Raising Tech, powered by Parasol Alliance

15: Cyber-security in Senior Living with Lee Insurance Agency

September 20, 2022 Amber Bardon, Ryan Preuss, and Brandon Buster Season 1 Episode 15

In this episode of Raising Tech, our host Amber Bardon sits down with Brandon Buster, Director of Sales at Lee Insurance Agency, and Ryan Preuss, Chief Technology Officer at Parasol Alliance to talk about the growing importance of a cyber-security strategy in senior living.

Learn what cyber-security really means, the impact on senior living communities, and what steps organizations should be taking to minimize the frequency and impact of cyber-security threats. In addition, learn what steps your organization should take if your community is threatened.

Lee Insurance Agency makes hard times easier as a full-service agency specializing in senior living and other select industries. They thrive on three core principles: Work Hard, Tell the Truth and Have Fun.

Raising Tech is powered by Parasol Alliance, The Strategic Planning & Full-Service IT Partner exclusively serving Senior Living Communities.

Amber:

Welcome back to Raising Tech, a podcast about all things technology and senior living. I'm your host, Amber Bardon, and today we have two guests. Our first guest is Brandon Buster from Lee Insurance Agency, and then we also have our Chief Technology Officer, Ryan Preuss, from Parasol Alliance. Welcome to the show.

Ryan:

Hi, thanks.

Brandon:

Thank you.

Amber:

Brandon, can you start us off by giving our listeners a little bit of an introduction about yourself? Tell us about your background, your role, and a little bit about Lee Insurance Agency.

Brandon:

Thanks, Amber. So we are an independent insurance agency. We're privately owned. We're based in Iowa. We've worked in the senior living space for about 34 years, and we provide insurance and risk management solutions to our clients. So, working with roughly 500 folks across the country in 20 states today, we feel like we have a good grasp on it. We partner strategically with our insurance carriers that have been in the space for a long time, and we truly want, you know, to find what's best for our clients from an insurance and risk management perspective. Me personally, I serve on our leadership team as Director of Sales. That really encompasses helping grow our organization organically, also looking at acquisition opportunities, and really leading that charge as we look to continue to grow our organizational footprint.

Amber:

Excellent. And our topic today is cybersecurity, which is a very hot topic right now. There's a lot of things going on in the space with insurance renewals and, you know, potential security risk events and things like that. So that's what we're gonna jump into today. Before we do that, Ryan Preuss, can you give our listeners an introduction about you?

Ryan:

Sure. Well, as Amber said, I'm the Chief Technology Officer. I've been with Parasol Alliance for seven years, and actually have been working in the healthcare industry for close to 12 years now, and have over 20 years of experience in IT, supporting all things servers, network and security related.

Amber:

Excellent. So cybersecurity is a word we hear a lot, right? And it could be used in a lot of different contexts. It could be a buzzword, it can be a tactic to scare people, it can be, you know, used just in conversation. But what does cybersecurity actually mean? Can we define what that term really means, and how does that apply to our clients? Ryan, do you wanna start?

Ryan:

Sure. I mean, you know, cybersecurity is definitely a far-reaching topic in its broadest sense. You can break it down, kind of, as the name implies: it's, you know, security, or securing any kind of technology that you may have or come across. In relation to senior living, it involves protecting your critical systems and services from compromise, against data loss or theft, and this generally involves all the normal things that you would hear about, like antivirus software, web filtering, email filtering, backup and disaster recovery, and patching, things like that; all the normal stuff you'd expect to see in an IT environment. But it goes a step further and also involves things like ensuring your community is compliant with regulatory standards like HIPAA, also things like educating your end users to make sure they're better equipped to identify and deal with potential threats before they actually become compromises.

Amber:

Thanks for that explanation, Ryan. We actually started taking a closer look at cybersecurity because we noticed a trend starting about last year, about last fall, around this time, that suddenly several of our clients were having their cybersecurity insurance denied, or they had to put in a lot of new requirements. And so this led our company to take a little bit of a deeper dive into what exactly the new requirements were and how they affect our clients. So, Brandon, can you share a little bit on what happened in the industry from your side of things that caused the changes in the cybersecurity renewals?

