phone as another way to approve that second factor. That's easy. It's common, they're used to it, and it works well. I believe the second question was something around encryption. Yeah, and I don't know if maybe Tim can start with this and hand off. What about encryption for patient records? Are you doing that, Tim, or? Yes, that's kind of a baseline for patient records.
As far as the best way to do it, I think that would really just depend on your own environment. There's a few different ways to go about it, but I don't know. I wouldn't have one to recommend specifically. And finally, so they all kind of, three questions work together, but if that, I think they were asking if you would use biometric encryption as part of your patient records, and if that was recommended, what's the best way about getting everything encrypted? So I think I heard you say, Adam, that anytime you add more layers, it's gonna be a good thing. Correct. And it probably depends on what software they're currently using with their patient records. It's probably, I'm guessing if there's an option with that provider to do the encryption at rest, is how you phrase that. Yeah. Wonderful. Well, that is the last question that we've received for this segment. If you'd like to move to the next segment.

All right, let's kind of bring it all together. So the first, I want to review some of the high-level risks. Your IT or security process is really the first starting risk. You need to have a way of gathering these lessons. Today, you've heard a couple. And then once you've acquired them, you need a way to predictably apply them and check them through audits and controls to make sure they're still relevant. Two, most of you on the call are probably not part of Fortune 500 companies with unlimited budgets. And you're working with a limited budget, so you have to figure out, what are my highest risks that I need to address first and how do I get them prioritized? And then your third, two of the three stories involved a staff member accidentally and unknowingly exposing the whole organization. So it's the training assessment of your staff. So let's go through some steps of what we can do on the next slide. Number one, I don't know if we beat this one enough. Cyber attack insurance, I recommend at least $2 million worth.
I had a friend of mine that last week has a $30 million a year business. He got hacked. They were down for a week and their total loss was $4 million from it. So it's probably one of your most used, unfortunately, insurance policies. So security risk can't be eliminated. I think you heard that from Nick earlier. All you can do is reduce your risk. Like a school of fish, you wanna be a harder target than everybody else, swim a little faster. And just get this insurance. It's a really inexpensive insurance. I'm glad we have Michelle coming up a little bit to educate us after this. Two, Nick mentioned it in one of the questions and answers, off-premise backups, which means that your backups are not accessible to the internet and they're somewhere separate. This is because most hackers have gotten a lot more adept at hacking. They know if they're gonna hold you hostage that you might have backups. So while they're in your environment after a breach, what they typically look for is to find your backups and any off-sites that they can get access to. And they'll orchestrate an attack at the best time and first wipe all your off-sites and your backups they can get access to before encrypting your environment. So make sure your backups are off-premise and not accessible. Do an annual fire drill. And the fire drill is not when the hackers hack you. Let's just do a fire drill, do a simulated attack. How do we act? Let's say we got hacked right now. What's our plan? How do we go through it? Just like we all did in grade school, time it and then just grade to see what worked well and what didn't. The next component, which has maybe been mentioned a little bit less, I won't go into great detail, but I wanna highlight it so you're aware of it. Have a standards-based information security policy. There's really only two major standards out there that most other regulation is based on. NIST 800, which is a national standard, and then ISO 27001, which is an international security standard.
As part of doing this information security policy, you're gonna wanna put together an incident response plan, which I believe Tim talked about how that got enriched with the help of the insurance agency, a security standard operating procedure and a change control SOP. So step two, again, apply those lessons. The two that I bolded on here, if you don't take anything else away, you get cyber attack insurance and you do these two things. Implement two-factor or multi-factor authentication on any of your critical, important systems, especially email and remote access, and make sure that you have advanced security training for your staff. And then here I referenced KnowBe4 a number of times. Oddly, Tim and I didn't know each other at the time that we became aware of KnowBe4, but it's a really amazing solution for how you drive down risk in your organization and how you do assessments on a regular basis to see how likely your staff is to fall victim. The other two components: the Center for Internet Security provides the top 20 most breached controls, and if you put these 20 in place, you'll take care of about 98% of the risk. And work with IT security firms, maybe to get a penetration vulnerability test, to see if they can enrich the lessons that you have with some best practices to help mitigate and reduce your risk. And two, you gotta audit, you gotta keep testing. Security is more of a process than buying just a magic bullet that's gonna get rid of your risk. You gotta continuously recur these audits and tests of your security posture. All right, I think we're ready for the next. I know it's daunting. Here's my email. If you have any questions, shoot me an email, I'll try to help you as quickly as possible.

