Jan. 16, 2025

The Latest Scandals in Healthcare Cyberattacks with Brian King

Always looking for ways to safeguard your practice and stay ahead of potential threats? Brian King joins Bill Walker to unpack the latest scandals in healthcare cyberattacks and explain why cyber liability insurance is an absolute must for protecting your practice.

With healthcare data being a prime target for hackers, having the right insurance coverage can shield you from the financial fallout of a cyber incident.

Find out:

  • Eye-opening stats about cyberattacks on small practices
  • 5 practical tips to boost your cybersecurity
  • The potential consequences of data breaches
  • The benefits of working with specialized insurance brokers
  • Why cyber liability insurance is your practice's safety net
  • How ransomware can freeze your operations for a hefty price
  • The serious penalties tied to HIPAA violations

More about Brian King, Healthcare Practice Leader at Trucordia

Brian King has a lifelong passion for the insurance industry, inspired by his family's legacy. He specializes in providing tailored insurance solutions for medical businesses of all sizes, from hospitals to small practices. Brian is driven by a desire to improve coverage for healthcare professionals, including doctors, surgeons, and nurses.

About Aesthetic Appeal

Aesthetic Appeal is where Aesthetic Brokers brings you the latest insights straight from Southern California. We break down what’s happening in the medical aesthetics world—especially when it comes to private equity and transactions with mergers and acquisitions that matter to you as a practice owner.

Learn more about Aesthetic Brokers

Follow Aesthetic Brokers on Instagram @aestheticbrokers

Transcript

Bill Walker (00:04):
Welcome back everyone to Aesthetic Appeal, the podcast for Aesthetic Brokers, where you can get the latest information for your practice, whether it be medical aesthetics, anti-aging, hormone therapy, plastic surgery, cosmetic surgery. Aesthetic Brokers is pleased to welcome on this episode of the Aesthetic Appeal podcast, Mr. Brian King of PCF Insurance. Brian, welcome to the show.

Brian King (00:31):
Thank you. Very good to be here, Bill. I've listened to your podcast before and am very happy to contribute any way I can.

Bill Walker (00:40):
Well, we're excited to have you on the show. For those of you who are constantly looking for ways to improve your business, solidify your practice, and really make it stronger, this is going to be a great episode for you because we're going to go down the path of talking about healthcare providers and their insurance options, and we're going to specifically talk about an article that's resurfaced from this summer that deals with cyberattack. Brian, if you would take us down this path and talk a little bit about, first off, where you came from, how you got into this space, and why you think insurance is possibly something that gets undervalued or maybe less considered as a primary consideration for most practice owners and specifically cyber, cyberattacks.

Brian King (01:35):
Well, thank you Bill. So again, my name's Brian King and I work for PCF Insurance, which is a national company. We've got insurance brokers all throughout the United States, and we provide services across all states in the union. I've been in insurance since I worked in the mail room at my stepdad's insurance brokerage, and so I dunno if you can see me or not, but I don't have any hair left hardly, and what's there is gray. So over that amount of time

Bill Walker (02:07):
I love that haircut. That's a great haircut. And for the listeners too, I think this will resonate as far as having this particular voice on the show for a reason because, Brian really does, you do understand the individual owner of a business and having to make all the tough choices of what do you invest in, what do you don't.

Brian King (02:27):
Absolutely right. And so yeah, a few years back, not a number of years back, a good friend of mine said, why, because I was a generalist in insurance like most people are in the insurance industry. For the purpose of this talk, actually I wasn't really going to hit on this, but this actually brings up a good point. There are generalists in the insurance industry and then there are specialists in the insurance industry. I happen to be a specialist in the healthcare industry and so are my associates. And that's important because we read the articles about the industry, we follow the claims, we read the insurance forms, and no two insurance forms are created equal. And so we've seen as we review cyber liability policies and medical malpractice policies, contracts that don't protect physicians very well, but are rather designed to provide some coverage but mainly protect the insurance carrier for losses or to mitigate insurance carriers for losses.