Brandon:

Sure, absolutely. I'd love to. So it's probably several years ago, when, you know, cybersecurity, that buzzword, started really coming around. We'd start seeing compromises or hacks to some large financial institutions, large hospitals. Insurance carriers decided, hey, there really is a true risk and true exposure here. Let's create a product that we can go and offer folks, you know, to help them protect from that exposure. So you start with Lloyd's of London, one of the largest insurance carriers in the world, which came out with a couple products, and then before long we would see a handful of carriers jumping into the industry. They didn't really know how to price it because there's no empirical data to show what claims would look like, right? So when you price an insurance product, you look at the exposure actuarially and then you charge a premium that you believe is adequate for that exposure. You know, there were no deductibles early on; premium was super inexpensive. You had carriers coming in trying to buy folks' business by offering just insanely inexpensive premiums. And then over the last couple of years, we have seen just a ton of claims. So you have claims frequency and claims severity; those are two things that will drive a rate, right? Frequency is number of claims. Severity is the damage per claim, right, or the economic or non-economic damages, or the amount that a carrier would have to pay out on behalf of a client for damages sustained. And so in the last couple of years, we've seen kind of an exodus of folks just getting out of the industry. Carriers that spawned up and started offering, you know, monoline cyber liability coverage, they got handed. They didn't have it priced accordingly. They didn't really understand their product. And so they left and exited the market. And those that remain standing today believe that they've priced it accordingly from day one.
But now, as you mentioned, Amber, they are implementing additional requirements. So as an example, some carriers would only ask three or four questions on what's called a supplemental application to put coverage in place several years ago. Some of those carriers' supplemental questionnaires are two and three pages today. Some of the carriers are implementing penetration tests. They're working with third parties, such as yourself, to do some of those tests, to actually run an assessment, and they're requiring that assessment to be provided before they'll offer coverage or before they'll renew coverage. So MFA is a big kind of a buzzword acronym in the space. Carriers are saying, if we don't have proof of MFA being implemented, we will not offer coverage. In fact, we will non-renew, and we can't even price a policy for it without MFA in place. And so those are some of the things we've seen the last couple of years, and quite honestly, our insureds don't really, truly understand the impact. So they kind of look to us from an insurance perspective, and of course look to folks such as yourself from a security standpoint. So I think it's imperative today, as we work with our clients, helping them understand the true exposure and then giving them the tools and resources to put in place, so we can then offer them the right coverage at the best price to make sure that, you know, they're covering that exposure.

Amber:

That's really interesting. I was actually really curious to know some of that behind the scenes. So I was wondering, was the insurance agency reacting to a bunch of new claims and incidents, which you just indicated, or was it more like preparing for possible future risk? And it sounds like this was based on an actual increase in claims and severity. Can you tell us anything about what those claims have come in at or what they were for?

Brandon:

Yeah. I actually have some claims scenarios. As an example, some of the coverages that a cyber liability policy will protect are network security and privacy, privacy breach response, business income or loss of income. So if you can imagine your operating systems compromised, you can't bill, whether it's private bill, whether it's Medicare, Medicaid. If you can't bill to get your reimbursement, that's revenue that you're losing while your systems are down or compromised. And so those are some of the coverages that are provided: multimedia insurance, extortion, terrorism, you know, as you guys know, some of those buzzwords from your side. But as an example, you know, a network security and privacy breach: a financial institution's employee's laptop containing sensitive client data went missing. Multiple lawsuits are pending by individuals whose data had been compromised. The Gramm-Leach-Bliley regulatory investigation is ongoing. As an example right now, total defense costs incurred: 700 grand. Wow. Just because an employee lost his or her laptop that had sensitive data, which required us to go out and hire a forensic auditor to try to dig in and understand where the breach happened, stop the breach and put protection in place. You know, there's multimedia liability, where an online manufacturer accurately compared a product to a competitive product. It was done online; lawsuits ensued because it was done online. It was done from a website, and it was determined that it was a cybersecurity-related, cyber-liability-related offense: 375,000 for defense costs. Now, keep in mind, most of the expense incurred is defending the policyholder, or the insured, from allegations or compromise that happen to their system. And on top of the defense cost would be that forensic auditing charge.
And my understanding is, across the country you're looking at three to $500 an hour for a forensic auditor to come in, you know, and do their job to understand where the breach happened, to do that analysis.

Amber:

Wow. That's really interesting to hear those specific examples. I wanna dive into what specifically communities can do to protect themselves and what sort of high-touch items they should ensure they have. But I'm just curious, do you have any numbers about the percentage increase in claims over the last few years?