All right, so the dark web, if you've ever heard the phrase, is that hidden internet that's mostly comprised of people that wanna do illegal things and not be caught. What I have open here is an organization that has access to a lot of the dark web.
They're basically anonymously going into these locations where hackers are transacting business and selling people's private information. We're able to do a live search on any company, really any domain that I put in here. I'm able to see, and I'll show you what level of data I'm able to see by doing our own company, excel.net. And again, if anyone would like their own company searched in this fashion, you can shoot me an email. And for the first five people that shoot me a note, I'll privately send you back what is right now on sale with your company data in it. I'll acclimate you a little bit to what type of things you can see. You'll see the date that it was compromised. You see the email address, see me in there as well, where this data breach happened. This is Apollo. And in many instances, you'll be able to see the first four letters of the actual password. The number of times I've done this, and I've probably done the search 500, 600 times, 100% of the companies that have been in business for two years, we've been able to find passwords of at least one or more staff members in their company. So if you'd like to break that 100% streak, shoot me a note and I'll send you back what we found. The point here is you cannot rely just on a password anymore to protect your valuable data. You have to implement two-factor authentication. Okay, next polling question. Do you carry data breach insurance? Yes, no, don't know, which I've gotten enough. And what is it? Impressive. I typically see around 10 or 20%. This, even though it seems low at 35%, it's certainly better than I've seen in the past.

Now it is my pleasure to introduce our next speaker, Michelle Hooper. Michelle owns Illinois Select Risk, an independent business insurance brokerage with particular expertise in nonprofits and professional services. Consulting with clients to make them insurance-ready is a key part of the consultative work Michelle offers.
Assisting organizations with establishing procedures and educating them on what makes an attractive client to the insurance carriers is part of building a risk-aware business. Michelle, the proverbial floor is yours.

Good evening, I'm Michelle Hooper and I am an independent broker and I will be talking to you about data breach insurance. So if our previous panelists haven't totally terrified you at this point in time, I hope you'll tune in and listen about cyber insurance, data breach insurance, privacy insurance. A lot of the terminology is very different between the industry experts, but it all means about the same. If you said yes, that you already carry cyber insurance, don't tune out. There's still valuable information to be had towards the end of this very brief presentation. For those of you that said no, I don't know, or what is it? I have a feeling that a lot of the no's have to do with one answer. And that is, I have an IT guy. I got an IT guy who I hire, or I have a vendor. We're gonna skip that for a moment and we're gonna move on to a very important point, which is who is responsible for the data. Regardless of who hosts it, regardless of who's supposed to be the gatekeeper, you are the data owner. On this slide is a real-life example involving a hospital where the IT vendor made the mistake, but look at the bottom of the slide. The hospital is ultimately the one that had to pay for outside legal support, forensics, the by-law notification services and credit monitoring, and wasn't yet investigated by the OCR. So again, regardless, you are the owner and you are on the hook. And if depending on an IT vendor or your own internal IT security is what you think is the best answer in protecting your risk, I'm here to tell you that the major causes of claims can't be controlled by your IT department or your vendor.
As the gentlemen before me have said, about half the data breaches or the problems come from insider negligence, stolen or lost media, employees' actions, Nick brought up an excellent example of an employee who didn't follow protocol, improper disposal of records. And by the way, cyber insurance does cover paper records, which I know in the health field, there's still a plethora of records in paper form. So dumpster diving, fax machines that are retaining the records of anything that was faxed, copiers that may have a copy-to-email feature, all of that stores data. And then the hacking, the viruses, the malware and the ransomware that the gentlemen talked about before. So with this info in mind, why don't you have insurance if you don't have it? We've already talked about the fact that one of the biggest dismissals of why you need insurance is I have an IT department or a vendor that takes care of it, but they can't control your employee errors. Or we're a small practice. 43% of cyber attacks are happening on small businesses because they assume you're vulnerable. So they're looking for your very small size. We don't use a payment processor for our credit cards or we use a payroll service. Again, you are the owner of the data regardless of who's processing it. And if you wanna get into the weeds and the size-four font in your contract, you're gonna see very quickly, they're not taking responsibility for anything. Well, we don't do any business over the internet. Well, do you do online banking and bill paying? That's kind of over the internet. Well, we don't have thousands of records. Maybe not, but you have enough between your employees, both current and prior, your patients and every financial transaction that you make; all carry some kind of protected data. Well, our employees would never be fooled. Clearly we've already seen that that's happened, and not that they're foolish.
