Epidemiologists and virologists know that pathogens often mutate into new strains, forcing our immune systems – and vaccine development – to adapt. A recent cyber attack on a key entity in the healthcare supply chain has shown a disturbing evolution in cyber risk. As a result, healthcare organizations will have to adapt and expand their efforts to mitigate cyber threats.
On February 21, 2024, Change Healthcare, a division of UnitedHealth Group, was struck by a ransomware attack. Change Healthcare operates the largest healthcare payment platform in the U.S., acting as a clearinghouse for pharmacy and medical claims and payments. Recovering and reconnecting the platform has taken several weeks and, as of this writing, is continuing.
The attack on a linchpin of the healthcare industry's payments infrastructure has disrupted patient care as well as provider operations. A large amount of data also was taken during the attack, but it remains unclear whether any records in the breach include protected health information, which is subject to data privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA).
The attack is among the most serious in recent history, but it’s far from the only ransomware incident involving healthcare. Healthcare organizations of all sizes are targets for cyber criminals. A 2023 survey of more than 650 U.S. healthcare organizations by the Ponemon Institute found that 88% had experienced at least one cyber attack in the prior 12 months, with an average of 40 attacks per facility.
A good time to take action
Amid evolving cyber threats, growth in cybersecurity regulations and a changing insurance marketplace, healthcare organizations should take action now – to strengthen their cyber risk management programs and improve their protection.
Attacks like the one on Change Healthcare are likely to continue. Data theft in lieu of, or in addition to, data encryption also is likely. Perpetrators of other ransomware attacks have increased their extortion leverage by threatening to release sensitive data on a victim organization's customers or employees. A high-profile example is the 2023 MOVEit campaign, in which attackers exploited a zero-day vulnerability in MOVEit Transfer, a widely used file transfer application, to steal data and extort victims without encrypting their systems. The MOVEit breach involved data theft from at least 1,000 organizations around the world, including hospitals, universities, government agencies and global corporations.
The healthcare industry continues to attract cyber criminals, for multiple reasons. These include the industry’s dependence on technology systems, volume of sensitive data and the severe consequences of disruption to healthcare facilities. Indeed, healthcare experienced the most cyberattacks of any U.S. industry during the first half of 2023, according to a report on cybersecurity insurance by the National Association of Insurance Commissioners. The NAIC also noted the healthcare and public health sector had the costliest data breaches in 2021, averaging more than $9.2 million per incident. Notably, healthcare experienced the highest average data breach cost for 11 consecutive years, dating back to 2011.
Large data breaches are becoming more frequent for the healthcare industry, according to the federal agency that tracks them. The U.S. Department of Health and Human Services' Office for Civil Rights found a 93% increase in the number of large breaches overall between 2018 and 2022, and a 278% surge in such breaches involving ransomware during that period.
The frequency and severity of ransomware attacks in healthcare are concerning. Consider the financial and operational impact of just a few attacks, as noted in the 2023 Hospital Cyber Resilience Initiative Landscape Analysis, conducted by HHS, the Centers for Medicare & Medicaid Services and the Healthcare & Public Health Sector Coordinating Council:
- A California-based nonprofit healthcare company experienced a ransomware attack and data breach in May 2021 that resulted in an estimated $112 million expense from lost revenue, remediation and fines. The company separately paid $3.5 million to settle class-action litigation arising from the data breach, and several of its owned hospitals were forced to turn away patients.
- A university healthcare network in the Northeastern U.S. had a ransomware attack in 2020 that caused at least $21 million in damage. The healthcare network disclosed the impact of the event to warn peers: The ransomware attack shut down 1,300 servers, infected 5,000 endpoints and hundreds of applications and required working without email for 25 days (and without radiology systems for 40 days).
Understanding vulnerabilities
To be sure, hospitals and other healthcare organizations are aware of the risks that cyber events can pose to patient safety and their balance sheets. Yet, a vast number of healthcare entities remain vulnerable because they continue to run antiquated systems. In the Hospital Cyber Resilience Initiative report is a disturbing statistic: 96% of hospitals are using operating systems or software with known vulnerabilities, and that includes medical devices used in delivering patient care.
The report found hospitals have made significant progress in implementing email protection systems, but urgent improvement is needed in several areas, including endpoint protection, identity and access management, network management, vulnerability management, and security operations center and incident response capabilities. With incidents such as Change Healthcare occurring, hospitals should accelerate their efforts and fix known vulnerabilities as soon as possible.
Four ways to enhance cyber protection
Healthcare organizations can take steps now to enhance their level of protection against cyber events. Here are four actions to consider:
- Analyze your organization’s cyber risks. A cyber attack that encrypts the network and steals patient data, in addition to a ransom demand, can be devastating. Understanding the risks and quantifying vulnerabilities is a critical first step toward resilience, for healthcare and every other industry.
- Assess risk in your supply chain. As both MOVEit and Change Healthcare demonstrate, the financial impact from a cyber attack on key suppliers and service providers can be severe. How reliant is your healthcare organization on third-party technology providers? What could happen to your organization if one of them was shut down for a week or more by a cyber incident? Answering questions such as these is important to building an effective business continuity plan and minimizing disruption to healthcare operations.
- Explore options for cyber risk mitigation. Knowing about a vulnerability is only the first step. Next comes deciding on the best ways to mitigate or eliminate the risk. With cyber risk, various cyber security measures can reduce the possibility of loss. With key suppliers, contractual risk transfer and tighter vendor requirements regarding cyber risk management could be useful.
- Revisit cyber insurance coverage. Following the Change Healthcare attack, many healthcare organizations have put their cyber insurance carriers on notice for potential dependent (contingent) business interruption claims, including net income loss and extra expenses. At the time of this writing, it remains to be seen whether the associated data breach will increase these loss amounts. Now is the time to review cyber insurance policy terms to ensure that the limit, retention and breadth of coverage are appropriate.
Cyber insurance market conditions continue to be competitive
Currently, the supply of cyber insurance coverage exceeds demand. As a result, healthcare organizations now have strong opportunities to negotiate more favorable terms and conditions for their cyber insurance policies.
Insurance prices have eased after multiple years of steep increases and tightened capacity driven by record levels of ransomware claims in 2020 and 2021. Better underwriting practices and improved cybersecurity controls among insureds have attracted new carriers to the market. The additional capacity helped stabilize prices in 2023, and competition has eased the tight terms and conditions that prevailed in prior years. Exploring the market can pay off in at least three distinct ways:
- Obtaining higher limits. Healthcare organizations may be able to purchase more cyber coverage than in the past given more carrier participation in the market.
- Reducing premiums and retentions. Competition and capacity available in the cyber marketplace mean healthcare organizations can potentially find lower-cost policies and shrink the size of their self-insured retentions, too.
- Removing sublimits, increasing overall coverage. More cyber insurers are willing to remove sublimits on certain coverages if healthcare organizations can demonstrate strong cyber security controls. This can lead to an increase in overall protection for cyber exposures.
Not taking the time to strengthen cyber risk management can lead to other risks for healthcare organizations, the most serious being degradation of patient care. The Ponemon Institute’s 2023 survey found different types of cyber threats directly affected healthcare organizations’ delivery of care. For example, 77% of respondents with supply chain cyber attacks reported the events disrupted patient care, up from 70% in 2022. Similarly, 69% of organizations with a business email compromise (BEC) or spoofing attack reported a care disruption, and 68% reported problems for patient care resulting from ransomware.
Taking advantage of opportunities in the insurance marketplace can strengthen healthcare organizations’ risk management programs, improve resilience and bring certainty in today’s volatile cyber risk environment.