Catalog
AOCOPM 2022 Midyear Educational Conference
217747 - Video 11
Back to course
Video Transcription
So we're gonna go ahead and get started now with our lunchtime presentation. For those of you who are at home that are missing out, we have a sushi platter, prime rib, you name it, we have it right over here. The sous chef is right around the corner. So for our speaker, we have Mr. Trevor Williams. He is a commercial risk advisor with Baldwin Krystyn Sherman Partners, working solely with healthcare clients across the Southeastern United States. As a registered professional liability underwriter, he is passionate about helping healthcare organizations analyze their unique commercial risk profile through a consultative approach, aligning risk management and insurance with corporate goals to augment growth and success. As an advisor, he's responsible for developing new client relationships and leading internal teams to retain existing relationships. In his free time, he enjoys activities such as golf, fishing, hunting, and spending time with his wife. Thank you, Greg. All right, everyone. Well, thank you for welcoming me into your conference, and I'm happy to be speaking to you. So as Greg mentioned, I'm Trevor Williams. For someone that asked, a registered professional liability underwriter, RPLU. Cyber risk and medical professional liability are my areas of expertise, and with healthcare clients those are two of their main risks, whether it be physician groups, hospitals, health systems, senior care organizations, it runs the gamut. And so cyber and medical professional liability fall into that expertise. So it's no secret to everyone here that the healthcare industry has very inherent and significant cyber risks. We could spend hours talking about those risks and appropriate risk management measures for physicians and healthcare providers, but today we're just gonna focus on ransomware because it's such a pervasive issue. 
I mean, you all have likely seen recent examples over the last year or so of high profile ransomware attacks, like the Colonial Pipeline that was totally shut down, JBS Foods, which is not a very well-known one, but that's the world's largest meat packer, and CNA Insurance Company. So that one hit pretty close to home. And recently, within the last six months or so, we had Kaseya, which is a large Miami-based software company, and the ransomware that entered their system also emanated to 1,500 of their clients. So it spreads like wildfire. So before we get started, or before we get much further, I wanna make sure everyone knows what ransomware is and how it's defined. So the definition: ransomware is a malware that prevents or limits users from accessing their system, either by locking screens or files, until a ransom is paid. And the four stages of how it happens: the first stage is initial access. So this happens in one of two ways. Either the hacker or bad actor can, you know, kind of take the back channels to get into a server or system, you know, penetrating firewalls or, you know, any other method that's unbeknownst to us, or the other way, that is actually very preventable, is human error. So an unassuming or tired employee or provider gets a malicious email that looks and feels legitimate, but they click on a link or send information or enter a password, or even sometimes, you know, there are instructions in the email to send money, to wire money to a certain place, that, you know, may look and feel like it's from the organization's leadership. And so that's how they get in. And then once they're in, usually they'll spend a pretty significant amount of time just sitting dormant and doing network reconnaissance. 
So just kind of monitoring the employees', you know, email patterns and just finding out as much as they can about the system and server and where the confidential information and patient, you know, files are stored, and kind of determining their best strategy of attack. The next stage is data exfiltration, which is a fancy word for copying data over to another place so that, you know, when they do make the ransom demand, it is legitimate. You know, they do have, you know, your data, and your arms are locked. And then they deploy the ransomware. So oftentimes that'll look like, you know, all of a sudden, a lot of glitching, maybe the screen goes totally black and the users get a message on the screen that is saying, you know, your system is totally locked down. You're not gonna get access to it until you pay us a ransom of X, most often, almost always, in Bitcoin. And so that's kind of how it happens at a high level. So how do we get to where we are today? This just very threatening and pervasive environment. In 1989, a man by the name of Joseph Popp, who's considered the father of ransomware, attended an international AIDS conference in Europe. And, you know, throughout the conference, he was able to collect all the audience's, you know, information and mailing addresses. And after the conference, he sent out like 20,000 floppy disks. Even I'm old enough to remember floppy disks. And so they, you know, they went physically to each person's mailing address. And some of those people inserted the floppy disks into their computers, like titled, you know, takeaways from the conference or something to that effect. And once they inserted it, you know, their computer was locked down and encrypted. So his demand was $189 to have the, you know, system access given back, which today is pennies, but that is how it started. And so unsurprisingly, they were easily, the justice system was able to track Joseph down through, you know, through the mailing system really, and apprehended him. 