The smartest people on the planet are getting fooled by really high-quality, legitimate-looking types of scams. And we have top-notch security? There's no such thing. So have I covered off most of the reasons why those of you who haven't purchased insurance or don't know if it's for you, did I cover pretty much everything? Well, hopefully I did. Those are all big assumptions, and they are incorrect assumptions about why you don't need cyber coverage. Here's a very simple view of a data breach. You've got the immediate problems that you need to dive into. That's time, that's money, and that might be your practice being temporarily unable to work with patients. Then there's the longer-term things. My big question to you is, if you don't have an insurance program that's taking care of this, who is gonna manage and coordinate all of these things and all of these things on your behalf while you're still trying to run your business? The most important thing to take away from this presentation today is you own the information, you need to read your IT contract, which will probably frighten you into thinking, into understanding what you didn't understand before, and that financial protection for these types of cyber problems is available through specialized insurance. Now, for those of you that said yes, this is the part where you need to tune back in. What to look for in a policy. Definitions are critical to coverage. There are some really rinky-dink insurance products out on the market, and there are some very good, robust coverages. This first one right here, computer systems. Employee-owned computers and devices. Nick spoke to this earlier. There are companies out there that don't provide protection. If that data breach occurred as a result of your employee using their own laptop, their own computer, their own iPad, or their phone, there is no coverage. So you need to make sure your policy discusses employee-owned devices.
Since March 2020, cyber claims stemming from employee devices have exploded. More companies are getting up to speed and are adding endorsements and expanding coverage, but depending on what you have right now, you might not have it. The other definition you need to look for is an employee. Who is defined as an employee? Seems really straightforward, right? Well, no. There are some products out there that if you were the owner of your own practice, and it's Dr. Michelle Hooper, and my name is on the business, I'm not covered for actions that I perpetrated. So my business might suffer because I was the person who caused the problem. Again, those tend to be some of the rinky-dink type of policies out on the market that are very cheap. So you need to be careful about that. One thing, and I'm so glad Nick brought this up, was social engineering, cyber fraud, and fraudulent instruction. And the critical, critical part of your business is to follow those processes. One thing you need to very much pay attention to in your policy is, does it include coverage if an internal procedure was not followed? There's a lot of products out on the market that will not include it. You were supposed to call when that vendor said, we're changing our bank, and you were too busy and you didn't do it. Sorry, there's no coverage. Or do you have a no-fault coverage where the product is written because they understand people are stressed and working under deadlines and making some assumptions or having a bad day? This is very, very important when you're looking for the definitions in your policy. And then silos of limits. If you buy a $2 million policy like Adam talked about, is it $2 million for claims and then a separate limit for cyber crime and fraudulent engineering and a separate limit for notification and legal and fines and penalties? Or is it one bucket of money to handle every type of expense and potential claim payout that you have?
So the final question that I have for you, if you don't have coverage or you don't even know if you have coverage: what would you do if you opt out of insurance and think that it's not really worth your time or your money? How much money are you gonna put aside on your balance sheet in reserve to pay and respond to potential breaches? What vendors have you already identified and have in your electronic Rolodex to handle forensics of how this hack happened? Who's gonna provide the notification services to the patients that were impacted and your employees that may have been impacted? Who's gonna be a good cyber attorney to handle any potential fines and legal issues? And what would be the very first action that you take? Or you can have insurance in place and you call your carrier or you call your agent. And with that, I am gonna turn it back over to Adam for our final Q&A.

