Last month I renewed my Company’s cyber liability policy and to my surprise, I received a 26% rate increase.  I was flabbergasted!  Of course, I went back to the company asking them to reconsider their rate, but they stood firm on the price.  I decided to do a little research on the average cyber liability premium increase for 2022, and I found the following.  “Rates experienced a significant uptick following the Colonial Pipeline and Kaseya attacks in the summer of 2021. As a result, it has not been uncommon for firms to experience a 100-300% increase in premiums.”  I quickly accepted the new rate and counted my blessings.  Thus, I wanted to pass along five areas that I focused on to keep our rates low.

  1. E-mail Phishing Attacks: According to HIPAA Secure Now, phishing emails are a leading cause of security breaches, since they exploit a human-related vulnerability. According to the IBM Security Services 2014 Cyber Security Intelligence Index 1, 95% of all data breaches are a result of an employee or human-related error (e.g., phishing). In addition, according to the Verizon Data Breach Investigation Report (DBIR) 2, 92.4% of all malware systems are delivered via email.  Therefore, Hovis & Associates implements weekly cybersecurity micro trainings and bi-monthly phishing simulations.  If an employee does click on the phishing simulation, a training tutorial pops up to guide them on how not to be “hooked” in the future.  Informing your cyber liability provider of such programs and sharing simulation reports are important data for the underwriter.
  2. Ransomware Attacks: One of the most dangerous and common types of malware is known as ransomware. A new edition of NCC Group’s Monthly Threat Pulse report showed that the number of ransomware attacks are on the rise. The report details that ransomware attacks grew by a staggering 53% in February alone.  Ransomware is most often delivered in the form of a phishing email that will lock out all files on a computer or possibly the entire network and demand a ransom payment for the decryption code to unlock the files.  Ways to mitigate ransomware attacks are to enable a reputable, anti-virus software across the entire network, ensure that your back-up technology is recording and working properly with intermittent check-ups, implement a recovery solution and policy, and deliver a proper training program to all employees.  Short and quick training simulations more often keep this topic at the forefront of the mind and are implemented with more success.
  3. Accidental or Intentional Data Loss: Data loss is also known as data leakage.  According to HIPAA Secure Now, some common threats that result in data loss are improper media disposal, insider threats, improper access to ePHI, loss or theft of devices containing ePHI, system vulnerabilities, and a lack of employee security awareness.  Ensuring that you acquire a certificate of destruction for all disposed media, applying portable device policies for your organization, implementing a job- or role-based access matrix, enabling two-factor authentication at the computer’s login and on all available platforms, and encrypting all devices at the hard drive and email levels will greatly decrease the potential for data leakage.
  4. Patch Reports: Implementing patches and updates on a weekly basis will keep your system up-to-date and will decrease any potential threats. All critical updates should be applied immediately and in addition to your weekly patches and updates.  Run a system report of your programs showing that they are up-to-date and include this with your cyber liability renewal application.
  5. Annual HIPAA Audit: According to HHS, a HIPAA audit program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  This will include a review of your administrative, physical, and technical safeguards.  Usually, it is best for a third-party to administer this evaluation and to supply a report of their findings and remediation suggestions.  All findings should be remedied within 60 days.

If you are a Medicare Agent and would like more information on how to fulfill your annual compliance requirements, register for our in-person and virtual event HIPAA, Medicare Compliance & Cyber Security or click the “follow” button at the top right of the invite to get notified of future eventsLicensed agents only please. We make Medicare SIMPLE!