He stood trial, but surprisingly, he was not charged because of insanity, he pleaded insanity, so he got off. So, you know, like I said, the initial strategies were to just get in there, infiltrate and encrypt as much, you know, of the system as possible. The lower cost demand started at $189. Today it's to the tune of tens, hundreds of thousands, and even into the millions, depending on the organization and how successful they are. And then where we are today is, it is so sophisticated that even a novice hacker or bad actor can go onto the dark web and basically arrive at a site that looks and feels like an Amazon marketplace for ransomware. They can buy like whatever package of encryption data that they need for a stated price in Bitcoin. They get, you know, easy to read instructions on how to deploy it. And if they're even, if they're having problems with, you know, attacking another organization illegally, they have a customer service function where they can, you know, get someone on the phone or chat and have them walk through, oh, this is how you should do it. This is how you, you know, can get the most bang for your buck. So those toolkits developed into ransomware as a service, which is what that stands for. And that is what it is. It's a service nowadays, which is, it seems crazy and it is, but that's one of the reasons why we're seeing so much activity going on, because it's easy to do, you know? So now we're having these mass attacks, and the trend now, especially for healthcare providers and the financial services industry, is called double extortion, where not only are they holding your system and your server captive, where you can't access or do anything or perform your business functions, they're also over here holding, you know, the confidential third-party data, like patient data or, you know, financial data. And it's a double threat. 
You know, if you don't pay the ransom, you're not only going to not get access to your system, also the confidential data is going to be released and you're going to be liable for a large class action lawsuit. So those are the trends. So in 2021, some alarming statistics I pulled were specific to healthcare. 600 separate clinics, hospitals, and organizations were attacked. And by the way, this data is coming from a public database. So it's where the organizations are either forced to report the attacks if 500 individuals or more are affected, or they just choose to report it. So, you know, safe to say that there are a lot more, like smaller attacks and smaller organizations, that are not included in here. So $20.8 billion is the total cost of ransomware attacks for healthcare. And that's encompassing the, you know, the ransoms that are paid. But for the most part, the costs that really exceed the ransoms are those costs that the organizations have to pay on behalf of themselves to mitigate the effects. So, you know, the first thing you have to do, call in a forensics firm, see what happened, why it happened, and what are the steps to take to, you know, get your data back if possible. You know, steps to restore your data. You've got to hire a third party firm to do that and help restore your data. Any business interruption losses. And then of course you get to the legal fees, battles, and regulatory fines and things like that. So that's the total cost. 18 million patient records affected nationally, which is a 470% increase from 2019. Leading states, not super surprising here, California, Florida, New York, and Texas. I mean, most populous and, you know, have a huge healthcare presence in those states. $15.6 million in ransoms were demanded, and there was a 47% increase in average ransom demand between quarter one and quarter two. Yeah. Yeah. Maybe. So I know probably no one in here is an IT professional. I'm not either. 
I'm in sales and insurance, but, you know, these are some takeaways that, you know, if you're in leadership in your organization that you might be able to take to your IT team or, you know, chief information security officer, they're probably already doing most of this. But again, it's to help protect not only your data and your income, but, you know, other, your patients as well. So planning, I mean, most, really every organization is going to have an incident response plan for hurricanes or fires or tornadoes or, you know, physical security issues, but you need to also have one for cyber and you need to test it to make sure it's effective and that it works. Cyber insurance, which I'll cover later. And then, you know, working with different vendors, whether that be the, you know, EHR, EMR vendor, cybersecurity vendors, definitely even legal counsel, making sure that they are protecting themselves and therefore you with, you know, risk management measures and, you know, even some contractual obligations there. So preparing for a potential attack, it's not even really potential, it's when, when is it going to happen, not if. You know, having an emergency communication channel that's not tied to your work computer, whether that be texting or calling or, you know, a different channel. Backup process development testing, make sure your backups are protected and that they work. And security awareness training, this is a huge one. So many of you within, if you work for larger organizations, might be tested or simulated with phishing attacks every so often. I know at BKS, we do. Every month or so, at least I'll get an email that, you know, if I've just ordered a package from UPS, it'll say, oh, this is from UPS, or, oh, this is approving your time off request. And there's always a link in the email, but something isn't right about it. And it's your job to catch it. And if you don't, if you click the link and fall into the trap, you get a big red X, you failed. 