Thank you, Michelle. So we have an offer for the security training that you heard both Tim and me reference. It's called KnowBe4. And the offer is for up to 50 staff members, $2,000 per year, an extra $25 per year for each additional staff member. And this cost includes all the initial setup. So whoever is on your IT department, or if you don't have somebody, we'll make sure it gets implemented and set up the right way for you to start assessing and seeing what the level of phishing weaknesses is with your staff and the ability to assign training for that staff. And you can contact the ASGE customer care team at 630-573-0600 for more information and get set up. I think now we're gonna open it up to questions. And our first question is, I would like to check with our principal owners tomorrow. Can I have the email so I can respond tomorrow? So did you wanna, I think Cheryl's interested in responding to the offer.
So if you can just contact ASGE customer care, or she might be wondering if you can do the, she might be seeking permission 'cause we haven't been getting too many volunteers, Adam, for our little test that you were gonna run. Is she able to contact you tomorrow and you'll give her that consultation? Okay. Yeah, that adam.xl.net. And then Adam, we did send you one email address. Was that one that worked for you? Or I'm not sure. Unfortunately it wasn't a work email, that's a personal email address. So the domain, which is after the at sign, needs to be a company-owned domain. And the one that was listed was a public email address. Okay, so nobody can use an @gmail or an @yahoo or anything like that. It needs to be like @asge.org. It needs to be @target.com, something like that. Correct.

So Tim, from your experience, what were the first things that went through your head from experiences you've had in terms of cybersecurity? That made you really, prompted you? Well, we really weren't sure what to expect. So there was, from our carrier, luckily I feel like our coverage was very good. It wasn't one of the rinky-dink policies like Michelle was talking about. So I was amazed at just the level of detail and the quality of the people that we had responding. So the immediate thing that they did was to look at our mitigation steps that had been taken. So my staff was really good about documenting what had been done. And they gave us really good recommendations to make sure that the event itself was over. And then the other piece that was huge for us with the cyber insurance was they explained to us the notification process, the external notification process, the Office for Civil Rights and our own internal communications, what to share and what to keep internal to our core team that was working on this.
Things that I wouldn't have really thought of that it's easy to look back now and know that we needed to do, but they really helped guide that process and get us where we needed to go. Thank you so much. And now the questions are coming in. So our first question is, what are the first things I should do when breached? Michelle would know the answer. Call your carrier immediately. I second that. That's exactly what I did. It's amazing how much they take care of the whole situation and the level of professionalism they take into account. There's really no way for any of us individually to act the way they do because they handle this day in and day out. And I cringe to think of this, but if you don't have coverage and you're breached, it seems counterintuitive: don't shut the systems off. If you get law enforcement involved, they can do things forensically while the systems are still turned on that they cannot do when it's off. When you turn it off, you cut off any chance of actually getting any sort of forensic results. So just keep that in mind. Our next question is- Update your resume. That's always a big joke. Our next question is, are there companies that can send fake phishing emails that can test our employees to see if they click on the link? That'd be the KnowBe4 solution. That's exactly what it does. It does simulated attacks on your staff with the current advanced methods in attempts to trick them into making a click. Once they click, they'll be brought to a page that says, we got you. You shouldn't have clicked there. And it explains why. And they have the option to configure it in a way to force them then into training, depending on how many times they've been tricked. And it escalates. The first time maybe it forces them into 15-minute training, 30-minute, hour. If they get past that, that probably at some point becomes an HR issue. Yeah, ours is set up to escalate the notifications as well.
So the first time that that does happen, but the next one goes to the manager, the next one just gets more escalated from there. Wonderful. Our next question is, is there a reliable rating source for cyber insurance companies? Michelle, maybe you could start with that. I'm not sure what you mean by the rating source. Are you talking about like an AM Best rating? That is easily found on the internet, on the insurance ratings. And a lot of these carriers are, there's just so many layers of who's the parent, but there's a lot of really good carriers out there. Beazley and Hiscox and Axis, a new company out of California, Evolve. A lot of them end up using a Lloyd's of London insurance paper, the paper that's the product that's behind everything. It's just they crafted coverages specific to who they want to target as their client base. There's a lot of ones that will be sold as part and parcel of your professional liability or your general liability. And those tend to be very expensive for not very much coverage. They pretty much just offer you coverage for notification. It won't be fines and penalties. It won't be forensics. It won't be a lot of the important things. So just because you think you have cyber, you need to go back and look at those definitions that I was talking about. What is actually covered. Our next question is, what are the considerations one should have when deciding the amount of coverage that's needed? And can you give any ballpark estimates on cost? I can take the cost one. Every carrier is gonna price their premium a little differently. Some rate on the number of average records that you have, some will rate on revenue, and some will just rate on a very long and involved eight-page application with all your security protocols. And that's when you usually have to call somebody in to answer it, which is really frustrating for us as agents. I can't give you a cost.
