Viewpoint: Recognize and Plan for Health Care Cybersecurity Risks

By Matt Bertke | August 3, 2022

It’s no secret that the health care industry is a prime target for cybercriminals. Despite efforts to combat ransomware, legal experts have seen a 66% increase in ransomware claims compared to the average over the past four underwriting years[1]. And data breaches are as common as ever. A 2021 study[2] found that from 2018 to 2021, there was an 84% increase in the number of data breaches against health care organizations, impacting 14 million individuals in 2018 and jumping to 44.9 million in 2021.

To help protect from these attacks, knowledgeable claims directors, risk managers, and senior adjusters have an opportunity to help health care clients recognize and plan for the risks associated with cyber breaches and attacks.

Why Hack Health Care?

Cybercriminals are capitalizing on the increasing value of health care data and the industry’s reliance on interconnected systems and devices. Medical records are a virtual treasure trove, containing the patient’s full name, address history, financial information, and Social Security numbers—enough information for hackers to take out a loan or set up a line of credit under patients’ names.

Increasingly, hackers are selling the information for profit on the black market. According to a Trustwave report, a health care data record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record (a payment card)[3]. Black market buyers have all the information they need to create fake IDs to purchase medical equipment or drugs, or to file a false insurance claim.

IBM reports that the global average cost of an attack on a health system rose from about $7 million to over $9 million in 2021[4]. Further, remediating these violations can be far more expensive. High-profile cases provide insight: a breach at Universal Health Services cost $67 million, the University of Vermont spent $54 million to recover from an attack in 2020, and Scripps Health lost $112.7 million.

With the potential monetary impact on the rise, one can understand why cybersecurity has caught the attention of boards of directors and C-suite executives at organizations across the country.

By educating health care leaders about the dangers of cybercrime, risk managers and senior adjusters can help them make informed decisions about how to protect their organizations.

Where are Health Care Organizations Most Vulnerable?

Examining how breaches occur can help to establish processes and procedures to mitigate risk.

Phishing, the practice of embedding malicious links in a seemingly authentic email, is health care’s most prevalent cybersecurity threat. When a link in the email is clicked, the user is directed to a web page that may look like a login screen for familiar software. Once the user submits their credentials, cybercriminals use the information to access health care systems. In spear-phishing attacks, the effort is personalized to the individual targeted, increasing the likelihood that the recipient will click.

As mentioned previously, ransomware attacks are also a growing threat amongst health care providers. During a ransomware attack, malware is injected into a network (usually through a phishing attack) to infect and encrypt sensitive data until a ransom is paid.

The health care industry also suffers a disproportionately large number of data breaches compared to other sectors. HIPAA specifies strict requirements for protecting health records and additional sensitive information from unauthorized access, yet health entities struggle with implementing security controls.

In addition, distributed-denial-of-service (DDoS) attacks, which flood targeted servers with fake connection requests forcing the servers offline, pose devastating threats to operations and are an effective tactic as part of a ransom scheme.

Essential Factors

Health care leaders can make informed decisions about protecting their organizations from cybercrime with proper education and awareness. The answer lies in developing a multifaceted defense system.

To avoid the first phishing assault, organizations should:

  • Provide security awareness training to staff, so they know not to click on links or open attachments from suspicious senders and know to examine emails for phishing indicators.
  • Provide phishing and spam filtering at the mail gateway.
  • Don’t install/run programs unless they’re from a reputable source.
  • Prevent end-users from installing software on their own or only allow installation from whitelisted sources.
  • Only allow the use of trusted USB drives and don’t allow execution from USB drives.
  • Implement endpoint detection and response products to stop malicious code from executing.
  • Require strong, unique passwords and multifactor authentication.

To defend systems against initial malware infiltration, consider two important modes of protection:

  • Domain name system filtering.
  • Next-generation firewalls used to block unauthorized egress traffic.

To thwart malware once it is past initial defenses:

  • Reduce access privileges so users have the minimum access needed to do their job.
  • Regularly patch operating systems and applications, including web browsers.
  • Harden endpoint systems and use endpoint detection and response products to stop malicious code from executing and to prevent privilege escalation.

Suppose the malware was able to execute and encrypt data. In that case, the following tactics could identify what data was affected, whether it was exfiltrated from the network and whether it could be recovered:

  • Encryption.
  • Audit logs.
  • Regular backups and testing of those backups.[5]

Not If, When

Forward-thinking organizations understand that it’s time to take proactive steps. In addition to disrupting operations and eroding consumer trust, the organization and its board of directors could face lawsuits in the event of a breach. As a breach is detected, response time is critical. Therefore, it is vital that health care organizations have a written plan for responding to potential data breaches, which includes whom to contact in the event of a cyber-incident and how that notification process works.

And it is equally vital to encourage health care organizations to invest in a good cyber insurance policy that will cover the cost of ransomware payments and other expenses. From understanding what exposures a cyber-liability insurance policy provides coverage for, to how much coverage is sufficient, one should not assume that one policy type will provide all the coverage needed. Look into D&O and general liability policies to see whether they cover cyber events, as well as cyber policies to see whether they cover board members within the Definition of Insured.

The health care industry is under constant attack from cybercriminals. Some days it feels like the wild west. Knowledgeable insurance professionals can help health care organizations recognize and plan for the risks associated with cyber breaches and attacks.

[1] https://www.coverys.com/Knowledge-Center/Cybersecurity-for-Healthcare-Providers

[2] https://cybersecurity.criticalinsight.com/2021_H2_HealthcareDataBreachReport

[3] https://www.fiercehealthcare.com/hospitals/industry-voices-forget-credit-card-numbers-medical-records-are-hottest-items-dark-web

[4] https://www.ibm.com/security/data-breac

[5] https://www.coverys.com/knowledge-center/healthcare-as-a-target-of-cybersecurity-issues

About Matt Bertke

Bertke, a certified public accountant, is product development manager for Coverys, a mutual insurance carrier that offers medical professional liability coverage.
