Comp sector faces security risks as it shifts online

Posted On: Apr. 1, 2020 7:00 AM CST
As many workers compensation processes move online amid the COVID-19 pandemic, organizations are more vulnerable to cyberattacks, experts say.
Companies involved in the sector hold significant amounts of personal information for claimants, including health care details and Social Security numbers, which make them an attractive target for hackers, they say.
With government-imposed and voluntary office closures forcing more procedures involving legal disputes, benefits applications, communications and medical treatments into a virtual environment, all comp organizations should enhance their security controls and employee training, they say.
“Today’s threat actors are hoping to attack while all companies are distracted with COVID-19 and the challenges of relocating staff,” said Delray Beach, Florida-based Rita Wilson, CEO of Tower MSA Partners LLC, a Medicare secondary payer services provider for comp insurers.
And the industry has been hit by some high-profile breaches in the past. In 2017, SAIF Corp., Oregon’s state-chartered comp insurer, and Kentucky’s Workers Compensation Fund suffered cyber breaches. In June 2019, six health care companies — some of which treated occupational injuries — experienced cyberattacks during the same week. In July last year, Corvel Corp. announced it had suffered a “security incident” that forced the managed care firm to temporarily shut its systems.
“I think historically workers compensation has trailed group health in terms of technology,” said Ms. Wilson. “Now there’s a very definite, very focused effort on technology looking at telemedicine, artificial intelligence and integrated platforms between claims systems.”
Breaches in the workers comp sector are often seen as potentially exposing a significant amount of valuable data because claimants’ records can include personal data, protected health information and biometric data, said Stephanie Snyder, Chicago-based senior vice president, commercial strategy leader at Aon PLC.
Personal health information tends to be among the more expensive data files sold on the dark web, said Nikki Ingram, Schaumburg, Illinois-based cybersecurity risk engineer at Zurich North America.
In the workers comp sector, the likelihood of a data breach often depends on the security controls a company has in place, including the security controls of third parties where information is shared, said Patrick McCrann, Cleveland-based chief information security officer at AmTrust Financial Services Inc.
“I would really look at any type of workers compensation information, whether it’s held at a corporation or with a (third-party administrator) … even with the insurance carrier, wherever that data is held, it’s incumbent upon whichever organization to make sure they’re adequately protecting it,” said Ms. Snyder.
Access to sensitive information should also be restricted because the most common cause of data breaches is employees, she said.
“Unfortunately, humans tend to be the weakest link,” said Ms. Ingram. “It’s easier for the unsophisticated attacker to go after the human element.”
But phishing attacks, where employees typically are tricked by scam emails, can be sophisticated and targeted, she said.
During the coronavirus pandemic, data and map images purportedly from the Centers for Disease Control and the World Health Organization, with links that look like they connect to legitimate news sites, are increasingly being used as bait by cyber attackers, said Ms. Wilson.
“Attackers are opportunistic. … They are going to use the things that are on people’s minds to try to attack people,” said Wesley McGrew, Starkville, Mississippi-based director of cyber operations for security firm Horne Cyber, a unit of consulting firm Horne LLP. “There are already coronavirus phishing scams and scam websites.”
Employers should encourage employees to report suspicious emails and perform phishing exercises with varying degrees of difficulty to raise awareness among employees, Ms. Ingram said.
“Training is absolutely critical,” said Ms. Wilson. “You can do everything possible within your system, but one phishing email gets through and someone responds to it, now you have someone in your system.”
If a data breach occurs, organizations should engage an incident response coach, typically a legal expert, to ensure that information around the breach is legally protected.
“An interesting trend we’ve recently seen, which is just starting but hopefully stops, is where organizations make the decisions not to pay the ransom, and hackers are turning around and publishing the information on the internet” rather than just holding the data for ransom, Ms. Snyder said. That broadens the scope of the attack to a true data breach, bringing computer forensic costs, business disruption costs, regulatory fines and penalties, breach notification, credit monitoring and litigation.
Regulatory changes relating to telemedicine made since the onset of the pandemic have eased some of the pressure on organizations holding personal health information. On March 17, the U.S. Department of Health and Human Services stated it will waive penalties for violation of the Health Insurance Portability and Accountability Act in connection with a good-faith use of telehealth during the COVID-19 outbreak.
“Insurance companies are likely to see an explosion of claims during this period … (except) for breach of medical information under HIPAA if it’s in the context of obtaining telehealth,” said David Katz, partner in the Atlanta office of Adams and Reese LLP. “Anyone who has written coverage for those types of breaches may see a decrease actually.”