PRA Newsletter | Third Quarter | Issue VII | July 9, 2019
We're surrounded by technology every day, be it laptops, smartphones, computers, tablets, or any other electronic device. While these tools have made our lives infinitely easier, they also pose a threat to our security. Emails, social media, and our computer systems are at risk of being compromised and used against us. Learn more about cyber threats currently affecting the healthcare industry, and be sure to follow us on Facebook, Twitter and LinkedIn to stay informed on Professional Risk and the latest in the healthcare community.
In 2016, social engineering accounted for only 1% of data breaches handled by Beazley. However, in the past several years this trend has grown rapidly.
Social engineering is a leveraging technique characterized by a fraudster impersonating a seemingly trusted source, such as a coworker or an authority within the company, and using their name and credentials to get another employee to disclose classified information or wire funds to a fraudulent account. These deceitful messages are often a call to action and worded to make the matter sound urgent.
For example, you may receive a fraudulent email saying, "Our beneficiary is waiting to receive a pending payment. I am out of the office today, and need your help setting up an outgoing wire transfer immediately. Please get this together as soon as possible, you'll find their account information listed below."
The compelling nature of the email is meant to spur a victim into quick action rather than allowing them time to contemplate the decision or search for alternative solutions. In short, these attacks rely on an employee's willingness to trust and eagerness to please.
While human error is difficult to eradicate, there are simple security measures your company can take to combat this risk. You can read more about social engineering and what precautions your employees can take here.
Third Party Business Interruption
Business interruption loss is classified as funds lost due to electronic business interruption in the event of a cyber-attack. Another form of business interruption loss occurs when a third party your practice works with experiences an attack.
An example of this is the recent breach experienced by Quest Diagnostics, a widely used clinical lab. Quest Diagnostics filed a breach notice with the U.S. Securities and Exchange Commission stating that nearly 12 million patients' and customers' billing information was compromised. This attack, however, was not originally directed at Quest Diagnostics.
Quest Diagnostics hired Optum360 to handle their medical billing.
Optum360 then contracted with American Medical Collection Agency for handling collections on past-due accounts.
American Medical Collection Agency experienced the security breach and reported unauthorized activity on their web payment page to Optum360 and Quest Diagnostics on May 14, 2019.
In this particular incident, it was a third-party vendor of Quest Diagnostics' third-party vendor that caused this breach.
This is another poignant reminder that vendor risk management is an important part of managing a healthcare facility's risk. You can read more about this specific case here.
If you're interested in learning more about Business Interruption Insurance and some of the important terms associated with this coverage, please visit: Business Interruption Insurance: 8 Terms to Help You Understand What is Covered.