Throughout the pandemic companies have had to pivot and adapt, implementing new processes and procedures — sometimes on the fly — often with little or no precedent to follow.

With those changes can come unexpected cyber vulnerabilities, more so as companies work to establish their remote and hybrid workforces. Cloud breaches and other attacks are only expected to intensify going forward.

“Studies show about a third of all health care organizations experienced a ransomware attack in 2020,” according to Ben Statham, senior vice president, information technology with ExamWorks.

“As that trend continues, stakeholders across the workers’ comp industry need to know that all organizations that store personal health information are potentially lucrative targets for bad actors.”

Risk & Insurance® recently spoke to Statham to discuss cyber risks and mitigation measures the workers’ comp industry should be cognizant of.

Risk & Insurance: R&I has been writing about cyber risk for a long time, but things are constantly changing. In broad strokes, how well is the cybersecurity community doing at staying ahead of the threats?

Ben Statham: Over the last 24 months we’ve seen a steady uptick in cyber-attacks and breaches worldwide. Software companies are releasing critical patches to exposed vulnerabilities at an unprecedented rate, which puts pressure on IT teams everywhere to stay on top of and quickly remediate these vulnerabilities.

When a company makes security a top priority, there are typically more resources to deploy a broader range of security tactics at a quicker pace. I would say the cybersecurity community as a whole is really working hard to keep up right now.

R&I: In your opinion, what is the most challenging aspect of cybersecurity right now?

Statham: Finding and retaining personnel is a huge challenge right now in cybersecurity. The increased demand over the last few years for security staff has created opportunity for those looking for a career in cybersecurity. Short-staffed organizations trying to keep up with the work required to keep a company safe are running the risk of employee burnout.

It has become even more vital and resource consuming to keep up-to-date on current security trends, new breach notifications, and the latest vulnerabilities.

R&I: Are there any particular cyber risks for which the workers’ compensation industry is particularly vulnerable?

Statham: We hear about large hospitals and health care systems being breached, but there are also smaller organizations that we may not hear about. Historically, these companies have not had the same resources or expertise as larger organizations to protect data.

Any industry that maintains personal health information (PHI) is at risk, and that data is highly desired by bad actors. The key here is the commitment to protecting that information through education, vigilance and technology.

The balance over the past 24 months has been skewed toward frequent and relentless attacks on all organizations. Identification of a security incident in a timely manner and an organization’s ability to quickly react are powerful tools in preventing the scope from expanding. Minimizing that impact is critical.

R&I: Do you think we really know how serious the cyber threat is within workers’ comp?

Statham: Data can be at risk in every industry.  For example, T-Mobile was recently breached and didn’t find out until after the data was being sold on the dark web. The expectation of transparency and the greatest effort toward protecting PHI and personally identifying information (PII) guides procedures and protocols.

R&I: Do workers’ comp organizations face the same level of threat that health care organizations do?

Statham: Yes, all organizations in the health care space are targets. This niche is very desired by hackers and about a third of all health care organizations experienced a ransomware attack in 2020. Hospital systems need to be operational 24/7, have vast amounts of PII and PHI data, and there are regulatory fines for data exposure. In the case of recent, well-published breaches, these entities were more likely to pay the ransoms to unlock systems, continue care and keep hackers from releasing their data.

R&I: Are workers’ comp organizations generally keeping up with health care organizations in terms of protecting PII?

Statham: I believe this goes back to the size of the organization and how focused they are on cybersecurity. In the past, smaller companies didn’t have the resources or expertise to provide enterprise security protections and controls around PII. The increased attacks have driven all companies to invest more heavily in cybersecurity.

R&I: When it comes to protecting data, where do you most often see workers’ comp organizations fall short?

Statham: Software vendors like Solar Winds, Microsoft, and Kaseya have all had supply chain attacks affecting thousands of customers worldwide so third-party vendor vetting is critical. Outsourcing is commonly used to reduce costs and in some cases provide better service, but there can be added risk.

All companies are increasing their vetting process and tracking vendors. When an incident occurs with a third-party supplier, their clients need to know what data, systems, etc. are impacted.

They also need to be aware of immediate action needed to mitigate potential exposure. This is not just limited to data or systems, it then becomes a business continuity issue. In the example of outsourcing company TTEC, a third-party supplier that provides customer and sales support for major consumer companies, a malware infection affected its ability to provide contracted services for their clients.

R&I: What are the key steps that all workers’ comp organizations should be taking in order to protect their clients and their organizations?

Statham: Skipping over the basics like vulnerability scanning, patch management, anti-virus, firewalls, and multifactor authentication (MFA) that are standards in cybersecurity, there are a couple of key tools that every company should implement.

First, is a security information event management (SIEM) platform that collects logs from every system in the environment. This puts all log data in one place and makes it easier to analyze threats and malicious activity.

Second is an endpoint detection and response (EDR) agent on all systems. A good EDR will detect and can be configured to automatically stop attacks early on. Having this visibility and control over what your systems are doing and who they are communicating with is key to detecting and responding to any security incident.

Having the right tools and visibility is important. Next, an organization needs someone monitoring these logs and events 24/7. This is where a security operations center (SOC) comes into the mix.

The last component is having a team in place that is ready and prepared to react quickly to a cyber incident. In addition to an annual executive incident response exercise, I recommend performing regular technical roundtables where the engineers, admins, and helpdesk know what they have to do. Time is critical during a cyber-incident, so being prepared can be the difference between a security event and a large-scale data breach.

R&I: What about the human element? Do you see workers’ comp organizations taking steps to ensure that their people are part of the solution rather than part of the problem?

Statham: Humans continue to be the biggest risk vector and have a major role in protecting data. Employees need to be part of the security solution and understand their responsibility in keeping the systems safe. Security education is more important than ever and should include continuous phishing tests. Security has become a hot topic in the mainstream news, politics, and global economies. While employees may not fully understand the technical aspects, there is more awareness around security.

R&I: New technologies like AI and deep learning are driving remarkable gains in efficiencies and outcomes for workers’ comp organizations. How do those technologies factor into the cybersecurity picture overall?

Statham: AI and deep learning are the future of cybersecurity. The majority of security right now is reactive. When a new zero-day attack is detected, details of the attack propagate through all security vendors so they can update signatures and indicators of compromise to protect other organizations.

AI and deep learning is evolving to help react faster and automatically neutralize threats. AI will be able analyze and baseline user behavior as well as network activity. This will change how IT teams manage threats and deal with zero-day attacks.

R&I: What advice would you give to an organization that’s interested in taking its cybersecurity to the next level?

Statham: First thing I would suggest is bringing in a cybersecurity firm to have a cyber-maturity and risk assessment completed on your organization’s environment. This helps ensure that an organization understands the risks and areas of concern before putting a road map together. Knowing areas of weakness is a big first step.

R&I: Are there new or elevated threats you see on the horizon that workers’ comp organizations might not know about yet?

Statham: New threats and attack vectors are being announced every day. Today’s safe and secure tactics will probably not be secure tomorrow. Take printing as an example.

Microsoft has fundamentally changed the way users can interact and install printers because of the recent PrintNightmare attacks. They first surfaced in January 2021 and over the course of the year, Microsoft has released multiple solutions and patches to combat a vulnerability in computer printing.

IT organizations are now required to figure out new processes to address threats to long lasting systems that need to be retooled for increased security. &