Cyber risks and health care – and what everyone needs to know

Will your insurance coverage protect you against the latest threats?

Pete Reilly, Hub International: ©Hub International

There’s been a surge in large-scale cyberattacks against health care organizations this year, disrupting services and putting lives and private patient data at risk. It’s also intensified public pressure for the industry and regulators to do a better job of hardening defenses.

The early August cyberattack against facilities across five states run by Prospect Medical Holdings shuttered services at various emergency rooms and primary care clinics, and necessitated a reversion to paper records until data control and recovery were effected.

It was a continuation of escalating cybercrimes against the industry this year. By June, more than 300 cyberattacks and health data breaches had been reported to the U.S. Department of Health and Human Services. The two largest alone affected more than 14 million people.

The industry needs to put better controls in place. But providers also need to get up to speed on today’s cyber risks and grow a better understanding of the evolving insurance marketplace. Here are some starting points.

Four favored cyberattack ploys

Cyber crooks are creative in finding new and different ways to get what they want. They have a lot of patience, often lurking in a system for months – over 200 days on average – before pulling the trigger. And victims don’t even know their defenses have been breached until the worst happens.

Among today’s most common ploys:

  • Social engineering. This is a broad category for cyber attacks like email phishing that trick people into sharing information, downloading software or visiting websites that end up compromising their personal security or the security of their company.
  • Funds transfer fraud. Compromised business emails are typically the path to this crime. One tactic is for criminals to assume the identity of an executive and direct an employee responsible for an organization’s finances to transfer money to what is actually a ghost account. It’s a long game and uncommon for stolen funds to be recovered. The FBI believes some $2 billion is lost annually to this type of fraud.
  • Invoice manipulation fraud. Through social engineering attacks, criminals gain access to legitimate credentials and authentic email accounts. They can wait, watching transaction emails going through and then spoof them to change banking information or payment instructions on the invoices – to go to accounts they control. By the time it’s discovered, the account is closed.
  • Ransomware and extortion. Ransomware attacks – where the provider’s network is breached and locked, and it must pay up or permanently lose access to its stolen data – had slowed in 2022, thanks to better defensive measures and law enforcement efforts. They are now escalating again. With extortion, criminals threaten to publicly release the data they have collected.

No one is immune. Health care organizations are a trove of sensitive data, both health-related and payment card data. While large companies are particularly vulnerable as big centralized pools of information, smaller operations don’t escape notice either. Smaller organizations that think they are too small for cyber criminals to bother with are often less prepared for breaches. They should think again: One study found that almost 60% of ransomware attacks were against small- and medium-sized businesses.

Insurance considerations

The market for cyber insurance has been under pressure in recent years. It’s gotten more expensive as cyber attacks, losses, and claims have intensified. Still, if premiums have gotten heftier, that’s nothing compared to the cost of recovering from a ransomware attack. Plus, carriers have stepped up their risk management requirements of health care clients, which has helped to strengthen the industry’s defenses.

It’s important to look at specific, individual cyber risks and exposures, rather than standard benchmarking measures. Being aware of some nuances of cyber insurance also helps. Here are some pointers.

1. Invoice manipulation may not be part of the standard cyber policy, so always check. Coverages tend to be sub-limited. It’s key to follow the provisions of the policy, particularly those on callbacks. Not every carrier has amended this coverage to require callbacks on questionable transactions. Stringent internal controls are also essential to ensure that callbacks go to legitimate parties – and not to the bad actors.

2. Some concerns may carry dual coverage against data breaches, through both the cyber policy and crime policy. It’s rare to see the full coverage limit for cyber breaches on a crime policy; cyber is unique in providing both first- and third-party coverage.

3. The U.S. maintains a sanctions list against parties or individuals known to be behind malicious cyber activities. Should a provider network be attacked by parties on the list, insurance will not cover the ransom payment.

4. There is some crossover between cyber, and kidnap and ransom (K&R) policies. Should a health system get hit with a ransomware attack, for example, the K&R policy might provide additional coverage. Bigger organizations are more likely to have this.

Pete Reilly is the practice leader and Chief Sales Officer of global insurance brokerage Hub International’s North American healthcare practice. In this role, he directs and coordinates HUB’s health care planning, growth and strategic initiatives. He also works with other leaders and experts within HUB to develop and introduce proprietary products that will help healthcare organizations and providers across the care delivery spectrum.