Brandon:

Yeah, I guess I don't have anything factual, but what we try to do internally is we look at our client base and help them understand, you know, what we're seeing. So we're seeing probably about a 40 to 50% increase in frequency. So that means almost double, so to speak. So if we had 20 claims before, now we're looking at 30, right? So about a 40 to 50% increase in actual claim frequency. And then the severity is actually becoming a little bit more expensive because of that forensic auditing, the amount of time required for folks to dive in and dig in and understand where the penetration occurred. So both frequency and severity are increasing, and that's really year over year. So we run that data internally looking at the prior year, you know, assessing our client base. So that's a relatively small sample size, but I do think, because of the breadth of our client base across the country, I do believe it does give us an adequate sample size to help folks understand what they can expect going forward. From an insurance premium standpoint, we've seen some premiums go up 200 and 300%, primarily because folks weren't adequately protected from the security side by implementing, you know, MFA as an example, or some of those other security measures, and they didn't have, you know, an approved assessment done on their behalf to show some of that security and/or vulnerabilities to their system.

Amber:

Yeah, that's definitely in line with what we've seen from our clients. And what we did is we took multiple different insurance questionnaires and we put them together, and we developed a score sheet of all the items that we wanna make sure our clients have at least discussed or are aware of, even if they can't execute on all those items. So, Ryan, can you talk a little bit more about that, and what are we seeing are the top items that are required from a technology perspective?

Ryan:

Yeah, so there's a number of aspects. You know, really the best way to go about it is to make sure you're being proactive. From a security standpoint, I mentioned it before, but you wanna make sure your end users are getting adequate training around cybersecurity. Also, you want to do regular vulnerability and penetration testing, which scans not just your external networks but your internal networks as well. And that will identify security vulnerabilities or potential entry points, weaknesses in your networks and servers, things that you can actively address and resolve before they become a compromise. From a regulatory perspective, there's the yearly HIPAA security risk assessments. You definitely wanna be doing those, and those will help you identify, again, weaknesses in line with the HIPAA regulations and allow you to plug those holes. And then, kind of in line with the proactive approach, you wanna make sure you're doing routine auditing of just your security in general. So you want to either partner with somebody who knows the ever-changing landscape of cybersecurity, or even potentially reach out to your insurer and find out what their standards are, what questions they're gonna be asking when it's time to renew your policy, because those things are always changing. So that's something you want to be doing at least once a year, just to make sure that you're keeping up with the evolving landscape of cybersecurity.

Amber:

That's really helpful, and definitely that proactive approach, I think, will help get communities set up to be prepared for the areas in which they may need to make some improvements. Can you speak to any of the specific technology that we've seen that we've had to implement, such as the MFA, and what is the impact of that?

Ryan:

Yeah. MFA is multi-factor authentication. It allows technologies like VPN, things that are generally targets for hackers, to be more secure. In a sense, it prevents the bad actor from easily gaining access because it requires a second form of authentication. And that's probably the most common, one of the buzzwords you might hear more and more often, but there's other things out there, like extra security around email, DNS entries, DMARC. There's also security-related technology called SIEM, which looks for digital fingerprints or behaviors that would identify the elevated use of administrative rights on a network or on a server; kind of newer technologies that really didn't exist five or 10 years ago that are allowing us a real high-level overview of the technical environment in general, and give us early warning signs if there's any kind of risk of compromise or signs of improper use of the administrative or technical systems.

Amber:

I think another thing we've seen that's really important is that end user awareness training. You know, you can make the analogy that you can have all the security that you want, but if somebody clicks on a link in an email they're not supposed to, that could compromise the whole system. So Brandon, what are you seeing in terms of requirements for that type of awareness or training on the end user side?

