Cybersecurity attacks are increasingly sophisticated with no sign of slowing down, particularly for critical industries like healthcare. This new reality has not gone unnoticed by cybersecurity insurance providers who are upping requirements for liability coverage. However, this has left many organizations unsure how to proceed, especially when up against tight deadlines. Forward Advantage recently navigated its own new set of cybersecurity insurance requirements, so we understand the frustration felt by many of our customers. To help, we spoke with our in-house expert for some practical tips. See below for a recent Q&A session with Corey Wilkins, Cloud and Network Architect at Forward Advantage. We hope you find the information and strategies Corey shares to be helpful. As always, feel free to reach out for more information!
Describe your role at Forward Advantage.
I’m the Cloud and Network Architect at Forward Advantage. We’re a small-to-medium-sized business, so I wear many hats and was tasked with solving these new multi-factor authentication (MFA) and cybersecurity insurance requirements. We want to push the company forward and allow employees to work as efficiently as possible, while also securing the business. This means ensuring the security footprint is as small as possible so we don’t become the victim and can continue working without any interruptions.
Why are cybersecurity insurance requirements changing and what is the effect on customers?
The need for cybersecurity liability insurance stems from all the recent breaches. Fortune 500 companies, medium-sized businesses, and even the government have all been affected. The probability of a security breach, and the associated risk, is so high that it’s nearly impossible for insurance companies to accept without these extreme measures. The requirements are so new and broad that the market is not necessarily prepared. If customers are not experiencing this now, I think they will be within the next couple of years. Insurance providers have caught on that MFA is the new security standard that must be implemented. Organizations can expect to see this requirement, but the lists are complicated and not everyone knows how to handle them.
Can you describe what multi-factor authentication (MFA) means?
MFA means that using just a password is no longer acceptable. It’s too easy for passwords to be compromised, whether from an unprotected system or a phishing attempt to trick someone into providing their password. MFA requires something in addition to a password, such as biometrics or a token where you receive a text or call to verify your identity. MFA makes it much more difficult for someone to compromise your password.
How is Forward Advantage approaching the increasing level of requirements?
Forward Advantage had to put MFA and antivirus protection on pretty much everything – servers, user workstations, networking equipment, firewalls, email, etc. We also had to implement security controls for protected accounts. There are a lot of ways to tackle MFA, such as with Privileged Access Management (PAM) or Enterprise Password Management (EPM) solutions that prompt when a user tries to elevate privileges.
Do you have any tips for implementing antivirus protection?
Organizations should ensure they have antivirus software to help protect endpoints (servers) and work on getting as much coverage as they can with those installed. An insurance provider won’t just accept antivirus on production systems; they’ll want it on development systems too. If something is connected to the network in any way, antivirus protection should be on it.
What are some challenges associated with these new insurance requirements?
It can be difficult to tackle certain aspects of the network. Some solutions are just not designed for these requirements because they are so new. There isn’t a solution that does everything, so you build a tool kit and test it to make sure everything plays well together. It’s important to work proactively on these requirements now. They will be required in the future, and you don’t want to be stuck figuring this stuff out with a tight deadline.
What should healthcare organizations consider when evaluating solutions to meet cybersecurity insurance requirements?
There is no one solution that fits all. You need to understand the technology it will interact with and user processes to minimize disruptions. Consider additional flexibility for future integration points, operating systems, and devices.
Do you have any additional tips for implementing/rolling out these solutions?
This must be a team effort throughout the entire organization, and communication and training are essential. There needs to be clear communication about how these requirements will be implemented and what the workflows will look like. It’s not a matter of flipping a switch because there are hours of fine-tuning. Double up on communication with each other and make sure everyone is reporting issues and not just suffering through them. It’s a process, so my biggest tip is to not wait until the last minute!
Which of Forward Advantage’s solutions help with cybersecurity initiatives and insurance requirements?
Forward Advantage is an authorized reseller and implementer of Imprivata solutions, including Confirm ID, Privileged Access Management, and FairWarning. Confirm ID provides MFA for many of our customers, but there are other solutions we offer that check off a lot of boxes. These include Imprivata Privileged Access Management (PAM) and Imprivata FairWarning. PAM provides a centralized way to manage and protect privileged credentials, and it integrates with Confirm ID for the MFA portion. FairWarning adds another layer of security with machine learning and artificial intelligence to identify threats more quickly. We also offer Identity Governance and Administration through Imprivata or SailPoint and can help customers determine which solution best meets their needs.
Forward Advantage’s identity experts have 15+ years in the identity and access management space. We are a company with decades of experience working in healthcare with leading EHRs, VDI infrastructure, single sign-on and advanced authentication solutions. As an authorized reseller and implementer for Imprivata, we offer the following to help organizations meet new cybersecurity insurance requirements:
- Imprivata Confirm ID – Simplified multifactor authentication for medical devices, remote access, EPCS and clinical workflows
- Imprivata Privileged Access Management – Security solution for privileged accounts, assets, and tasks
- Imprivata FairWarning – Patient privacy, drug diversion, and cloud intelligence solutions
- Identity Governance and Administration – Solutions and services to help manage identity lifecycles