If you are a small organization, maybe a dozen employees, but you're not holding HIPAA records, and maybe you're just doing counseling records, it's probably a million dollars of coverage for about $2,000. But the bigger you are, the more records you have, and the fact that your records are either financial or HIPAA-related are gonna bring up the cost. My question to you would be, how much money have you set aside if you don't wanna spend a couple of grand? And how high is up in terms of fines and penalties? In Illinois, if you are considered reckless in not protecting your records, it's thousands of dollars per individual patient record. I hope that answers the question. Very helpful, thank you. And you may know that for GI, we have a lot of small practices that we work with. Sometimes they're solo practitioners. So we have a question about expectations. Should my IT company be providing security training for my staff? Should they have that expectation of their IT company, or is this beyond that? That's a great question. And it probably goes into the assumption that most have when dealing with their IT firm. And the assumption is, well, I hired an IT company, so they handle all the security and everything else, right? The truth is, even though they both work with computers, those are two very different disciplines. IT firms and security firms are two different companies, minimally two different departments. Tim, I believe in your staff, you had to designate a previous IT person to be the security manager because it's such a different world. So I would not expect that from an IT firm. It would be great if they made you aware of it. If they haven't so far, you've now been made aware of it. KnowBe4, very affordable, just like cyber attack insurance. If anything, take those two takeaways and multi-factor authentication, and you'll be far better than before joining this webinar.
And if you purchase the cyber policy, most of the good carriers out there have all kinds of services. So if that KnowBe4 is out of your reach financially, there are options through some of the carriers that will provide that. There's a lot of free stuff in your insurance policies, and it's kind of incredible how many times policyholders just don't take advantage of it. Some of those carriers can also talk to you about best practices. They'll have a portal. You can go on, you can answer some questions, and they'll say, yeah, that's a red flag. That's a problem. You're okay there. So in trying to figure out what money you have to spend, sometimes that stuff comes free with a good policy. And we did get a clarification. Michelle, going back to you, we had the question, is there a reliable rating source for cyber insurance companies? And the person did want to clarify they're looking at the rating of the quality of the product, not the financial strength of the parent company. So would you have any additional information there? Nope, I'm sorry, I can't. What it really is, it comes down to the definitions. It comes down to the robustness of the coverage. And right now there's so many claims being paid. I would think, I don't know, Adam, what do you think? In another six to eight months, there's going to be some Yelp reviews, so to speak, of cyber policies out there. But right now it really boils down to the definitions of the coverage. And if your broker has never heard of them before, probably not a carrier that you want to go with. I'm sorry, I can't be any more specific with that. A lot of this stuff is all emerging every day, every week, the changes that are going on in that industry. And I understand the source of the question, kind of to what Michelle said, where I usually guide people. If your broker hasn't started to educate you on it, it's probably a little bit of a red flag for me.
The reason why a lot of them haven't focused on it is, as Michelle mentioned, it's a really low-cost coverage to get, which should be surprising, not everybody has it. And that broker usually doesn't make a significant amount of money on selling those. The commission from selling you something that's $2,000 or $3,000 a year isn't significant for them. So I'd first find an insurance broker that kind of cares and wants to educate you on what's available. Your question about ratings, it's going to go down to the language and what exclusions probably are in that insurance policy. The more exclusions, the worse probably that policy is. So you want it as inclusive as possible, because you're not going to be able to think of all the scenarios, and that landscape of security is changing daily. And our next question is, how do we deal with the risk presented by our electronic health record vendor? And I just want to note that, again, a lot of these small practices out there, sometimes they're cloud-based and sometimes they have their own server. So can you address that with both scenarios there with your EHR vendor? Tim, this is me. Start there. Now, at that point, I'm out, and these guys will have to. Yeah, that's kind of a tricky one. We work with our vendor to make sure that we're following best practices. Like Michelle was saying, contract language. We make sure we're doing our part by staying up to date with operating systems and all of the stuff that we're doing, and we rely on them for some of that security. But it really is just having that conversation with your vendor and getting a sense that they take security seriously and that they are taking actions to show that as well. If you're, oh, go ahead. I was going to say, security in one word is proactive. So don't assume that any of your vendors or anybody who's associated with technology in your firm is going to come and tell you that you need to do X, Y, or Z next. Ask them on a regular basis, minimum quarterly.
