Cybersecurity is an urgent concern for healthcare and aging services organizations—and the organizations that insure them. In a survey of healthcare cybersecurity professionals, 89% said their organizations experienced cyberattacks in the past year, at an average of 43 attacks per organization. Successful attacks often had negative effects on patient care, such as poor outcomes from delays in tests and procedures, longer length of stay, more complications from medical procedures, more patient transfers, and even higher mortality in some cases.
Serious patient harm has been reported. For example, a cyberattack caused severe brain injury and death in a newborn because providers and staff missed tests that would have helped detect a nuchal cord, according to a lawsuit filed by the baby’s mother. And in a ransomware event, a three-year-old received a large overdose of pain medicine because software for calculating doses was offline.
Cyberattacks can disrupt operations and cause revenue loss as well. Among healthcare organizations affected by ransomware, 86% experienced outages or disruptions, 25% had to halt operations, and 60% said the attackers leaked sensitive data. In another study of healthcare organizations affected by ransomware, 90% lost business or revenue as a result. One hospital closed partly because of a ransomware attack that prevented it from submitting claims to insurers, Medicare, and Medicaid for 14 weeks.
The total cost of a cyberattack can be high. At healthcare organizations that experienced cyberattacks in the past year, the most expensive attack at each organization ranged from $10,000 to more than $25 million, with an average of $4.4 million. Costs included direct cash outlays, direct labor expenditures, indirect labor costs, overhead costs, and lost business opportunities.
In addition, violation of federal or state laws related to information privacy or data breaches may lead to regulatory action. Particularly relevant laws, regulations, and standards include Health Insurance Portability and Accountability Act rules, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, and state laws, which may address health information privacy and security, breach management and reporting, or other matters. Consequences may include financial penalties or settlements, corrective action plans, criminal charges, or lawsuits brought by state attorneys general.
Private lawsuits are another potential outcome. Such suits may allege negligence, breach of contract, or violation of privacy or consumer protection statutes, among other causes. In addition, class actions are becoming more frequent. Class actions are lawsuits in which a claim is brought on behalf of a group, which is described as a class of people. Because class actions can incur high-dollar total damages, they may be more financially burdensome than regulatory fines. However, those affected by a breach may face a barrier to private lawsuits. Federal circuit courts are divided on whether a heightened risk of future harm alone is enough to give a plaintiff standing to sue, or whether plaintiffs must show that their information has already been misused or faces an imminent risk of being misused.
Key cybersecurity resources
Fortunately, resources are available to help provider organizations strengthen their cyberattack preparedness and response. Following are some of the most important.
NIST’s Cybersecurity Framework. To help organizations that are part of the national critical infrastructure, including healthcare, the National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity. As of this writing, NIST is updating the Cybersecurity Framework and expects to publish version 2.0 soon. The draft is organized around six “core functions,” which describe desired cybersecurity outcomes:
- Govern
- Identify
- Protect
- Detect
- Respond
- Recover
Each function breaks down into more detailed categories and subcategories. Because the Framework outlines a robust approach to cybersecurity, provider organizations and insurers should become familiar with it.
HHS’s Health Industry Cybersecurity Practices. Pursuant to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) collaborated with more than 150 cybersecurity experts, clinicians, and healthcare administrators to create the Health Industry Cybersecurity Practices (HICP), a set of 10 voluntary cybersecurity practices:
- Email protection systems
- Endpoint—known as end user device—protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Security operation centers and incident response
- Network-connected medical devices
- Cybersecurity oversight and governance
The HICP provides differing recommendations for small, medium, and large organizations and includes a table to help organizations determine which size category they fit into. Two technical volumes provide details for small organizations and for medium and large organizations, respectively.
#StopRansomware Guide. The US Joint Ransomware Task Force’s #StopRansomware Guide includes best practices to address ransomware. Part 1 describes strategies to prevent successful ransomware and data extortion attacks, and Part 2 includes a checklist for responding to events.
MITRE Corporation’s Medical Device Cybersecurity Playbook. The MITRE Corporation’s Medical Device Cybersecurity: Regional Incident Preparedness and Response Playbook and Quick Start Companion Guide address organizational preparedness, including detection and analysis; containment, eradication, and recovery; and postincident activity, as well as regional preparedness and response.
