Insurance Company Refuses To Sell Insurance
We were called out recently to perform a HIPAA Security Risk Analysis. In chatting with them it turns out that they recently applied for cyber-liability insurance and after a preliminary inspection of their answers to the questions on the application, the insurance company declined to provide coverage.
It appears that the agent and the underwriter were not at all impressed with the level of security on the client network.
This is a first for us. We have never heard of an insurance company declining coverage for lack of a Security Risk Analysis.
But, I am going to bet that we see more of this behavior from more insurance carriers before too long.
In a similar vein, Santa Barbara, California-based Cottage Health System, a nonprofit organization that operates a network of hospitals in Southern California, suffered a data breach involving about 32,500 confidential medical records between Oct. 8, 2013, and Dec. 2, 2013.
A class action lawsuit was filed against the system in January 2014, and a $4.1 million settlement received preliminary court approval in December 2014, according to the complaint.
Columbia Casualty, a unit of Chicago-based CNA, which had issued a NetProtect360 claims-made policy to Cottage that was in effect from Oct. 1, 2013, to Oct. 1, 2014, agreed to fund the settlement, subject to a complete reservation of rights.
Columbia later sued Cottage Health to recoup the $4.1 million payout, citing the “Failure to Follow Minimum Required Practices” exclusion in its cyber policy—applying to losses from, among other things, the Insured’s failure “to continuously implement the procedures and risk controls identified in the Insured’s application”—as precluding coverage for Cottage Health’s losses.
The case is ongoing.
Your takeaway? Make sure you understand the questions on the insurance application and that you have conducted a thorough annual Security Risk Analysis of your business, have remediated all of the problems found, have created Policies and Procedures for your staff to follow, have trained the staff on your Policies and Procedures, and have documented that your staff is following the Procedures you have in place. While these are the HIPAA requirements, all businesses should closely follow the same steps. And, pull out that old insurance application and review your answers BEFORE you have a claim.
New Security Service (MSSP)
When I started this company 14 years ago, I started it with what is now known as the Managed Services Provider (MSP) model. This is where we charge a flat fee for a negotiated set of computer help and hardware services.
With the advent of EVERYTHING and EVERYONE being connected to the Internet these days, securing the information on our computer networks has become more and more difficult.
When your staff needs access to the Internet just to perform the most basic parts of their jobs, and when they are not well trained in how to spot phishing and other malicious emails, you run the risk of one of them infecting your network. Couple that with all of the data breaches by hackers (Equifax, 146 million) and it becomes time to step up the game.
And, if you are saying “I am too small to be a target”, then your belief system needs some adjustment. If you have money in the bank or customer credit card numbers or customer social security numbers, you are certainly a target of hackers, regardless of the size of your organization.
What we are talking about here is that a data breach is going to affect the income stream of the business owner. And, not in a positive way. If you lose all of your client/customer data to a hacker, are your customers still going to trust that your business is the right choice for them? Probably not. No customers = no $$$$$.
SafeBreach, a provider of Breach and Attack Simulation, released the third edition of the Hacker’s Playbook Findings Report, which measures enterprise security trends from the point of view of an attacker. Among the findings: Malware infiltration success rates in excess of 60 percent, and the ability to successfully move laterally once onto a network as high as 70 percent of the time. So, 6 in 10 times, the hackers get in. Probably because the newest employee does not have the most basic of security training.
As a result, we are moving our business “up the stack” to the next level. We are adding a Security component to the Managed Services mix, with more features and benefits than the level of Security we already provide.
That next level is called an MSSP in the Information Technology industry. That stands for Managed Security Services Provider.
An MSSP can provide all of the services of an MSP (and we will continue to do so) along with things such as:
- Security Awareness training for staff
- Dark Web searches to see if your company credentials are for sale
- Full disk encryption of hard drives, Cloud Backup and Disaster Recovery
- 24/7/365 deep scanning of firewall logs for intrusion attempts and anomaly detection
- 24/7/365 deep network scanning for currently compromised machines
- Files and folder security to make sure your staff is not snooping on your business
- Network Penetration testing
- Incident Response
- SIEM (Security Information and Event Management)
- 24/7/365 Security Operations Center (SOC)
Stay tuned for more details. The MSSP Program will be available in the 1st Quarter of 2018. This program will be an add-on for existing clients. For those folks who already work with an MSP, this is an opportunity to layer on another level of service not provided by your current IT folks.
Less than half of healthcare IT professionals (48%) expressed confidence in their organization’s overall level of cybersecurity, according to Future Proofing Healthcare: Cybersecurity, a survey of 101 healthcare provider organization IT professionals conducted by HIMSS Analytics and sponsored by Commvault.
This trepidation around data security is understandable because healthcare information is a huge target for cyberattackers as the information found in healthcare systems is worth much more than information in other business systems, said Michael Leonard, senior director, healthcare product management, Commvault.
Interestingly, healthcare IT professionals are feeling more confident about specific components of their data security efforts such as firewall protection (73 percent expressed confidence), data backup and protection (65 percent), file encryption (53 percent) and malware/ransomware security (53 percent) than their overall level of security (48 percent).
Who Can You Trust?
A team of security researchers at the Kromtech Security Center has discovered a massive trove of personal data belonging to more than 31 million users of the popular virtual keyboard app for phones and tablets, AI.type, accidentally leaked online for anyone to download without requiring any password.
Apparently, a misconfigured MongoDB database owned by the Tel Aviv-based startup AI.type exposed the entire 577 GB database online, and it includes a shocking amount of sensitive details on their users that is not even necessary for the app to work.
"...they appear to collect everything from contacts to keystrokes."
The leaked database of over 31 million users includes:
- Full name, phone number, and email address
- Device name, screen resolution and model details
- Android version, IMSI number, and IMEI number
- Mobile network name, country of residence and even user enabled languages
- IP address (if available), along with GPS location (longitude/latitude).
- Links and the information associated with the social media profiles, including birth date, emails, photos.
"When researchers installed Ai.Type they were shocked to discover that users must allow 'Full Access' to all of their data stored on the testing iPhone, including all keyboard data past and present," the researchers say.
So, the app mined all the data on the phones and sent it to a server in the “Cloud” that a human had misconfigured to allow unfettered access to 31 million users’ personal data.
It happens that easily. Once the data has left your device, there is nothing you can do about it. You must understand what you are doing when you give FULL permission to an app.
No one needs an app so badly that it is worth giving it full control of their device.
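The AI.type exposure above came down to a database reachable from the Internet that asked for no password. As an added illustration (my own example, not AI.type's configuration, which was never published), here is what that looks like in a MongoDB `mongod.conf` beside the hardened form. The option names are real MongoDB settings; the `10.0.0.5` address is an assumed private address of the application server, and the port is the MongoDB default.

```yaml
# --- Weak configuration (constructed example of an open instance) ---
# Listens on every interface, including the public one, and never asks
# a client to authenticate: anyone who can reach port 27017 can dump it.
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from any network
# (no "security" section: authorization is off by default)

---
# --- Hardened configuration (added example) ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # assumption: 10.0.0.5 is the app server's private NIC;
                                # the database is never exposed on a public interface
security:
  authorization: enabled        # every client must log in with a user that has a role
```

Enabling `security.authorization` only helps once an administrative user exists, so the first login must be done locally (via the `localhost` exception) to create one; the firewall in front of the host should additionally block port 27017 from anything but the application server, because a bind address is a convenience, not a perimeter.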
Is Your Drone A Chinese Spy?
Maybe. The United States Department of Homeland Security (DHS) has recently accused Da-Jiang Innovations (DJI), one of the largest drone manufacturers, of sending sensitive information about U.S. infrastructure to China through its commercial drones and software.
A copy of a memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) has recently begun circulating online, alleging "with moderate confidence" that DJI drones may be sending US critical infrastructure and law enforcement data back to China.
However, the bureau assessed "with high confidence" that this critical data collected by the DJI systems could then be used by the Chinese government to conduct physical or cyber attacks against U.S. critical infrastructure and its population.
The memo goes on to specify the targets the Chinese Government has been attempting to spy on, which includes rail systems, water systems, hazardous material storage facilities, and construction of highways, bridges, and rails.
The memo, marked as "unclassified/law enforcement sensitive," was dated back to August this year, but was recently published by the Public Intelligence project.