The healthcare industry has seen an alarming increase in cyber attacks. A new report estimates that the global healthcare cyber security market will reach $10.85 billion by 2022, thanks to the rapidly increasing number of cyber attacks, regulatory and security compliance issues, and internal data leaks.

Criminal attacks against healthcare providers have more than doubled in the past five years, with the average data breach costing a hospital $2.1 million. Could your organization afford the operational and financial implications of a cyber event?

  • Healthcare providers manage huge volumes of personal health data and personally identifiable information
  • Breaching healthcare regulations, such as HIPAA, can result in large fines and penalties
  • Protecting confidential information is a business requirement, and in many cases also an ethical and legal requirement
  • A complex technology environment means that healthcare providers face extensive security challenges
  • Access to electronic health records is essential. A system interruption or shutdown can leave a hospital unable to administer medications, order supplies or organize staffing, and can also affect medical equipment, with potentially life or death consequences
  • Actual or implied theft of improperly protected electronic data can lead to an extortion threat
  • Healthcare is a labor-intensive industry in which employees expect instant access to data. Extensive employee networks make it difficult to manage human error, limit data breaches and ensure network integrity
  • Personal health data is 10x more valuable than financial data on the black market, making it an attractive target for cyber criminals
  • Healthcare providers often hold intellectual property and other sensitive information about new product developments, making them an attractive target for cyber criminals

Malicious cyber events are often the hardest to predict and, in the healthcare sector, are usually carried out for financial gain. These events can materialise in a number of ways:

  • Privacy breaches or network security events
  • Cyber Extortion
  • Data or System degradation

E-Cyber is designed to protect healthcare providers against these malicious cyber attacks. It provides comprehensive cover for crisis management, in particular the costs of notifying clients of a breach and of identifying and resolving the cause of the cyber or extortion event, and it offers financial protection against the fallout, such as:

  • the increased cost of working or direct loss of net income due to the covered event
  • defence costs and any subsequent damages or fines which may be incurred as a result of the event

Data manipulation, ransom and breaches are a major concern for healthcare providers given the high volume of Personal Health Information and Personally Identifiable Information they hold. This data is shared across an extensive employee network, which makes managing it extremely complicated.

Whether the data is corrupted, exposed or held to ransom, E-Cyber is designed with an understanding of the inherent exposure healthcare providers face in managing large data repositories. The policy is designed to cover the cost to the company of managing a data breach or a ransom event, as well as data restoration following a cyber event. The policy further extends to the legal and regulatory implications of data breaches and covers any fines and penalties arising from a regulatory investigation.


Much like data management, maintaining network integrity presents a serious challenge, as inadvertent system failures can be just as disruptive as malicious cyber attacks. Whether the failure is caused by negligence or a mistake in managing the organization's systems, by a programming error, or by a malfunction or failure of the organization's systems, the resulting outage will cause the healthcare provider financial loss.

Many of these system exposures are intended to be covered within the E-Cyber policy, as the triggers for the business interruption and liability sections extend beyond malicious acts to the practicalities of managing a centralised network. As a result we handle many of these system interruptions as if they were malicious, and would look to provide cover for event management to identify and resolve the system failure, the increased cost of working or direct loss of net income due to the covered event, and any defence costs and subsequent damages or fines which may be incurred as a result of the event.

March 2016 – Ten hospitals and over 250 outpatient centres shut down their computers and email servers after malware paralyzed their online systems. Initially, officials of the $5 billion healthcare provider did not refer to the incident as a ransomware infection, but an employee released an image of a ransom note. The note warned, “You just have 10 days to send us the Bitcoin, after 10 days we will remove your private key and it’s impossible to recover your files”.

February 2016 – A Los Angeles hospital was the subject of a ransomware attack which rendered the organization's internal computer systems inoperable. The systems were offline for over a week and were only restored after the hospital gave in to the demands and paid a hefty ransom.

February 2015 – The second largest health insurer in the US made history with the largest healthcare breach ever recorded. An estimated 80 million records were breached, comprising names, birthdays, Social Security numbers, addresses, email addresses and employment information, including income data.

May 2014 (discovered January 2015) – A Washington based health insurance company was the target of a cyber attack. The data breach was said to have occurred in May 2014 but was only discovered in January 2015. The attack affected 11 million customers and may have given hackers access to Social Security numbers, bank information and contact details.

December 2013 (discovered August 2015) – An upstate New York healthcare company was the target of a sophisticated cyber attack exposing as many as 10 million records containing dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claim information.

June 2011 – The UK's National Health Service suffered a large-scale breach when a laptop holding unencrypted files on 8 million patients went missing from a store room.

March 2015 – A Los Angeles hospital's electronic health record system failed, which led to the closure of the hospital's emergency room. The hospital experienced problems dispensing needed medications, could not verify doctors' orders, could not review patient labs, radiology exams, MRIs or other diagnostic procedures, and doctors and nurses were unable to review patient records.

March 2015 – A university hospital in Ireland experienced a breakdown in its IT infrastructure which led to the postponement of a number of outpatient appointments. Several departments had to revert to manual data gathering, and the hospital had to activate its contingency plan to deal with the communication failure.

2015 – A report noted that nurses experienced more than eight work system failures during an 8-hour shift. The most frequent failures identified involved medications, orders, supplies, staffing and equipment. In addition to operational failures that delayed productivity, there were a large number of reported work interruptions.