(03:30):
And of course all contracts will do that, but some are written in favor of physicians more than others, and that's part of what a specialist, in theory, can do for your practices, provide a better policy. And typically it's the same cost, sometimes a little less, sometimes a little bit more. But the point is if you're going to pay money to fund a liability, you want that liability to be funded should there be an episode. And so most practitioners really worry about the bottom line profitability, about the EBITDA. Maybe they're going to sell in a year or two or three or four or five. Or there's day-to-day operations, they want to keep the profitability up. And so it's my experience that price, we often shop by price, all of us. I want to get the least expensive home warranty I can. I want to find the cheapest plumber and I want the cheapest insurance policy I can get because all those things are going to keep money in my operating account and keep my assets healthy.

Bill Walker (04:45):
This is a great point you bring up about the idea of cost and expertise. And I think that's absolutely something that resonates in the aesthetic space is look, you could go to a discount, low grade, low skillset, low quality of goods to get a neuromodulator. Or you could go to someone who's really credible, has a significant experience and is specialized and knows what they're doing to get the exact result that you want. Why would you go someplace that isn't a healthcare insurance expert? Just like I tell our clients, we're not the cheapest and we're not the most expensive, but the bottom line is we charge a fair price for what in the end we want is an exceptional uncommon result for our client.

Brian King (05:43):
Well, I appreciate that. I couldn't agree more. In the same way, if you have a malpractice event and you're going to go get a defense attorney to defend you, do you want to go get someone who handles real estate transactions every day or the construction industry, or do you want someone that handles medical malpractice defense cases?

Bill Walker (06:06):
That's right. I couldn't agree more.

Brian King (06:09):
So if you'd like, let's turn to cyber liability.

Bill Walker (06:13):
Please. I want to reference this article. So this is a summer article. You can find it on LinkedIn actually for everybody. It was written by Beth Kucher. Small practices are still reeling from the Change Healthcare cyberattack. The AMA is weighing its next move, and it is dated June 13th, 2024. And for everybody out there, you can look this article up and it'll be a great backdrop to this podcast because I was floored. Brian, I could not get over how many small groups, how many small individual practices can be held hostage and how often they're held hostage for just the right amount of money that you would be like, oh, there's no way they're going to charge this much, egregious. But talk to this point because it was enlightening when you explained this to me.

Brian King (07:05):
So the first thing we should all know is that cyber liability attacks, 46% of them are on small business owners, 46%. In 2023, there were 12 billion reported losses in cyber losses across the United States, 2 billion in California alone.

Bill Walker (07:30):
Wow.

Brian King (07:31):
Some of these are state sponsored attacks and that's what they originally thought that the one that you're referring to, Change Healthcare, they originally thought it was state sponsored, but I think as it turned out it was from outside of our nation, but more of a group rather than state sponsored. But we see China, we see Russia, and they aren't just targeting the Apples or the massive corporations. Those are hard for them to get into. It's easy for these guys to come after base hits.

Bill Walker (08:07):
And why is that? Talk to us about why is it so much easier for them to target the small successful but smaller independent practice?

Brian King (08:16):
Absolutely. Because the resources aren't there to hire an in-house IT person to consistently be looking over your system. While physicians, and I'm not saying this to pander, are brilliant people and some of them are brilliant in technology. I know a few of them that I talk to them and they just go, right, I mean right over my head, their depth of knowledge even protecting their own systems. But for the vast majority, we're very busy. We may or may not update our software. We may or may not train our people well enough to identify phishing emails. There are so many ways to be damaged by a hacker, whether it be to your system directly by, as mentioned, phishing, quishing and all sorts of other different -ings that they can get into your system with. Or even, and this is why this is the Change Healthcare, systems that you depend on to do business. So if you use an EMR for instance, Bill, and all your medical records, all your patients' medical records are stored in the cloud on that EMR and they're taken hostage for a month, what do you do? You're done. You're closed down pretty much for a month until you can get back into those healthcare records because you can't practice medicine without access to their healthcare records.

Bill Walker (09:56):
So you bring up a really great point too is, so for backdrop, Brian, some of our clients as they migrate into a transaction and they join like a private equity backed portfolio of companies. They might have at that point, they might have the resources to provide a chief technology officer or a chief information officer who's doing this kind of hardening and protecting. But as the individual, they're still month over month, year over year, the chief executive officer of their practice and they've got to make the tough calls. And it's hard to do all of those functions like you're talking about at every turn, every nook and corner and cranny with the staff to make sure the staff are educated and they're probably following best practices as well. Because it's not a primary mission set for them in their practice, I would imagine.

