Business Owners: Red or Blue Pill?

The Choice: The choice is yours. Continue to read this article, and you choose the red pill. The true nature of existence will be revealed. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. This article isn’t intended to terrify you. However, at the end of it, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill. 

The Ransom: In July, 2019, on a sticky summer’s day in Rockville Center, NY, the IT administrator for the school district had a message pop-up on his monitor: “Your data has been encrypted.” He frantically pulled the plug on the infected computer.  He limited the damage, but key files were being held for ransom.  Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.  

A Different Result: Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom.  The cost of the ransomware and recovery came from the university’s pockets. 

Cyber Insurance: Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches, and ransomware.  The insurance covers the costs of:  the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime.  Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack.  Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.  

Just a Piece of the Puzzle: You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy.  Insurance companies have been known not to pay out if they find negligence on the part of the insured. Covered companies are supposed to implement industry best practices, policy, and training.  Some underwriters will require company-wide training programs prior to issuance of the policy. 

What About Me: You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance?  Your business “lives” on a cyber flood plain. One out of every five cyber attacks are against small- and medium-sized businesses.  Of those that suffer an attack, over 60% cannot recover from the residual financial loss.  So, it’s not only big companies that need it.  Small businesses have been flooded right out of business from cyber attacks, when not properly covered.  

Transfers Risk: Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier.  If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it.   The cost of an attack could shut your doors.  So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote.  If you run an AirBnB or a small-repair shop, you may be OK without it.  Several local organizations have been impacted by cyber attacks, so don’t think it only happens in the big cities.   Calculate the risk. If your company was attacked, what would be the impact?  There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny! So, is your organization prepared for the risk of the cyber world?  Would you be like Rockville Center or  like UCSF?  Consider the options, then … choose wisely.

The Dangers of Unencrypted Email

Postcards from War: Recently, I was reading some of my grandfather’s faded postcards from World War I. I happened to read one in which he mentioned being released from quarantine: March 11, 1918, Fort Lewis, Washington – the Spanish Flu pandemic.

Then & Now: Postcards were how our grandparents sent brief messages over long distances. They are the antique analogs to modern email. The messages and attachments you send via email are every bit as private and secure as that dusty, old postcard.

Is This Normal: Recently, a close associate of mine, I’ll call him “John”, was required to take a defensive driving course. The business providing the service asked John to send a copy of his driver’s license. John promptly took a picture of his driver’s license in beautiful, high-definition color and attached it to an unsecure email. He didn’t even question it.

How It Works: Let’s look momentarily at a seemingly benign example to illustrate what happens when you hastily click the “send” button. Say you work for a medical practice and you send an email from your office to a patient. Here’s what happens:

  1. The email leaves your computer.
  2. It travels on your Internet Service Provider’s (ISP) network.
  3. It arrives at your mail server – a server you probably don’t control.
  4. Your hosted email provider then forwards a copy of the email to the patient’s mail server, probably webmail, like Gmail.
  5. A copy of the email languishes on the mail provider’s server.
  6. It then takes the last leg of the journey to land on the patient’s personal computer.

Everybody Sees It: As you can see, at any of those points, the email (like a postcard) can be read by anyone with access. That means, if any of those computers storing a copy of the emails is compromised, so are the emails. All of them.

Unsecure By Design: Email is by design, unsecure. That is why you should never, (let me repeat, EVER) include any important, private information in any email, not just the protected health information (PHI) of patients. Unencrypted email is simply the wrong medium for transmitting sensitive data.

From the hhs.gov website:

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.

For Healthcare: Now, I’m not a HIPAA lawyer, and this is not legal advice, but basically, if you are a medical practice, you know that much of your communication with patients is over email. In fact, many prefer it. So as long as you warn the patient that your email communication is over unsecure media, and the patient acknowledges, then you may be absolved of the consequences of a PHI breach … maybe. You can even get patient acknowledgment with (ironically) a simple email waiver form that the patient signs and returns to your office, over email.

Secure Options: If you only send PHI through your Electronic Medical Record’s application, it may take care of the encryption for you. But if not, there are email providers that will encrypt your emails. If you use Microsoft Office 365, there is a tier that will allow you to encrypt email. Other email providers like ProtonMail offer encryption capabilities. A Chrome extension even exists allowing you to encrypt Gmail. It can be a little inconvenient because you have to think up a strong password for each email, then you have to deliver the password to your patient by calling or texting them. If emails containing sensitive data are sent infrequently, the risk is lower. You decide whether you’d rather go through the effort or experience a breach.

You don’t have to protect sensitive data forever. Its value degrades over time. Conversely, that little postcard my grandfather hastily scrawled over 100 years ago is ever more precious to me.