And, you know, it's fake, but that allows the organization to track, you know, what percentage of my employees are being tricked and maybe they need additional training and, you know, or even disciplinary consequences because it's such a huge issue. And I find that a lot of clients I talk to, the other part of security awareness training is education. You know, they'll have annual or semi-annual sessions on what to look for in cyber, but they may not deploy the actual simulated phishing and attacks. And that just prepares all the employees for, I mean, you know, attacks don't come at, when you're most alert, they come at five o'clock on a Friday when you're really tired and worn out and not suspecting. So protecting the organization with multi-factor authentication, which I'll talk about in a little bit, that's the huge trend right now in insurance and even being able to get insurance. Behavioral learning, that really applies to like IT, more training your computer to detect, like if you only send emails from eight to five and all of a sudden an email gets sent at 3 a.m., you know, the computer can recognize that. And then reviewing and restricting access rights. Not everyone needs complete access to the whole system. So proactive risk management. And then the cyber insurance market environment, which is really tumultuous right now. Again, many of you, you know, you might be on, you know, healthcare organization's leadership team and have some say in this, but maybe not, it's probably handled elsewhere. But just so you know, or anyone in private practice that, you know, has an independent group, limits are being reduced. It's just hard to find cyber insurance right now. Whereas even a few years ago, as a broker, I could easily go on and answer five questions, you know, number of records, revenue, website, and boom, get a cyber quote, find it and issue it, easy. But those have mostly gone away. And it's hard to get the limits you need. 
The retentions are being increased. And of course the premiums. So we have a stat here that this may by now be even too low. Q1 cyber coverage premiums increased on average 18%. It's probably closer to 30% right now or more. So, like I said before, the emphasis is placed on multi-factor authentication, especially on your email, any backups, and definitely your EMR and access to any confidential data. EDR is a technical term, endpoint detection, where, you know, hackers can get in. And then, you know, COVID has caused a lot of uncertainty in the market, especially with people working from home. And then of course the, you know, large and frequent ransomware attacks and overall cyber claims are, you know, really stemming to a profitability issue for the insurance carriers, which is leading to the premiums. So I'm not gonna go in depth into the cyber insurance policies, even though that, you know, you all might enjoy some great bedtime reading for an insurance policy, but just some things to look out for. Again, if you're, you know, on the leadership team or have any say in this process is cyber insurance is divided into two categories, first and third party risks. First party risks, as I mentioned before, often supersede the third party that everyone thinks of in costs and claims activity. So hiring the forensics firm, data restoration, business interruption, social engineering is another word for phishing. And typically hiring these firms runs about $500 an hour, which can easily add up. Third party risks apply to any costs you're paying on behalf of someone else, not yourself. So legal damages, defense costs and regulatory fines for the most part make that up. And then the question is, you know, where does ransomware fit in? It's really both because I'd say it's probably mostly in the third party or first party section because you're paying the ransom on behalf of yourself and you're paying out costs, you know, to mitigate it on behalf of yourself. 
But of course, you know, if confidential patient or employee data gets released, then you get into the legal and class action lawsuits and regulatory environment. So some relevant exclusions and conditions to look out for, you know, cyber insurance policies are complex legal contracts like any insurance policy and every one is different. It's contrasted with, you know, property or homeowners, where you have a lot of the same policy forms and conditions, but each and every cyber policy is totally different. Some of these can be removed or negotiated with extra premium or information, but obviously it's important, if you see one that sticks out at you, you have to negotiate it before coverage begins. So obviously there are tons and tons more exclusions and conditions, but these are really the most applicable to what we're talking about today. Authentication is one you should definitely look out for, because it basically says if you don't make an attempt to authenticate the bad email you received by a phone call or another means, if you don't make an attempt, then there's no coverage. That's one that can definitely be negotiated off. Prior knowledge, that's pretty self-explanatory. If you know about an incident before coverage begins, it's not going to be covered. Consent applies to, you know, consent to settle, but also consent to incur costs. So I've seen in insurance policies that, you know, in the first 48 hours of an event happening, you can incur whatever reasonable costs you need to mitigate it. But after that, you're expected to, by then, have the insurance company involved and have them, you know, working on the process on your behalf and, you know, approving or denying fees. And then blacklisted organizations, for the most part, that's going to be terrorists. So you know, there usually are exclusions for those types of organizations if you're affected by them, especially the larger, you know, health systems that might have big targets on their back. 