Brian King (10:51):
Right. Well, remember, a friend of mine has a great line and he says, it takes one wrong click to close your practice. You click a, heck, we get it in the insurance industry, we get these emails, click here, here's that contract you're looking for, here's that policy you're looking for. And we've had to become very diligent in our industry even because they come after us as well. Heck, I've gotten text messages from supposedly, of a prior brokerage that I worked at, from supposedly the president of our brokerage. And we have tech people all over the place reminding us. And of course, thankfully I thought to reach out and go, is this you? They're like, no, that's not me. Someone got my data. So to go back to your original question, the smaller practices are easier to, yes, smaller businesses are just easier to get at because they're not as sophisticated.

(11:54):
You've got employees that may not be in a hurry, may not be as educated as they need to be, and it doesn't even have to be a cyber breach, Bill. You have a HIPAA violation if privacy is breached. So it can be your employee data, someone walks out with some files, some employee data. It can be an upset employee. It can be an employee that leaves and wants to go start their other shop and brings patient data with them. That's a violation of HIPAA and you as a practice owner are a fiduciary for that data. And they have to keep it safeguarded. So if that happens, that can lead to all sorts of, and it's discovered, it can lead to all sorts of regulatory problems.

Bill Walker (12:43):
And so talk to me if you would, three things. One, let's talk about what are a couple of garden variety best practices that you would recommend anybody that's listening to saying, that's a great tip, thank you. I want to consider doing that for my employees to have a best practice. I would like for you to maybe touch on, maybe there's hidden costs, when you talk about HIPAA violations, talk to me about potential hidden costs that aren't ransomware. And then three, go to the core of this podcast with regards to if you would, about ransomware and kind of how a lot of that plays out and how you view it as you brief people and educate people with regards to offsetting your risk because of the nominal cost perhaps of what I'm assuming would be the cyber type coverage, those kinds of things.

Brian King (13:40):
So listen, the very first best practice you need to have, and this may be a little bit too on the head. My opinion is you just have to say and accept you need cyber liability insurance, and I know this is not exactly what you're looking for in this question. I'll get to some best practices because I'm going to go through, should you have a breach regardless of what kind of breach it is, what the federal reporting requirements are, if you'd like a little later on in the podcast Bill.

Bill Walker (14:13):
Sure, that'd be great.

Brian King (14:14):
As soon as you start looking at these, what you're supposed to do, should you be breached, you will realize beyond all other costs, you're going to need to hire people. It's going to cost you a ton of time and you're going to wish you had it. You're just going to wish you could dial one phone number and you've got people taking care of this for you.

(14:36):
Okay? So that's number one. Number two, you have to use multifactor authentication. So talk to your IT person, hire an IT person to set that up on your devices, in particular your mobile devices. Number three, don't use your phone for exchanging any kind of personally identifiable information. No pictures, no communication with a patient about anything that is personally identifiable, which is practically anything. Lastly, I'll bring in one other thing is especially if you're in the aesthetic space, if you're posting pictures of before and after and you see that they have an authorization signed, but their identity is obscured. In those photos, there's oftentimes metadata and hackers can go in and pull that right off the internet, and it doesn't even take a hacker actually, pull it right off the internet and they've got patient information from the photo that you posted. You should also use a password manager, a sophisticated password manager. And there's a lot of advice out there that's kind of conflicting about how often you should be changing passwords, et cetera. But everybody seems to believe that an encrypted password manager is invaluable.

Bill Walker (16:06):
Well, now I'm just thinking about my other two questions where it was like, okay, we've put in some best practices, we've taken necessary precautions, we've done our fiduciary responsibility, our medical responsibility, and we've still got zapped. And so now it's like what are the potential consequences if you don't have coverage?

Brian King (16:30):
Let's go to the worst case scenario first.

Bill Walker (16:32):
Okay, nuclear option. Nuclear option. Got it.

Brian King (16:35):
Worst case scenario is jail. The worst case scenario is you, something happened and you decide you're not going to do anything about it because you're realizing that the financial consequence is going to be too great and you may as well wait to see if something bad happens.

Bill Walker (16:54):
Alright, I don't want to do that potentially, I don't want to go to jail.

Brian King (16:56):
Potentially lock at the door and some very bad things can happen. Some states are tougher than others. Texas and California are two that will come and get you, if you are not, you're supposed to within the first 30 minutes of discovering that you've had a breach, begin the process. First process, the first step is notify your IT team and next is notify your breach response team who's got,

Bill Walker (17:26):
Which is the owner of the practice and the owner of the practice.

