Cyber attacks on the healthcare sector are becoming worryingly frequent and growing in sophistication. These attacks pose significant risks to both operational integrity and patient safety. Recent ransomware attacks, such as those on UnitedHealth Group’s Change Healthcare and a major London hospital, have exposed critical vulnerabilities in existing infrastructure, while underscoring the urgent need for robust cybersecurity measures and comprehensive cyber insurance cover within the sector.
The healthcare sector is being increasingly targeted
Data shows that the healthcare sector is increasingly a target for cyber criminals. According to researcher Omdia, the sector suffered 241 attacks during the first nine months of 2023, ahead of the government (147 attacks) and almost three times more than software, hardware and IT services (91). According to the data, hacking was the most common type of breach, followed by chain attacks, phishing and ransomware – the latter being particularly disruptive as it can shut down vital services for considerable periods of time.
These attacks often lead to substantial disruptions, data breaches, and, in extreme cases, indirect increases in mortality rates due to delayed or compromised medical services. According to an alarming whitepaper published by the University of Minnesota in 2023, ransomware attacks typically increase hospital mortality rates by around 20%.
Cyber attacks can cripple healthcare operations for significant periods
The attack on Change Healthcare incapacitated key functions such as billing, prescription management, and medical procedures. Similarly, the attack on London’s Guy’s and St Thomas’ Hospital in June has caused widespread disruption, with recovery expected to take months. Services such as blood transfusions have been severely disrupted, with processes including blood tests said to be taking up to six hours to complete, due to the required technology systems being down. These incidents highlight the ability of cyber attacks to cripple healthcare operations and revenue streams.
Congressional hearings held after the Change Healthcare breach have revealed that Change Healthcare made the decision to forgo insurance coverage because it perceived the cost to be excessive. It is the responsibility of every organisation to determine its cyber risk appetite, protecting not only the organisation’s bottom line but also the safety and resilience of its operations. For critical national infrastructure, insurance should be a major contributor to financial stability and to the restoration of operations. Insurance coverage provides the capital needed to restore operations without drawing on the funding of other critical healthcare services.
Effective cyber insurance should include coverage for losses suffered directly by the healthcare operation (such as business interruption) as well as third party liability (such as security or privacy liability). Comprehensive cover must address all of these points. It should also cover costs associated with incident response, including forensic investigations, legal fees, and public relations efforts. Additionally, coverage should insure against losses caused by operational downtime and provide coverage for the full payments associated with cyber ransom, with clear protocols for negotiation and payment to aid businesses in their recovery efforts.
Preparedness is key in maintaining resilience
To maintain operational resilience and negate the risk of needing to claim on cyber policies, companies should ensure they practice good cyber hygiene. Given the dependency that healthcare organisations have on both IT and Operational Technology (OT) systems, this is crucial not only for patient service delivery, but also for patient safety.
Regular software updates and patching protect systems against known vulnerabilities, while layered security controls such as firewalls, intrusion detection systems, and endpoint protection provide robust defences. Comprehensive security audits and risk assessments help identify and address potential security gaps. Insurers and brokers can support these audits, in addition to offering insurability analysis that determines whether or not an organisation is currently practising good cyber hygiene, and the areas it needs to improve.
Educating staff on cybersecurity best practices, including recognising phishing attempts in suspicious emails and securing sensitive data, can also go a long way – and is something else that is often included as a service, or offered at a reduced cost, within the insurance offering. This level of hygiene is particularly important in the fast-paced healthcare environment, where staff have access to huge volumes of patients’ personal data, often through outdated operating systems.
A comprehensive risk mitigation plan
A well-defined, well-rehearsed incident response plan and business continuity plan are vital for minimising the impact of cyber attacks. These plans should include rapid containment and mitigation strategies, effective communication protocols for internal and external stakeholders, and coordination with law enforcement and cybersecurity experts. Backup servers and cloud storage can reduce the time for which data is unavailable, with the additional benefit of reducing incidental data loss caused by day-to-day data mismanagement.
Healthcare organisations must also stay abreast of regulatory requirements related to cybersecurity and data protection, ensuring full compliance. Participation in information-sharing networks with other healthcare organisations helps them stay informed about emerging threats and effective countermeasures. It is essential to recognise that the cost of robust cybersecurity measures is a prudent investment compared to the potentially catastrophic costs of a successful cyber attack.
By addressing these areas, healthcare organizations can significantly bolster their defences against the growing threat of cyber attacks, safeguarding both their financial stability and the wellbeing of their patients.