Evolving risks and critical gaps in preparedness
Cyberthreats can enter the organization through a variety of pathways and can take many different forms. Five of the most common cybersecurity threats to healthcare organizations are:
- Social engineering attack, in which attackers trick people into providing sensitive details
- Ransomware attack
- Loss or theft of equipment or data
- Insider, accidental, or intentional data loss
- Attacks against network-connected medical devices
Supply chain attacks are a growing concern, with 50% of healthcare cybersecurity professionals reporting their organization’s exposure to supply chain attacks within the past two years.
Despite the importance of cybersecurity, healthcare organizations show suboptimal preparedness. In a study of 48 healthcare organizations’ adherence to the NIST Framework and the HICP, the organizations were more reactive than proactive, scoring best in the Respond function of the NIST Framework (74% coverage) and worst in the Identify function (65% coverage). In addition, a landscape analysis conducted among hospitals found that five best practices recommended in the HICP are in urgent need of improvement:
- Endpoint protection systems
- Identity and access management
- Network management
- Vulnerability management
- Security operations center and incident response
Medical device cybersecurity is another critical concern because of the threat to patient safety. However, organizations’ efforts in this area are suboptimal. In the study of healthcare organizations’ adherence to the Framework and the HICP, medical device security was the weakest-scoring area in the HICP, with only 54% average coverage.
Transferring cybersecurity risk
Provider organizations may seek to transfer some aspects of cybersecurity risk by purchasing insurance. Some provider organizations report difficulty obtaining cyber insurance. Even when such insurance is available, the scope of coverage for cybersecurity varies widely. Factors that provider organizations may consider in evaluating cyber insurance policies include the following:
- Terms, conditions, and key definitions
- The organization’s rights and responsibilities
- Availability and scope of coverage for:
  - Notification costs, call centers, or credit monitoring
  - Cyberextortion and ransomware
  - Private suits brought by individuals whose information was breached
  - Responding to and defending against regulatory proceedings
  - Incidents affecting third parties that store the organization’s information
  - System, data, software, and hardware restoration
  - Business interruption or loss of business income
- Requirements for notifying the insurer of an event (e.g., manner, timing)
- Services provided in the event of an occurrence (e.g., forensics, legal counsel, public relations, and crisis management)
- Manner in which claims are paid (e.g., direct payment, reimbursement)
- Requirement to obtain insurer consent before incurring costs
- Coverage limits and premiums
- Deductibles and retention amounts
Because of the tremendous risk that a successful, large-scale cyberattack can pose, many cyber insurance companies have become selective when deciding whether to insure an applicant organization. Increasingly, insurers seek to verify that applicants have robust cybersecurity safeguards and controls in place. Underwriters may now ask detailed questions about the implementation of a variety of specific measures. Thus, provider organizations should have a comprehensive, well-designed cybersecurity program, both for their own sake and to obtain insurance.
Provider organizations and insurers should also consider whether existing non-cyber-specific insurance policies may cover some aspects of cybersecurity loss. Examples include insurance policies covering general liability, professional liability, directors and officers, property, fidelity and crime, and ransom or extortion. To determine whether such policies may address aspects of cybersecurity loss, review definitions, terms, conditions, limits, deductibles or retention amounts, endorsements, and exclusions in existing policies.
In addition, provider organizations should consider including provisions to address cybersecurity risks in their noninsurance contracts. For example, contracts with vendors may specify what the organization and the vendor each must do in the event of data disclosure or theft. Contracts may also contain indemnification provisions, insurance requirements, or other protective provisions.
What you can do
To strengthen their cybersecurity posture, provider organizations and insurers can do the following:
- Learn more about cybersecurity by reviewing key resources, such as those discussed above.
- Meet with individuals responsible for cybersecurity within their own organizations and within partner organizations.
- Use an enterprise risk management approach to achieve a comprehensive understanding of the risks that cybersecurity problems pose.
  - Provider organizations should also understand their cybersecurity risk context, develop a cybersecurity risk management strategy, and routinely assess their adherence to best practices.
- Optimize response to cybersecurity incidents.
  - Provider organizations should develop robust policies and procedures for responding to and recovering from cyberattacks.
  - Insurers should evaluate their coverages, service offerings, and procedures for cyberattack response and recovery.
- Explore cybersecurity risk transfer mechanisms.
  - Insurers should periodically reevaluate their offerings as cyberattack risks evolve.
  - Provider organizations should also consider shifting risk through contract clauses.