Reach out to account reps or support if there isn't an individual person you work with on a regular basis for vendors, and ask them, what are your current standards for security? What is coming next? What should I be doing? It's all about being proactive. Thank you. It doesn't have to be with an asset question because honestly, the IT world is so scary and the terminology and the acronyms are just flying at you all the time. When Nick's saying to have that conversation, you may have to find somebody to have that conversation on your behalf if you don't know, if you don't feel confident in what you're asking about. There's a lot of IT people out there and, like Adam was saying before, there's people who present themselves as IT professionals and really what they are is a glorified help desk. How to network the printers and the fax machines and everything else. That is not an IT person. But if you don't know, find somebody who knows who can ask on your behalf.

And I'm going to ask Dr. Vacari to come in. I think he has a little question for the panelists. As we've done throughout our webinars over the last year, we'd like to end the question and answer session with a pearl from each of our presenters. So Michelle, let's start with you. Quick pearl that you find could be informative for our audience. When you go to buy cyber coverage, make sure you understand the definitions and the policy. Thank you, Michelle. Tim. I would say all of the stuff that we've seen and these stories that we've heard are scary, but it is manageable. All of these things are manageable. Great, thank you. Nick. Be willing to change. If you stay exactly how you are, in a very short period of time, sooner than you think, you're going to be insecure. Thank you, Nick. And Adam, wrap it up for us please with one last pearl. Don't assume anything without evidence. Excellent. Thank you very much, guys.
Before I hand the presentation back to Eden to close out tonight, I would like to thank each of our panelists for participating in tonight's illuminating session. It was very informative. I'd also like to thank the audience for taking time out of your busy schedules to participate in what I thought was really an outstanding discussion. So thank you. Eden, with that, I'll send it back to you to wrap things up.

Thanks, Dr. Vacari. I just want to go back over the KnowBe4 offer. And there's something I want to note. I want to note a testimonial from ASGE. We actually use this service to make sure, you know, our members, the member data that we have that's so valuable is safe. So part of why we wanted to bring this to you is we're using the product ourselves. So again, you can subscribe to KnowBe4 security awareness training and monitoring at a cost of about 35% less than if you were to procure this independently. So again, more information is on screen. If you haven't downloaded the handouts, the slide deck does include this information as well. We just always like to remind you, we've got a lot of great education coming up in the practice arena, quality, safety. Our APP course last year was just absolutely gangbusters. And we're going to do that again. We've got the coding webinar series, always popular. So do visit the website and check out our education calendar for things that you and your team might find interesting. And again, this is the contact information for the presenters you saw tonight. It is in that slide deck. So please do download it from the handout section so that you have this information available to you. But of course, the ASGE customer care team as always is available to you. So in closing, I want to thank you for your participation in our event tonight, Scoping Out Cybersecurity in Your GI Practice. This concludes our presentation. We hope this information is useful to you and your practice.
Video Summary
The American Society for Gastrointestinal Endoscopy appreciates your participation in our webinar on cybersecurity in your GI practice. The presentation covered topics such as the importance of cybersecurity, the risks of data breaches, and the need for cyber insurance. The panelists provided real-life examples and shared their expertise in IT and insurance. They emphasized the need for proactive security measures, such as two-factor authentication and security awareness training for staff. They also highlighted the value of cyber insurance in mitigating the financial impact of a breach. The audience was encouraged to assess their current security practices and consider implementing measures to protect their practice and patient data. Overall, the webinar provided valuable insights and practical recommendations for improving cybersecurity in GI practices.
Keywords
American Society for Gastrointestinal Endoscopy
webinar
cybersecurity
GI practice
data breaches
cyber insurance
proactive security measures
two-factor authentication
security awareness training
financial impact
improving cybersecurity