Brandon:

So from a carrier perspective, I mean, it's really the good carriers, I'd say, the carriers that really, I believe, know what they're doing. They have the right coverages in place. They pay claims. They don't try to deny claims. They're really looking for that MFA, because, as Ryan mentioned, that does help break down, I guess, the amount of penetration, maybe not the frequency of penetration, but what actually gets through, because of the way that's structured. Carriers are wanting and desiring to see an assessment so they can look at and understand the vulnerabilities, and then determine: does their policy cover those vulnerabilities? And then what plan of correction is the policyholder, if you will, or the insured, what are they willing to do from a plan of correction standpoint to implement some of those technologies, or some of that software as an example, to offset the vulnerabilities that are found through an assessment? So it's kind of a slippery slope, because the insureds, as I mentioned before, don't truly understand the exposure. In the senior living space today, with COVID and some other barriers, staffing, you know, finances are pretty tight. And so we're trying to help them and protect them. But then when we show some exposure through an assessment, or, you know, getting an assessment from folks like you, we show that, and then we say, okay, you're gonna have to spend X amount for hardware, for software, so then we can go out and get an insurance policy for you that's hopefully gonna save you a few thousand bucks versus the tens of thousands you may have to, you know, from a CapEx standpoint, put in. So it's a delicate balance, but I think communication is the biggest thing.
So for us as an insurance agency, it's to understand what the carriers want and desire, and then help the insureds understand how it's going to best protect them in the long run, to help them justify that potential expense of updating and adhering to the assessment. Because really, once the assessment's done, they have two choices. They understand what the assessment says; then they have to either adhere to it and put certain things in place so we can best protect them, or not. And then that will have an impact on the premium or the number of carriers that are willing to offer a policy, knowing that there are vulnerabilities that they're not able to adhere to. So it is kind of a mixed bag. There aren't a ton of things that the carriers are requiring, but again, they do wanna see that MFA in place, and that's almost all insurance carriers today. And then also they would like, and really value and appreciate, seeing a thorough assessment to understand where the vulnerabilities are, or that certain things are in place against those vulnerabilities.

Amber:

Yeah, that makes sense. So, Brandon, one of the things that we like to tell our clients is that when you're thinking about security, a lot of times it's a trade-off between risk and convenience, right? And some of our clients do choose to go with something that's maybe more convenient but less secure. So, you know, even if they do everything right, they could still get a cybersecurity event. Can you walk us through what would happen? Like, what's the high-level step-by-step process of what happens if a cybersecurity event does occur?

Brandon:

Sure. Well, so one thing that we'll do is we'll ask to review any contracts that they have in place, whether they be vendor contracts, hospital contracts, anything in a contract that stipulates insurance-related requirements or covenants of those contracts that they need to adhere to. And so when we review those, we're looking for things like: are there notification requirements, legal requirements? So inside those contracts, we'll see it. So as an example, if there is a notification requirement, then they need to know, if there is a compromise, who are they required to notify, and in what timely manner and fashion. So in healthcare, the senior living space, if there is a breach they're required to notify, you know, residents, residents' families, vendors that they're working with, whether it be pharmacy, food service, therapy, obviously if they're working with a cybersecurity firm, notifying them. But there are certain stringent notification requirements that they have to abide by. And as you are probably well aware, there's a cost to notification because of HIPAA, and because of the compliance from CMS that is placed upon these folks, there are certain requirements there from a notification standpoint. So the system goes down, the system's compromised. We want to be notified, if we're working with them on liability, so then we can put the carrier on notice, help them understand; we can reach out to partners that we have, or the carrier can reach out, to make sure that we're getting the proper folks in place as quickly as possible to assess it. 'Cause you guys may have heard of Kronos. There was, a year-ish, year plus and some change ago, that is still having ramifications on some of our clients from an HR perspective, you know, in that business income.
So it's then us seeing where's the compromise, what needs to take place today to mitigate any further penetration, and then helping them understand here are the next steps that have to take place to maintain and keep them up and running. So I know that's kind of long-winded, Amber, I apologize, but it really is on a case-by-case basis, and based on the covenants of any contracts that they have, that we would then have a stepped approach: if this happens, here's how you respond. And we would recommend that they have that in their EOP, or their emergency operating plan, because when survey comes in, states will go to that EOP and look and see, have they done hazard assessments, and what is their protocol if and when a hazard were to arise, which also includes a potential cybersecurity breach.

Amber:

Yeah, that's really helpful, to walk through that process. And then, Ryan, on the technical side, what is the typical response, or what are the action items that can be done if a breach or an incident does occur? And also, can data be recovered? Should they pay the ransom? Can you talk about some of those things?