So you know, even though that's an exclusion, it's just all about proactive communication, working with the carrier, potentially the FBI, and, you know, law enforcement to work through these issues. So when, if it happens, report it ASAP to the response team hotline. And that may be one of you, by the way. You might be on the front lines, the first to notice something going wrong with the system. And so on every cyber insurance policy, or, you know, the IT team will have access to this, there's always a response team hotline number that's 24 hours a day. Have them involved ASAP, because the longer you wait, the more expensive it becomes. So it's a third party that the carrier contracts with, that all they do is handle incidents like this all day, every day. Yeah. And they're approved, you know, to work on this. It may be tempting, but don't pay the ransom until it's authorized, because that may result in no coverage. Keep track of all pertinent information, that includes, you know, how much income, how much of your income has been affected by the, you know, downtime in business. And work collaboratively, like I mentioned before, with the response team and the legal team and IT, just all parties involved need to work collaboratively. So this is a real life story that one of my clients experienced. It's a specialty physician group with 35 doctors in Florida, and 300 employees, so good size, but also not like the AdventHealths and BayCares of the world, you know, Cleveland Clinics. So they, and they had fairly good security protocols, but I mean, it's not a great, not a good thing that this happened to them, but they did do everything right. Notifying everyone immediately, getting, you know, all parties involved, and working collaboratively. So it ended up being worth about a million dollars in total cyber claim value, 400,000 of that was from the demand that was paid. 
And 600,000 was from all the other, you know, ancillary costs that I had alluded to before. So again, you know, one of the themes is that it's not just the larger organizations that are targets, oftentimes, it's the smaller businesses that may not have the cybersecurity without paying it, and secondly, I'm not sure how much they get paid, so maybe you're going to go over all that? Well, no, that's a great question. You're right, it does sound like they always get paid, but that's not always the case. Sometimes it's a bluff. And sometimes they make the demand and it looks like you're locked down, but you're really not. And then, you know, it's like, then, no, I'm not going to pay because I have access to all my data and can kick you out. And other times, you know, you get a real specialist to come in and, you know, if the hacker isn't super sophisticated or experienced, then they actually can't have methods of retrieving the data and making you whole again without paying the ransom. But... Chairman, just to follow up on that, I know several of our hospitals, state organizations, and the AOAs have gotten hit with this, and a lot of times, the boards of directors are divided. You know, half of them, I'm not going to pay one blank bread set to those, but at some point, as it lingers, and you're having to dispose of the membership that their data has been exposed and includes a credit card, then, you know, after about three or four days of ruminating and cracking your back open, you end up making a business decision. Because the cost of holding the principles, you know, might be prohibitive to the ongoing business operations of the organization. And I can imagine, if it's patient care data, now you're getting into HIPAA issues and PR issues, that the pressure to go ahead and pay off is even greater than, you know, these small, non-profits. And this is a legal question. I don't have to limit when some lab knows. 
