
Industry Insights

Cyber Threats and WC: An Industry Confab May Be Needed


Are cyber attacks really a threat to the workers' comp industry? Should payers start reserving for this? How can the industry "model" for this risk?

After speaking recently with a couple of workers' comp security/tekkie types who scared the bejesus out of me, my answer would be a resounding "YES!!!" It is time for all in the workers' comp industry to get their heads out of the sand, realize the threat to cyber security is growing by leaps and bounds, and figure out how to address the issue.

I've often wondered about computer hackers – what they look like, why they do this, what's wrong with them? My image is of a strange-looking guy with wiry hair and bugged-out eyes sitting in a small, cluttered room staring at his computer with an icky smirk on his face.

Turns out, these creeps are often professionals paid by any number of organizations and for myriad reasons: money, revenge, or simply because they can. Sometimes organized crime is behind a hack. Other times, it's done for political reasons. There are those who strive to embarrass a company. And there are random hackers who are just in it for fun (my creepy wiry-haired guy).

According to a good friend of mine who's a tekkie guru, workers' comp is ripe for any of these. Think about it for a moment: the industry keeps all sorts of personal information on injured workers – including Social Security numbers. Someone who hacks a claims database would immediately have an easy path to identity theft.

There's also lots of potentially embarrassing medical information: a chronic disease, unannounced pregnancy, even a positive HIV status, creating the potential for blackmail. Since workers' comp is involved in payments, claims info may include banking numbers – not only ripe for identity theft, but sufficient information to hack into somebody's bank account.

And what of the potential damages to a workers' comp company that gets hacked? Well, there is reputational damage; who wants to do business with a company knowing that personal information may not be confidential? There is also significant contractual risk. Where contracts used to include all sorts of caveats before a customer could end the association, agreements increasingly say that all services can be immediately terminated when there's been a security breach. Then there is the possibility of civil and/or criminal lawsuits.

We don't really know whether there is a problem in workers' comp or, if so, how big it is. Why? Because the companies themselves may not even be aware of a breach or, if they are, the extent of it. It can take days, weeks or even a year to truly understand the scope of a cyber attack.

Once hacked, a company's data may still be intact, making it hard to determine what info flowed out. Hackers use encryption too and can worm their way into a company using the same technology the company uses to secure its website! Before an organization is even aware, sensitive info has gone out in encrypted form.

Once a company is aware and goes public with the news that it's been hacked, it opens up a big can of worms. Obviously, a company wouldn't want to say anything until it knows precisely what has happened and what to do about it. At that point, the organization needs to get the PR/spin experts involved to make sure the message is contained as much as possible. Company personnel need to understand what, if anything, they can say and to whom. Lawyers also need to be included in the discussions.

Hackers can get to a company's info in several different ways. As one tekkie friend explained, there's something called BadUSB – a security flaw that lets malicious code be placed in the firmware of a USB drive, turning a user's keyboard, mouse, storage device, or any USB device into a cyber threat. It's totally undetectable and can sit dormant for a while and spread to many computers within an organization – capturing snapshots of computer screens, logging keystrokes, analyzing the network and sending the information, encrypted, outside the organization to the hacker.

There are also external attacks on a company's website or network. Regin, for example, is sophisticated espionage software that can be used to get into a company's server and provide access to its network.

When you consider that companies like Sony and Target, with all their money and resources, can't protect their data, what chance does the workers' comp industry have?

Here's one idea: get industry representatives together and create a forum for sharing concerns, solutions and issues unique to the workers' comp environment. That suggestion came from the senior vice president of IT for one of the largest companies in the workers' comp system. It's a fantastic idea! Just as high-tech industries have shared their concerns to address cyber threats, so too can our industry.

By creating a safe harbor for sharing information in an industry that is a rich target, we could develop the trust necessary to speak freely and share risks and solutions that could help everyone.

Unfortunately, as this wise person also pointed out, that may not be likely to happen anytime soon. The intense competition and fear of sharing with 'the enemy' is probably too great for most companies in the workers' comp system to even consider the idea.

In the absence of what is obviously the most viable solution, organizations could at least engage security officers and make sure they have strong, positive working relationships with others throughout the company. This allows for dialogue so smart decisions can be made that best benefit the organization, rather than having a security officer who just "says no" a lot.

Cyber security is also an issue in which we may want to involve the government. Consider that with TRIA there is federal backing for recovery from a physical terrorist attack. Cyber damage can be just as bad, so why not have a government backstop program for cyber terrorism?

There are no easy answers to the risks of cyber attacks. But we know the issue is growing exponentially and it's only a matter of time before some workers' comp-related company gets hacked, resulting in massive financial damages to an organization and individuals. It's time for us to deal with it. 

 

One Comment

David Langham Nov 3, 2016 at 2:58 pm PDT

At the SAWCA Annual Convention in July, I learned there are two kinds of IT Directors: those who have been hacked and know it and those who have been hacked and do not know it. We had a great discussion of the challenges of cyber security. State regulators are focused on security and are working to stay ahead of the threats, but efforts do not necessarily lead to winning the war on threats. The victories are in battles, and everyone believes that there will be more battles to come. Unfortunately, those who attack our networks are evolving and today's success in repelling an attack is no guarantee against tomorrow's attack.

WorkCompCentral
c/o Business Insurance Holdings, Inc.