How ransomeware makes healthcare wannacry.
  

Exposure assessments are essential in any healthcare business to help ensure that resources may be focused on protecting vulnerable areas. This quick “who, what, when, where and how” guide highlights any cyber liability exposures you may have in your business’ network.  

Who can see and/or have access to the sensitive or private information? Also referred to as account provisioning and regular access review, this provisioning ensures that access is provided only when needed. The review also prevents access “creep” where a user may transition to a new role and no longer has the same access capabilities.  

What sensitive or private information is in your custody? Conducting a data classification exercise permits you to determine what information you have on file that is sensitive, as well as its degree of sensitivity. Consider designing a classification system to determine the quantity and severity of sensitive information for which your organization is responsible.

When was the data created or saved on file? As a part of your records retention policy, data should be regularly checked to see if it should be properly and safely deleted or archived. The more “live” data you have, the more data that may be vulnerable to a cyber attack. 

Where is the sensitive or private information located? Database servers, workstations, web servers, laptops, file cabinets, records storage facilities and external hardware are all at risk of being hacked. Implement a data inventory exercise so you know where data is stored. This exercise should not only identify where data is stored, but also the external sources that store data in the event that a laptop or external hard drive is stolen. 

How do you contact individuals whose sensitive or private information is breached? The specifics of how to contact affected individuals and the information that must be provided depends upon the breach notification laws that apply. The applicable law is typically based on where the individual lives – rather than your state of incorporation or where the data was stored. It would be advisable to utilize a breach coaching expert and legal counsel to assist in this type of effort. 

You can never underestimate how critical it is to understand how sensitive information flows through your healthcare organization. Simply knowing where a cyber breach may occur represents the first step  in protecting that outlet. Always be prepared and check with legal and regulatory requirements. 

Please visit www.cna.com/healthcare or contact a CNA representative to see how your business can obtain coverage.