But, for example, Kepler, if the hospital said, no, we've got IT people who are going to get it back, but then they need that data, does the hospital become liable for not paying them? Or, I mean, even though it was a crime, did it become, like, legally liable? So, for the folks on the call, sorry, I haven't been repeating the questions. The question was, would the provider or the hospital be liable if they decide not to pay the ransom or make a business decision? And maybe they're doing everything right. But the answer is yes. As the provider, as the organization, you are always liable for your patient data. Always. From the patient's point of view, you are holding it. You are responsible for it. And that's the legal system's view as well. Even though it's a crime to infiltrate systems and even maybe it's coming from another state, Russia, China, that's illegal. But you're liable for your patient data. That's what HIPAA says. Yes. So, uh, that's a good question. The question was, is the government doing anything about this? Assuming, yes, they are. Um, I, uh, quick story, I, um, last year went through the class of leadership Tampa Bay, um, this general area leadership class. One gentleman that was in my class was the special agent in charge of the FBI Tampa field office. And he said cyber and ransomware is his number one priority, number one, and that's coming from top line leadership. So, um, you know, yeah, in terms of preventing it or trying to get ahead. I mean, unfortunately, the criminals tend to stay one step ahead, but, um, there, I know that there is a huge focus on that at the government level. Um, there was also recently a proposed SEC rule for public companies that have to, or if it's approved, assuming it will, um, are going to have much, much more stringent requirements on, uh, disclosing their, not only cyber incidents, but their, uh, risk management, security measures and what they're doing to protect from something like this. 
So, um, you know, in terms of the, the small physician group, um, they, I mean, it's just about getting the right people involved if something does happen and then on the front end, doing the best you can. I mean, not holding any sense back from. Not on the front end for private companies really I don't think. Yeah. Yes. You do, you do bring in the FBI. Yes, definitely. Yes, if you get it, if you get a ransom demand, it doesn't matter what size business you are definitely bring in the FBI. Yes. There's another firm that costs money for that. Yes, yes. I mean, the mafia in Russia, or all the above. Most of the time. So who are these hackers is the question. Most of the time, it is, it is out of state. Russia is a very common breeding ground, or, you know where and most of the time it's not, you can have individuals that do it just for the pure financial upside but most of the time it's groups organized criminal groups that strategize together and deploy it together and share in the winnings. Yeah. Yeah. Question is, what's the guarantee that they are even going to release your data and there is no guarantee. That's what makes us scary. I think they're right, but there may be some of these services that have a way back to the landscape, so that's a big question. A bit of conspiracy about these firms that charge a bunch of money to mitigate ransomware effects that might on the side be doing it themselves to recoup. Maybe, maybe I'm going to be on the lookout for you, though, you seem a little suspicious. So, yes. Oh yeah, yeah, definitely. There's a cost. Maybe it amounts to, I'm just pulling a number out at $10,000 for the toolkit. And then the person, you're purchasing that in Bitcoin. And then, you know, like any business decision they, they, if they successfully get into a provider company, they'll charge much more than that so that they make a profit. So, and the time spent. So yeah, there's definitely a cost to it on the front end. Any other. 
Oh, should we take some online questions if there are any. It basically is I mean these are questions. I don't. If I did, I would have put it on that statistics slide. But that is publicly available data, you know, and much of the time it will say, you know, is if 500 individuals or more were affected, was it, was the ransom paid or was it not paid? So it really depends on the individual circumstance, of course. Do you write a lot of these policies? Yes. For anyone, I don't care what type of business it is. For anyone that I run into that doesn't have this, it's a huge gaping, you know, deficiency because it's their organization and sometimes personal assets that are at risk. So, I mean, yeah, I don't let any of my clients go without it. So. So a lot of time, the main drivers for cost are revenue and the amount of patient or third party records that you're responsible for. But on average, for a mid-sized organization, probably, and depending on the limit you select, probably somewhere in the $10,000 range. So not much. I mean, for like an Advent Health, they're spending, you know, hundreds and hundreds of thousands on their cyber insurance. But even though the $10,000, you know, from a business perspective may not seem like a lot of money, it's my job to come in at renewal and deliver the bad news, saying, you know, we've canvassed the entire marketplace, but the best we can find is an 80% increase. And it's, then you have to look at potentially reducing limits or increasing retentions or just stomaching it because it's necessary. Thank you very much. Yeah, thank you all. Any questions? I know we just applauded, but from the cyber crowd, any questions? Yes. You know, I hear the dark web. What is that? Or how do people get there? I don't know how to get there. So one, I don't know how to get there. The one statistic I do know is the internet is like an iceberg. 
