Health, Higher Ed Most Vulnerable to Cyber Attacks
As cyber risk management comes of age, more data and better analysis are leading to new realizations. One is that health care and higher education are the most vulnerable sectors, followed closely by financial services.
Another is that the vast majority of security breaches could be forestalled using simple measures, such as ensuring all updates and patches to software are installed and tested.
A third is that cheap, low-tech email attacks remain stubbornly effective despite expensive, high-tech protections.
All of those ideas were advanced and detailed at a fast-moving panel discussion May 11 in New York, sponsored by brokerage Crystal & Company.
Actuarial data is still thin in cyber, but Christopher Liu, head of cyber risk in the financial institutions group at AIG, said that “institutions in health care and higher education are the most hazardous classes of insureds. That is because they have the most sensitive information and there is high turnover. Also, they usually do not have big budgets, so security is often not well supported.”
Financial institutions, especially asset managers, are the second-most hazardous class, Liu added.
“They have the same attractive information, plus they have money.”
Mitigating that, they also tend to have better-funded and better-supported security, and they are heavily regulated. Regulation keeps them on their toes and also means greater external surveillance: several panel members noted that firms became aware of breaches only when regulators noticed unusual activity.
“We find that we deal primarily with three areas,” said Austin Berglas, senior managing director at K2 Intelligence.
“Those are: unpatched vulnerabilities in software, misconfiguration of internal systems, and misplaced trust by employees. We get called in to handle a breach, and 99 percent of the time we find the vulnerability is unpatched.”
Berglas explained that the software companies race each other to send out new versions that often are not completely functional or secure. So they send out patches. “Windows does it every week on ‘patch Tuesday.’ But users don’t have any regular schedule or system for installing and testing patches. We find unpatched vulnerabilities dating back as far as 1999.”
The challenge of unsecured connections between systems was dramatically demonstrated by the attack on retailer Target, which began with credentials stolen from the company’s heating and air-conditioning vendor. But Berglas emphasized the persistent and pernicious problem of simple phishing.
“It is estimated that 30 percent of individuals within a company will open an email, and 13 percent will click on an attachment, even if they have been warned not to,” Berglas warned.
“You spent half a billion dollars on security systems and firewalls, and one click on one phishing email by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense. Now they are inside, with credentials, and you can’t detect them.”
The quickest and easiest thing that any company can do, “is to look for unpatched vulnerabilities in public-facing systems,” Berglas urged.
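The two problems Berglas names, vendors shipping fixes on a predictable cadence while customers patch on no cadence at all, and unpatched public-facing systems as the first thing to look for, are easy to turn into a check. (Microsoft’s Patch Tuesday is in fact monthly, on the second Tuesday, not weekly, but the point stands: the vendor’s schedule is predictable and the customer’s usually is not.) The script below is an added example written for this article, not code from the panel or from K2 Intelligence. The inventory of Internet-facing services, the minimum fixed versions and the as-of date are all constructed for illustration; in practice the baseline comes from vendor advisories and the inventory from an external scan, and only the hosts and versions change.

```python
"""Added example: flag Internet-facing services that run a version below a
known-fixed baseline, or that have not been patched within an SLA.

Everything below (hosts, versions, dates, baseline) is constructed for
illustration; none of it describes a real environment."""
from datetime import date
import re

# Constructed inventory: (host, product, installed version, last patched)
INVENTORY = [
    ("www-1.example.net", "nginx", "1.18.0", date(2016, 3, 1)),
    ("mail.example.net", "exim", "4.94.2", date(2016, 4, 20)),
    ("vpn.example.net", "openvpn", "2.4.0", date(2015, 11, 2)),
    ("api.example.net", "nginx", "1.20.1", date(2016, 5, 1)),
]

# Constructed baseline: lowest version that carries the vendor's fixes.
# Illustrative numbers only; a real baseline is taken from vendor advisories.
MIN_FIXED_VERSION = {
    "nginx": "1.20.1",
    "exim": "4.95",
    "openvpn": "2.4.3",
}

PATCH_SLA_DAYS = 30          # assumed policy: externally exposed hosts patched within 30 days
AS_OF = date(2016, 5, 11)    # constructed "today" for the age calculation


def parse_version(text):
    """Turn '1.20.1' or '4.94.2' into a tuple of ints so versions order
    numerically ('1.9' < '1.10'). Non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def find_exposures(inventory, baseline, sla_days, today):
    """Return a list of (host, reason) findings.

    A host can be flagged twice: once for running below the fixed baseline
    and once for exceeding the patch SLA. Products with no baseline entry
    are only checked for SLA age."""
    findings = []
    for host, product, version, last_patched in inventory:
        required = baseline.get(product)
        if required is not None and parse_version(version) < parse_version(required):
            findings.append((host, f"{product} {version} is below fixed version {required}"))
        age_days = (today - last_patched).days
        if age_days > sla_days:
            findings.append((host, f"last patched {age_days} days ago, SLA is {sla_days}"))
    return findings


def exposed_hosts(findings):
    """Distinct hosts that appear in the findings, in first-seen order."""
    seen = []
    for host, _ in findings:
        if host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    results = find_exposures(INVENTORY, MIN_FIXED_VERSION, PATCH_SLA_DAYS, AS_OF)
    for host, reason in results:
        print(f"{host}: {reason}")
    print(f"{len(exposed_hosts(results))} of {len(INVENTORY)} public-facing hosts need attention")
```

The version comparison is deliberately numeric rather than string-based: a plain string compare would rank "1.9" above "1.10" and miss a real gap. The SLA check is the half most organisations skip; a host can be on the latest release today and still have no process behind it, and the age column is what shows that.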
On the same theme, John F. Mullen, managing partner of the law firm Lewis Brisbois Bisgaard & Smith, stressed that “security goes way beyond IT.
“This is not just about the tech guys. Cyber security tends to get pushed downhill.” And that tends to mean lack of coordination on all fronts.
“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.”
Similarly, “insureds have to know the coverage that they have bought. Is there a mandated forensics group? Outside counsel? If so, go meet with them. If you have options, vet them,” Mullen exhorted.
Mullen expects the cyber insurance business to triple or quadruple in the next five years, in terms of premium spending.
Cycling back to the theme of internal responsibility, Paul Miskovich, senior vice president and global practice leader of cyber and technology errors and omissions coverage at Axis, said that 67 percent of cyber claims presented to his firm involved insider activity of some kind: clicking on a phishing email or failing to install a patch or use a firewall. Further, 25 percent of claims involved third parties such as vendors.
For all the focus on the breach itself, Miskovich added that “regulatory costs can be more than the costs of the breach, especially if you don’t have documentation of your security policies and protocols.” That includes documentation that the policies are in place and are rehearsed.
Noting previous comments that many losses are traced to breaches that have gone undetected for years, Miskovich said that a new area within cyber insurance is full coverage for prior acts.
Navigating the Picket Line
Last year saw a significant increase in college students protesting everything from racial and gender discrimination to sexual assault and cultural appropriation.
College risk managers must strike a balance between allowing students their say and keeping them — and others — safe from harm and keeping college property safe from damage.
Last May, Columbia University student Emma Sulkowicz walked across the graduation ceremony stage carrying a mattress — as she similarly did around campus during the school year — to protest campus sexual assault. According to the Washington Post, Sulkowicz said she was raped in her dorm room in her sophomore year, but her attacker was cleared in a school hearing and the mattress symbolized what she said was the university’s flawed handling of her complaint.
Yale University students in November clashed with faculty over the issue of ethnically insensitive Halloween costumes, leading Yale lecturer Erika Christakis to resign after criticizing protestors for not allowing free speech.
In January, Ithaca College president Tom Rochon announced his retirement after an uproar over his handling of an incident during which two white men used racially charged language to refer to a black student participating in a roundtable discussion, among other incidents, according to NPR.
Then there is the example of Princeton University students demanding the name of Woodrow Wilson, former president of the U.S. as well as namesake of a school at the university, be removed because he held racist beliefs.
Many of these movements have gone beyond the traditional expression of discontent and are actually taking administrations to task, asking them to intervene and police what they view as improper behaviors, said Bertrand Spunberg, practice leader for executive risks, Hiscox USA in New York City.
Some administrators are pushing back, he said. Oberlin College student protestors in January presented president Marvin Krislov with a 14-page list of demands that included, among other things, the immediate firing of some Oberlin employees and curriculum changes, including that students of jazz “should not be forced to take courses rooted in whiteness,” according to Inside Higher Ed.
“If these demands are not taken seriously, immediate action from the Africana community will follow,” the protestors’ letter ended.
Krislov rejected the demands “because he believed that the nature and format of those demands ran counter to the kind of ‘collaborative engagement’ that should exist between the school and its student body,” Spunberg said.
“Schools are trying to maintain that collaborative engagement by making sure they listen to students without giving in to the public relations fear that they are going to do or say something that angers students, donors or other stakeholders,” he said.
There’s “an interesting tension at play here” as institutions try to balance free speech and social or racial sensitivity, Spunberg said.
“As colleges and universities try to find the right balance, it’s reasonable to expect that we may see claims at both ends of the spectrum between allegations of undue restraint of free speech on campus and wrongful termination lawsuits by staff who were fired because they said or did something that was viewed as contrary to the student population’s beliefs,” he said.
The biggest challenge for institutions and campus police when there is “spirited discourse” is ensuring that protests remain peaceful and do not devolve into criminal acts such as looting, property damage and bodily injury, said Leta Finch, national leader, higher education practice at Aon Risk Solutions in Burlington, Vt.
Many schools have policies for student protests, and instructions for campus police to manage those protests, Finch said.
Students typically are protected on campus, but once a protest becomes civil disobedience and crimes are committed, then police have the power to arrest.
Some schools like the University of Missouri have created “safe zones” for students to protest that prohibit access not only to those opposing them, but also media outlets. But Finch said she is “not so sure safe zones are the solution — they add fuel to emotion.”
Risk managers should make sure the institution has adequate coverage for liability and property damage, and should also be aware of the university’s policies and procedures if protests lead to civil disobedience, she said.
“If there aren’t any, they should start asking if they can be developed, because every school is at risk for these types of occurrences,” Finch said.
John McLaughlin, managing director, higher education practice at Arthur J. Gallagher & Co. in Itasca, Ill., said that most university business continuity and insurance programs are focused on a “moment-in-time” event such as a natural catastrophe or even a shooting.
“But what has been happening with recent protests is that they are stretched out over long periods of time, so a school’s crisis response team is constantly on point focusing on one event after another,” McLaughlin said.
Crisis response and threat assessment teams must also consider that threats could come from outside the campus community, he said.
As the teams begin to cover new territory, they must ask themselves how far their investigations and interventions should go, lest their actions be misconstrued and inflame protestors even further.
There are also financial implications of decisions made under pressure from protestors, McLaughlin said.
At the University of Missouri, where student athletes threatened to boycott a football game in support of student protestors, the financial impact could have been significant. Traditional event cancellation coverage may not respond to financial loss from that type of intentional act.
“However, I suspect underwriters will be engaged in some deep conversations about how coverage might be amended to provide at least some coverage for this type of situation,” he said.
Terri Taylor, senior policy and legal adviser at Education Counsel LLC in Washington, D.C., said that student demonstrations can be an opportunity to open a dialogue on campus.
If a school cannot or will not meet students’ demands, it should address what is at the heart of the complaints, she said.
“Students may demand one thing they think will address their concern, but administrators have the opportunity to think beyond the demand and also consider what conditions or policies may be contributing to that,” Taylor said. “That shows engagement, and they could offer something that students might not directly be asking for, but something that could bring up change.”
Compounding: Is it Coming of Age?
The WC managed care market has generally viewed Rx compounding through the lens of its negative impact on the cost of treating chronic pain, without fully examining the opportunity to use “best practice” prescription compounds to help combat the opioid epidemic this nation faces. IPS stands on the front lines of this opioid battle every day, making a difference for its clients.
After a shaky start cost-wise, prescription drug compounding is turning the corner in managing chronic pain without the risk of opioid addiction. A push from forward-thinking states and workers’ compensation PBMs who have the networks and resources to manage it is helping, too.
Prescription drug compounding has been around for more than a decade, but after a rocky start (primarily in terms of cost), compounding is finally coming into its own as an effective chronic pain management strategy – and a worthy alternative for costly and dangerous opioids – in workers’ compensation.
According to Greg Todd, CEO and founder of Integrated Prescription Solutions Inc. (IPS), a Costa Mesa, Calif.-based pharmacy benefit manager (PBM) for the workers’ compensation and disability market, one reason compounding is beginning to hit its stride is because some states have enacted laws to manage it more effectively. Another is PBMs like IPS have stepped up and are now managing compound drugs in a much more proactive manner from an oversight perspective.
By definition, compounding is a practice through which a licensed pharmacist or physician (or, in the case of an outsourcing facility, a person under the supervision of a licensed pharmacist) combines, mixes, or alters ingredients of a drug to create a medication tailored to the needs of an individual patient.
During that decade, Todd explains, opioids have filled the chronic pain management needs gap, bringing with them an enormous amount of problems as the ensuing addiction epidemic sweeping the nation resulted in the proliferation and over-consumption of opioids – at a staggering cost to both the bottom line and society at large.
As an alternative, compounded topical cream formulations also offer strong chronic pain management but have limited side effects and require much reduced dosage amounts to achieve effective tissue level penetration. In fact, they have a very low systemic absorption rate.
Bottom line, compounding provides prescribers with an excellent alternative treatment modality for chronic pain patients, both early and late stage, Todd says.
Time for Compounding Consideration
That scenario sets up the perfect argument for compounding: doctors are seeking a new solution, given the pressure and scrutiny they face when trying to treat chronic pain with opioids.
Todd explains that the best news about treating neuropathic pain with compounded topical analgesic creams is that the results are outstanding, both in patient satisfaction, measured as reduction on the VAS (visual analog scale) pain score, and in avoiding the potentially dangerous side effects of opioids.
The main issue with some of the early topical creams created via compounding was their high cost. In the early years, compounding, which does not require FDA approval, had little oversight or control in place. But in the past few years, the workers’ compensation industry began to take notice of the solid science. At the same time, medical providers were seeing the same science and began writing more prescriptions for compounds, which also offer them a revenue stream.
This is where oversight and rigor on the part of a PBM can make a difference, Todd says.
“You don’t let that compounded drug get dispensed when you’re going to pay for it without having a chance to approve it,” Todd says.
Education is Critical
At the same time, there is the growing, and genuine, need to start educating the doctors, helping them understand how they can really deliver quality pain management to a patient without gouging the system. A good compounding specialty pharmacy network offering tight, strict rules is fundamental, Todd says. And that means one that really reaches out to work with the doctors that are writing the prescriptions. The idea is to ensure that the active ingredients being chosen aren’t the most expensive sub-components because that unnecessarily will drive the cost of overall compound “through the ceiling.”
IPS has been able to mitigate costs in the last couple of years just by taking a common-sense approach and doing a lot of physician outreach. Working with DermaTran Health Solutions and its national network of compounding pharmacies, IPS has been successfully reducing the cost of a compounded prescription without reducing its effectiveness.
Colorado, which has cracked down on compounding profiteering, enacted a legislative cap of $350.00 per compound. Notably, in an 18-month window for one client in Colorado, IPS had 38 compound prescriptions come through the door, each with between four and seven active ingredients. Through its physician education efforts, IPS brought all 38 prescriptions down to three active ingredients or fewer, while helping patients achieve therapeutic success with the acceptance of the medical community. In that case, the average cost of a compound prescription came down to $350, versus the industry average of $788. Nationwide, IPS has reduced the average cost of a compound prescription to $478.00.
“We’ve still got a way to go, but we’ve made amazing progress in just the past couple of years on the cost and effective use of compound prescriptions,” Todd says.
For more information on how you can better manage your costs for compound prescriptions, please call IPS at 866-846-9279.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with IPS. The editorial staff of Risk & Insurance had no role in its preparation.