Ryan:

The answer here really depends on what kind of measures were in place prior, what kind of prevention was in place prior to that compromise. You know, obviously from an IT standpoint, the first thing you want to do is isolate any systems that were compromised: remove them from any shared network resources, or prevent them from being able to communicate with any other computers to kind of stop the spread. So that's the first step, kind of triaging, identifying and isolating the infected devices. And from there it's evaluate what was affected, what data was affected, if any, and how was it affected? Did it get copied off? Did it get encrypted? And then you start taking steps to remediate: clean up the infection, restore the data. If you're checking all the boxes, you should have a backup and disaster recovery system in place, in which case the disaster recovery system could just potentially take over when you isolate those affected systems, and you could have very little or no downtime, and the backup system you can use to restore those affected systems. And if all the systems are set up and in place and working correctly, you'll definitely minimize the impact and the cost of recovering from something like that. But on the flip side, if you don't have those protections in place, it can be a very lengthy and costly process to recover. It could ultimately mean a lot of downtime and a lot of lost revenue.

Amber:

So definitely prevention and awareness on that assessment front is really key to minimizing the damage. Well, Brandon, Ryan, this information has been really helpful. I think this will be really useful to our listeners. Brandon, are there any final words of advice you'd wanna give before we wrap up?

Brandon:

Absolutely. Thanks for that, 'cause I was gonna interject, but I wanted to let you finish. So just as I think through some of this, as I mentioned earlier, and I think you guys are aware, a lot of facilities don't quite know and understand their vulnerability and their exposure. What I am seeing, which is probably a testament to what you guys are doing, that being Parasol and the industry, is they're partnering with an IT provider, a cybersecurity firm, that's helping protect them. So one of the things I'm seeing is that a lot of folks believe that because they're partnering with the firm, they're protected and they don't necessarily need the cyber liability because it's extended through their contract. And so that's one of the contracts that I would review, because there are what are called first-party coverages and third-party coverages, and not all policies offer both first and third party. So real quickly, a first-party coverage is something that happens to you internally. A third-party coverage is a breach that happens to your system through a third-party access, whether it be a vendor. So let's say you partner with a pharmacy, you're doing electronic billing, the pharmacy's compromised, and then somehow through your connection with them it penetrates your system. That is a third-party coverage. And sometimes if third-party coverage is deemed to be the culprit, an insurance carrier could deny a claim because they're not offering third-party coverage. And so it really is important to understand the difference between first party and third party. What is your IT provider, if you're sourcing that or partnering with that, what are they covering on your behalf, and what are you responsible for on your own independent of that contract? So I would just kind of close with that, to help folks understand what they're contracting to entails.
Are they getting a qualified assessment, and make sure they're sharing that assessment with their insurance provider so they can get the best coverage for the best price as it pertains to cyber liability.

Amber:

Yeah, that's really excellent advice. And would you say that for most companies out there in the world, in general, a cyber incident is not a matter of if, it's a matter of when?

Brandon:

Absolutely. And the kind of crazy thing, statistically speaking, is there are more cyber incidents in smaller organizations than larger, because most of those smaller organizations haven't invested financially into being secure, but they think that they're not targeted. But they are. Again, that's just from what we see. When I look at claims, we're seeing more claims from smaller entities than we are the larger corporate entities. We just hear about the larger corporate entities more on the news because they have an appearance of a larger impact.

Amber:

Yeah, definitely. And that is something that we're starting to see, that awareness, with our own clients as well. I think for a long time the industry maybe felt like they were immune or they were too small, but that's definitely changing. Ryan, do you have any last words of advice you'd wanna give our listeners?

Ryan:

Well, sure. Yeah. From a technical standpoint, cybersecurity should really be a foundation, a major component of the IT culture. It's not something you want to just revisit once a year or think about after you've had a scare or an actual compromise. It should be part of every decision that's made from an IT perspective and built into every process and system in your environment. Again, it goes back to that proactive component. You don't want to be reacting to cybersecurity, 'cause at that point it's too late. You want to be on top of things, and you want to be proactive and be ahead of the game.

Amber:

Yeah, that's great. And that is something I tell our clients a lot, along with, you know, the security versus the convenience, but that we wanna really view all technology decisions through this lens of security so that we're ensuring that that's built into the foundation of what we're doing. Well, Brandon and Ryan, thank you so much for joining us today. This was really insightful and great information.

Ryan:

Yeah.

Brandon:

Thanks for having me.

Ryan:

Happy to be here.

Amber:

And listeners, thanks for joining us today. You can tune in next time for our next episode. If you have any ideas on topics you'd like to hear us discuss, or you'd like to come on the podcast, please visit our website at parasolalliance.com and let us know. And thank you for listening.