So everything that we see, everything that's publicly available for us to access is about 20% of the internet. The other 80% is the dark web. So there was this article I recently read, and I really am trying to find it, it was fascinating because it told the story of this young man who lived in England. He became actually a star in the fact that he somehow created whatever to save a huge hacker issue. So his final story is he did that, but to get there, he was a young man in England, you know, was kind of a loner, just kind of that whole thing. He was really into the computers, his parents were kind of half paying attention because, you know, parents don't know what's going on with these computers. He ended up getting exploited, essentially, because he was smart enough to figure all this stuff out. These guys on the internet found him, and then they kind of befriended him. Although he never really got really personal information about them, they got personal information about him. So of course, they use that. They ended up sending him, of course, like Adderall through the mail, and then other things that a young person of, you know, 17 to 19 years old might like, sending him that. So of course, they had his address. And then, you know, so he kind of got pulled into the black web that way, innocently, of course, this is his story now. And they would ask him questions like, if you were to do this, how would you do this? And things like that. Well, somewhere along the line, he figured out like, oh, I'm probably not doing the right thing here. But of course, by then he was so pulled in. And then, you know, fast forward 10 years later, he was actually being celebrated at some nerd conference in Vegas of these people who like are the heroes of saving the world because they go against these hackers. But the FBI was waiting for him in Vegas. 
And when he was getting ready to leave, they pulled him and then he, you know, had to go to court for all the things he did when they had, you know, he had his fingerprint on him. So I mean, it was a really interesting story, just kind of showing how this kid got pulled into it, whether willingly or unwillingly, I don't know. But it's they're exploiting these young minds to, you know, pulling them in. And if I find it, I'll keep looking. Now, if I find it, I'll share it with you. Yeah, I had a patient who was probably early 30s. I don't remember what I was in for. But I said, Well, what do you do? He said, I'm in government contract. And this is in Central Valley of California, there's no little government contract with the DOD. And I said, Oh, well, where's that? He said, Oh, I work online. I'm up in Sierra. And I said, What do you do? And he said, Well, I do cybersecurity. I said, Oh, that's interesting. How'd you get into that? It was sort of like this story. He said, Well, you know, I was a teenager. And I started doing this stuff and playing around. And I'm on the internet. They said one day, two guys knocked on my door. And they told my parents, hey, we want to see so and so. And they said, Well, you know, basically, you can either come to us, or you can go to jail. Yeah. And he said, it was, it looked like a pretty good deal. Yeah, for going to jail. So he'd been doing it for a number of years. And I thought, is this really true? Or how much? You don't know, right? But that is true. That that's how that's a lot of times how the government recruits the best cybersecurity experts, because they'll even hold contests of who can hack the most sophisticated company or government who can hack our government, bring in contests and have a big prize for the winner. And then of course, it, you know, offer them a good salary to come work for us. So yeah, or if they get caught, so, okay. 
So I did find the article, it's the Red Redemption, the Red Dead Redemption, two fans horrified after hackers invade game. Oh, nevermind. I'm sorry. But it's this. Oh, it's the same guy, because I was at a like Comic Con conference. His name is like Tyler something. I'm sure. Nevermind. Nevermind. Yeah. All right. Thanks so very much. Dr. Giovinko here. Okay, we're, we're actually running ahead of schedule yet again, but we'll see if our panelists are here for the next session.
Video Summary
The presentation, led by Trevor Williams, a commercial risk advisor specializing in healthcare clients, focused on the pervasive issue of ransomware in the healthcare sector. Ransomware, a type of malware restricting system access until a ransom is paid, poses significant risks to healthcare organizations, with major incidents like those affecting the Colonial Pipeline and JBS Foods highlighting its impact. The talk detailed the stages of a ransomware attack, from initial access, often through human error, to data exfiltration and final deployment. The industry's vulnerability stems from both the sophistication of attacks and the ease with which hackers can access tools on the dark web.

Williams discussed how organizations should prepare, stressing the importance of incident response planning and cybersecurity training. He emphasized the importance of cyber insurance, detailing the challenges in obtaining coverage, particularly due to increasing costs and restrictive conditions. He also highlighted some practical steps to mitigate risks, including employing multi-factor authentication and fostering a robust security awareness culture. Real-life examples illustrated the dire financial implications of not addressing these threats proactively, with insurance deemed essential for safeguarding against potential data breaches and associated liabilities.
Keywords
ransomware
healthcare
cybersecurity
incident response
Trevor Williams
cyber insurance
data breach
multi-factor authentication