Brian King (17:29):
I mean, you can go, right,

Bill Walker (17:31):
Who's my third call? Do I get a third phone a friend? Do I get a third line? What's my third strike here?

Brian King (17:37):
That's right. In fact, you can go, there's the Federal Trade Commission, you can breach it, not breach it, you can Google it, data breach response, Federal Trade Commission. And I encourage people to look at it because as soon as you start looking at it, you go, uh-oh, I'm not going to have any of these things. I wouldn't even know how, who to call by step two.

Bill Walker (18:07):
So this becomes now my full-time job, I'm guessing because it just is, you're the most caring, the most conscientious person in the organization because you're the owner or the founder. So now that becomes your full-time job instead of doing patient care.

Brian King (18:27):
Absolute, absolutely right.

Bill Walker (18:30):
Okay, I get it.

Brian King (18:31):
Let's just assume it's not, so ransomware, if people don't know, is where basically somebody takes your system over, or a system that you are dependent upon over, maybe you don't own that system, like I said, an EMR. And so you walk in and either your system or the data that you need is being held hostage by a hacker group. And an IBM report that comes out annually says that they're in your system for about six months before you know. So they've gotten in there, they've been logging your keystrokes, they've got all your passwords, not just to, if you've used bank accounts, more than likely they've got access to everything by the time you know they've had access to anything. And that's probably the most important thing for you to realize is again, you won't know typically for six months.

Bill Walker (19:28):
Wow. Understanding that the statistics of small businesses that get exposed to a breach, that get exposed to ransomware, I mean, how costly is this? I'm a 5 million revenue practice. I mean, what's the penalty that people, that these hackers are going to want to try and extort me for? And then what are my options? Let's say that sounds like a crazy amount of money. If I had insurance, what does typically garden variety insurance cost me for this on an annual basis? If I'm a 5 million practice with three or four providers under one roof.

Brian King (20:18):
So far as costs go, I'm going to give you another analogy. So imagine you've got a jug of water Bill and that represents your assets, your company assets. It's not that a hacker comes along and stabs a hole in it and there's money leaking out. It's like they come up and they punch 10 holes in it and it's just pouring out because it works like this. There may be HIPAA fines, that's money out the window. There may be downtime, money out the window. They may hold you captive for money, money out the window. It just goes on and on. Every aspect of your practice, regulatory issues, downtime, you have to notify everybody that may have been a victim of the breach.

Bill Walker (21:22):
So this becomes legal fees, this becomes everything.

Brian King (21:25):
Yes. Like I said, it's like multiple holes being punched in your bucket all at once and you've got to try to stop the bleeding right then. You've immediately lost. Okay, now I want to bring up a point too, Bill. When they hold you for ransom, let's just talk about ransomware for a moment. If they hold you for ransom because they've typically been in your system for a while, they become experts to figure out what to ask you for. If you can somehow pull off $50,000, they're going to ask you for $50,000. They're not going to ask you for 10 million. If you can pay 5 million, they're going to hold it for 5 million. They're not asking for 20. And the reason they do that is they want the money. They really don't care about the data. They want the money, and then they typically do release the information back to you. And the reason they do that is if they stop doing that Bill, no one would ever pay 'em. So they've got this worked out very, very well to make themselves a lot of money.

Bill Walker (22:33):
So an ounce of prevention, an ounce of prevention with a pound of cure.

Brian King (22:37):
Yeah. So now let's talk about the insurance coverage. Here's what I don't want to encourage people to do, and I see this a lot. You can get cyber liability in maybe your business owner's policy a part of it, or maybe you'll see it on your medical malpractice policy in this space, in the healthcare space. We don't, insurance brokers that work in the space don't like that. The reason is those are very, very limited coverages. So we encourage you, save your money on those little coverages. A cyber liability policy, a robust cyber liability policy costs between $800 and a thousand for every million dollars of revenue.

Bill Walker (23:32):
That's a great benchmark. Thank you for that. Okay, so in the grand scheme of things,

Brian King (23:38):
Yeah.

Bill Walker (23:41):
You're talking and that's per year?

Brian King (23:46):
Yes. Annually. Yeah.

Bill Walker (23:48):
So a 5 million practice is at this point, very successful and now you've got to kind of protect what you've built. And we're talking about four or $5,000 a year to protect what could be a seven figure cost of what gets exposed.

