Health care organizations are an attractive target for cyber threats because of the sensitive information they hold. The digital migration forced by the coronavirus pandemic has exacerbated these risks.
Health care organizations were already an attractive target for cyberattacks because of their treasure trove of sensitive information, and the coronavirus pandemic didn't help.
"Health care and medical facilities have a variety of personally identifiable health information and an obligation to keep that information confidential," says Tim Francis, enterprise cyber lead for Travelers Insurance. "However, they're often subject to other attacks that aren't stealing health information for the sole purpose of using the information."
Francis points to an increase in ransomware claims, in which the cybercriminal compromises the health care organization's systems to extort a ransom payment, leveraging the organization's urgent need to get back online as quickly as possible. "Not only is that disruptive, but it can actually lead to real, damaging outcomes for patient care," he says.
The digital migration forced by the coronavirus pandemic has only exacerbated health care organizations' cyber risks.
"While health care facilities have remained open with essential employees, personnel not directly involved in patient care, including those involved with network security, have found themselves working remotely," Francis says. "With changing work environments and pressures, and with the primary focus remaining on patient care, it's much easier to miss something or to wait to make changes to your cybersecurity."
Although the cyber liability market may react more quickly to risk trends than many other coverages, "the insurance environment usually doesn't move at the same pace as technology," Francis says. "The current, most pervasive threat is that rise in ransomware claims. Particularly in health care, where the outcomes potentially lead to negative health consequences, it's crucial to make sure a health care organization's cyber insurance has appropriate coverage limits and adequately addresses ransomware."
Of course, the ideal defense against ransomware is to prevent it from happening in the first place. "But even if an attack does occur," Francis adds, "to be able to pivot and address it—not only with financial resources but with expertise through forensic investigation—is crucial to get that health care facility functioning as quickly as possible."
When it comes to mitigating cyber risk, Francis has several tips. "The first thing is to make sure there is a culture, starting with a top-down approach, that appreciates the necessity for keeping information and systems secure and protected," he says.
HIPAA has crucial guidelines to keep health information secure, but in terms of the rest of a health care organization's digital systems, other important safety measures include "keeping administrator credentials separate and using multifactor authentication for remote access," Francis continues. "And endpoint detection and response (EDR) can not only prevent malicious malware from entering a system but can also easily identify it within milliseconds and prevent it from spreading across the network."
In an evolving field like cyber liability, it's more important than ever to have access to experts who are in the business of trying to read those evolving trends. For agents with cyber liability clients, Francis's advice is to "make sure you're linked up with cybersecurity threat professionals. Use those relationships to craft coverage for your clients to protect them, not just from the threats they're facing now but also the ones they might face tomorrow."
AnneMarie McPherson is IA news editor.