COVID-19: A Regulatory Update Webinar

When COVID-19 came upon us in 2020, society adapted to the pandemic. And, it continued to adapt as witnessed by the eventual development of treatments and vaccines. OSHA is no different in the fact that they had to adapt and continue to adapt to this outbreak. Just as the pandemic has evolved through time, so has OSHA's approach to workplace controls and compliance as applied to COVID-19. Join us to review the latest updates on OSHA and their approach to keeping workers safe from this coronavirus.

Register now

OSHA Health & Safety Updates on COVID-19

Author Information: National Risk Control

Due to the COVID-19 pandemic of 2020, OSHA has spent considerable time and resources developing health and safety requirements designed to help keep employees safe. Since the spring of 2020, they have been working on their approach in the workplace to compliance specific to this outbreak outlining acceptable workplace PPE and engineering controls such as adequate ventilation guidelines and respiratory protection. In the subsequent months since the initial guidance issued for the pandemic, OSHA has continued to develop controls and their application. They have expanded their scope to include consensus standards with information from sources such as CDC guidelines and FDA for authorized/approved devices such as surgical mask use.

On October 30, 2020, OSHA issued information on workplace protection from airborne related sickness for Long-Term Care health workers. This document ties their approach to the virus back to their hierarchy of controls and as such can be used for all aspects of the Healthcare Industry. This is a comprehensive approach based on the need for up to date Industrial Hygiene controls such as ventilation, personal hygiene, etc. on to administrative controls and PPE. Their focus continues to be that the use of PPE is lower down on the list of controls. Abatement and engineering controls for hazard elimination remain preferred.

OSHA has outlined a hierarchy of respirator type and use as well. Cloth masks are not acceptable for use by employees. It is, however, recommend that facilities require the use of cloth masks at a minimum for patient, resident and guest use at all times. It is stated that KN-95 respirators are in this category if the user has not had rigorous fit testing for this device. These devices are of foreign country manufacturer and differ from and N95 primarily by the ear loops used to secure them, and they are not NIOSH approved. N95s use two head straps for securement and have been approved by NIOSH.

Surgical masks are being allowed for emergency use authorization situations where bodily fluids may become airborne such as from coughing, etc. They can be allowed in times of emergency and shortages. If allowed, ensure your Respiratory Protection program has been updated to define if and when this use is acceptable.

N95 and above respirators remain the gold standard for use. There are now processes to sterilize this equipment for re-use. Extended wearing periods to allow use over multiple days if structural integrity, etc. is maintained are also an option. N95s carry an expiration date. In emergency instances expired N95 respirators are being allowed as long as some basic criteria is met such structural integrity is maintained, etc. The expired equipment has been placed in a "respirator hierarchy" just below a current dated respirator and above surgical masks. Again, ensure your program has been updated and allows for these policy changes if you are extending use or must use expired equipment.

Federal OSHA has jurisdiction in 22 states currently. Therefore 28 states have programs that meet federal law at a minimum but may have additional requirements under their jurisdiction. COVID-19 has produced and probably will continue to produce changes to compliance efforts. Additional information may be applicable to your locale - please contact your local OSHA office for more information.

Ransomware Incidents are Changing the Way Cyber Insurers Select Risk: How Can You get Ahead of the Process?

Author Information: Trevor Weyland

The recent rise in ransomware attacks is focusing attention on healthcare organizations' computer system security defenses and their ability to resist attackers'demands and threats. If the correct measures are not in place, organizations are vulnerable not only to attack and extortion demand but also to substantial forensics and data restoration costs and business interruption losses.

The cyber insurance market has generally been a profitable sector for insurers1, with margin to be made (especially in the small and middle market sectors) from simple market share. However, the growth in ransomware and business email compromise attacks has changed that and, as underwriting results have deteriorated in 2020, many cyber insurers are now focusing more on risk selection based on the security posture of the systems and the recovery measures in place.

