Workers’ Comp Ripe for Cyber Attacks
The workers’ comp industry is ripe for cyber attacks, according to insiders. Identity theft, company embarrassment, and even blackmail are potential risks. The threats to an employer can range from reputational damage to criminal charges.
With organizations such as Sony, Anthem Blue Cross, and the Internal Revenue Service recently being hacked, it’s likely just a matter of time before such an incident occurs in workers’ comp. In fact, it may have happened already.
“In many cases where there may have been a threat or even an intrusion, there may still be research going on, or it may not be of the type that requires state reporting,” said Bob Jackson, a longtime security officer in the claims management industry. “My guess is there is some growing level of cyber threat in the workers’ comp industry.”
The workers’ comp industry may one day soon find itself the victim of a major cyber attack, experts warn. While there are no solid solutions just yet, the industry would be well-served to at least try to answer some key questions.
“What information is at risk for the company?” said Jeffrey Austin White, director of innovation for Accident Fund Holdings Inc. “What will the landscape look like in the future as hacking technology gets more sophisticated? Do we need to establish more stringent policies and procedures or start setting aside money for damages?”
“Systems these days are so complex that in order to truly understand the scope of an attack takes days, weeks, or months,” Jackson said.
Information is breached for a variety of reasons, the experts say. Many hackers are paid by large organizations for their efforts.
“We have professional hackers associated with organized crime that are paid professionally,” Jackson said. “We have groups that have an agenda; it may be political or it may be a public values agenda.”
Some hackers seek to embarrass a company, and there are hackers motivated by the fun in doing it.
“I do think workers’ comp is a very rich community for almost all those audiences,” Jackson said. “In workers’ comp, we have information that by itself would lead to identity theft for pretty well every claim being managed.”
The fact that most states require Social Security numbers for injured workers is one of the key factors making workers’ comp claims information a target for security breaches. Jackson says it goes beyond that.
“This is not spoken of very much but … there’s potential for blackmail,” he said. “Material may have sensitive information about [an injured worker’s] status; that he/she is HIV positive, or the circumstances of an accident may be embarrassing, there may be a chronic disease, or a pregnancy that has not been announced yet.”
A company that has had its information breached may have difficulty keeping its reputation intact. It may lose contracts from clients.
“Most organizations in workers’ comp have contracts which entitle clients to terminate contracts upon these types of breaches without further arbitration,” Jackson said. “I’m seeing that contractual language more and more.”
There are a couple of ways people can hack into an organization’s data. One is a derivative of BadUSB, described as a security flaw that lets malicious code be placed in the firmware of a USB drive and turn a user’s keyboard, mouse, storage device, or any USB device into a cyber threat.
Another way secure information can be breached is through external attacks on a company’s website or network. A system called Regin, for example, is sophisticated espionage software that can be used to get inside a company’s firewall and provide access to its internal computer network.
Information can also be breached through mobile devices brought in and out of a company by its own employees or by sending sensitive data through email. “There are also cloud computing platforms and outsourcing relationships,” said Jeffrey Austin White, director of innovation for Accident Fund Holdings Inc. “If you do business with a company that has access to your company or client information, how do you make sure they have the proper safeguards to protect your data?”
Because cyber threats are a moving target, reliable long-term solutions are an elusive goal. “There is no silver bullet,” White said. “All these hacks are exploiting vulnerabilities that arise from updates to software and the operating system that are ongoing. Companies are having a hard time keeping software current, especially when vendor solutions are not compatible with the latest releases. Technology is progressing so fast that keeping on top of this stuff requires dedicated resources.”
White likens the threat of cyber attacks to natural catastrophes and suggests the industry try to figure out how to prepare for these digital disasters as they are bound to happen. Both experts say the industry needs to at least develop policies and procedures for the emerging threat.
“The industry would be well-served to gather together [just] as high-tech industries have done, and create a forum for sharing concerns, solutions, and issues that sometimes are unique to the workers’ comp environment,” Jackson said. “I just don’t see that evolving. There’s such fear of sharing with your competition that you may have an issue or not know how to evaluate. People don’t want to talk. That’s unfortunate.”
In the absence of such a solution, Jackson says organizations would be well-advised to employ security officers who are aware of the needs of the business and have a strong working relationship with key personnel.
“When issues come up, they have authority and the relevance to go to the business and say ‘we need to make this change and use some [particular] tool and here’s why. Let me explain why this will reduce risk to the organization,’” he said. “They should have a business-to-business dialogue rather than imposing what seem to be random tactics. If the business is engaged and understands why [the security officer makes a recommendation], the business will embrace it and support it.”