Brian King (24:13):
Yeah. So that'd purchase you about, depending on how we design it, you'd be looking at one to 2 million in coverage for $5,000 to $8,000.

Bill Walker (24:27):
I get why this is becoming such a more talked about topic over the last couple of years.

Brian King (24:33):
Bill, statistically we all have fire insurance on our homes. Really statistically now it's far more likely you'll be a victim of cyber, some sort of a cyberattack, than you will have a house fire, by leaps and bounds. And it gets worse every year, exponentially. I want to make one more point too, if you don't mind, Bill.

Bill Walker (24:56):
Please.

Brian King (24:58):
Again, I cite the IBM cyber report. And the reason I do this is, I think with good reason, people can sometimes be a little cautious to listen to information from say the insurance industry from insurance broker. We have a vested interest that you buy insurance from us. So I really like to go, look, let's not look at what CNA has to say about this. Let's go outside, CNA insurance, let's go outside of the industry and let's look at what the world says. Let's see what IBM says about it. Healthcare records are nine times as valuable to hackers as financial records. So if you're a hacker and you want to get bang for your buck, you'd go to low hanging fruit, but get a ninefold return on the work that you put in as a hacker if you went to healthcare companies. So it's not necessarily just this nefarious act, although it sure feels like one, it's the most profitable act, the most profitable action for them to take is against healthcare companies.

Bill Walker (26:16):
Hence why, another reason why it seems like everybody, all the good, the bad and the ugly, all love to be in healthcare.

Brian King (26:25):
That's right. That's right.

Bill Walker (26:28):
Well, Brian, I am completely refreshed by the information you guys provide. I've sat down and had a chance to speak with Brian and the leadership at PCF before, and it was a very good team. Really educational on my part of learning a ton from you all about the exposures and the risks in the industry. I have gone and read that report and I find there's a lot of value and a lot of the third party recommendations that they give as reading assignments. It was inspiring to think of people who are looking to help practice owners protect what they built. I really liked the fact that you guys do have a healthcare tilt to how you look through the lens of protecting and how you think about risk assessment. And so for our listeners, any closing comments that you would have for them to think about and you want to share with them that we haven't covered already?

Brian King (27:38):
Yeah, sure. So I would just say, and everyone knows this, but I just kind of like to state it. First of all, we appreciate what you do, doctors, I know that you don't always hear that. We are aware of physician burnout. We are aware that you guys work very hard. So first of all, thank you for what you do very much. I get a little emotional talking about it. My family's had contact, fortunately or not, with physicians through the years and I'm sure we all have with health issues and my family's really benefited from that industry. So you have an ethical, as you know, an ethical responsibility for your patients' health, but also remember for their healthcare data. This is a trust issue that they have in you just like this, their personal health. And this is a way that should the bad guys come to the door that you can immediately call in the cavalry, put an end to it.

(28:44):
It is a way to protect your legacy, your reputation. I mean, people love you until they think that you hurt 'em. And I would hate to see for any of your clients and any listeners here that put in all this hard work for all the right reasons to turn around and feel like they've done injury and now feel that they're not worthy of trust, their patients don't trust them anymore. So one thing that PCF will do for any of your listeners, Bill, is we'll provide a free cyber assessment and it comes with a quote. So all we need is the name of and address of your practice and your estimated annual revenue. We'll come back to you with a list of quotes and coverages and I think it's about an 18 page cyber report that benchmarks you against the industry. So you'll get a score 57, you're in the 57th percentile, you're in the 80th percentile, you're in the 46th percentile, uh-oh, and it will show you for your IT team where you need to shore up.

Bill Walker (30:12):
Thank you for that, Brian.

Brian King (30:14):
Our pleasure.

Bill Walker (30:15):
For all of our listeners. I appreciate that a ton. If you're looking in the space of people that I vet and I trust, Brian King is one of those people. He's a trusted voice and he'll give you an honest assessment. I can definitely attest to that. So for everyone, thank you for listening to this episode of the Aesthetic Appeal podcast for Aesthetic Brokers. And thank you to our very special guest, Brian King, PCF insurance. They definitely care about physicians and protecting their patients and their own reputations. Thank you, Brian.

Brian King (30:54):
Thank you. I'm very honored to have been here. And Bill, always good to see you.