The stakes are high for both insureds and insurers. Coveware's Q3 2020 blog2 reported average ransom payment of $233,817 and 19 days average downtime (ranging from non-available machines to total standstill), to say nothing of the costs of forensic investigation and data restoration. And the latest trend in ransomware is for the attacker to make a follow-on demand in return for not releasing private data to the public, itself leading to data breach situation with its consequent costs of notification and regulatory scrutiny from The Office of Civil Rights (OCR) and states' Attorneys General.

The OCR has confirmed that ransomware infections are reportable breaches under HIPAA, unless a Covered Entity can clearly demonstrate that there is a "low probability that the PHI has been compromised". If a malicious actor gains access to electronic Protected Health Information (ePHI) and encrypts data, then this is a disclosure that is not permitted under the Privacy Rule, and the same applies to access to unsecured ePHI.

The ransomware problem exists for healthcare organizations of all sizes. Large organizations typically have better defenses through larger budgets, but attackers realize they can make larger demands with no added risk of being caught. Smaller organizations don't have the resources to pay large ransom demands, but their systems can be less sophisticated and easier to breach.

So cyber insurers are asking new and searching questions of insureds of all sizes about their defenses and their ability to recover data, and in some cases insurers are applying minimum standards for quoting.

Those insurers are looking for insureds that have invested in the appropriate measures that deny attackers access to their systems, prevent a successful attack from reaching critical data and systems, and which are able to successfully recover segregated and recent back-up data so that there is no need to pay the ransom in the first place. The right defenses in those three areas can essentially defeat the ransomware attacker's demands and protect the ongoing integrity of the insured's business operations.

This aligns directly with the insured' own interests, of course, and the rise in ransomware losses has focused attention on the key measures that make a material difference to your risk. This means that risk managers need to understand, in advance of negotiating insurance terms, what questions insurers will ask and how to prepare the organization to give the correct and best responses.

Insurers' questions vary and will be more technically specific than we can address here, but risk managers should increasingly expect the basics to include confirmation that the following measures are in place:

  • Denying attackers access to systems
    • Secured remote access to your systems, particularly in light of the tension between the increased risk of ransomware caused by COVID-19's remote work environment and an organizations' efforts to facilitate network access by their users
    • Employee training; ethical phishing testing of employees,
    • Antivirus and malware prevention tools o Up to date patching
    • Pre-screening of emails for malicious links/attachments o Intrusion prevention systems
    • Endpoint protection, detection and response products
  • Preventing a successful attack from reaching critical data and systems by moving laterally across the network
    • Multifactor authentication (MFA) on as many systems as possible, including VPN, email, back-ups, privileged/administrator accounts o Identity and access management
    • Network segmentation
  • Successfully recovering data
    • Encrypted back-ups
    • Segmentation of back-ups that are properly isolated from the rest of the system
    • Back-up cycles that are frequent, appropriate and tested
    • Create and regularly test your Incident Response Plan

The above measures are clearly good risk management - you want to protect your systems from intruders, and you want to have secure backups to ensure your ability to restore systems and not be held to ransom. Insurers see this the same way, and are beginning to truly value (and underwrite to) minimum standards of protection and investment in security.

As the cyber insurance market continues to tighten, reflecting the worsening loss experience, insureds can take steps to prepare and present themselves to insurers to show that the right defenses are in place, for their own protection and to secure the best possible terms for insurance coverage and access to the breach response services that will help respond to an incident.

Talk to Gallagher about how to prepare for insurers' questions about security measures in place. You can also watch Gallagher's webinar on "Managing the Ransomware Crisis: Critical Steps to Take Right Now".

Author Information:

Sources

1 Fitch - industry statutory direct loss ratio for standalone cyber insurance in 2019 was 47% 
2 Coveware 

Disclaimer

Gallagher provides insurance, risk management and consultation services for our clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/ or operational strategy in response to national emergencies (including health crises), we do so from an insurance/risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general informational purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organizations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher Risk Management Services, Inc. (License No. 0D69293) and/or its affiliate Arthur J. Gallagher & Co. Insurance Brokers of California, Inc. (License No. 0726293).