As our world becomes increasingly high-tech and digitized, the threat of cybercrime within healthcare grows. Health records remain a top target for criminals.
Yet many practices, clinics, hospitals, and health systems still aren’t adequately prepared or covered for medical-professional liability, or even for product liability such as that arising from emerging technologies.
Throughout 2019, NAS (now known as Tokio Marine HCC—Cyber and Professional Lines Group) found that cyberattacks continued to be of primary concern to business leaders in all sectors. The increased sophistication of cyber criminals, a growing base of connected devices (a.k.a. “the attack surface”), and human vulnerability all contribute to a business environment rife with cyber-security risk that continues to be exploited by criminal actors.
In 2019, NAS saw that the activity (and expense!) of cyberattacks on its policyholders continued to shift from “data breach” to “cybercrime.” While phishing attacks, fraud, and ransomware are all on the rise, there was a decline in data breaches, exposure of personal information, and related notification expenses.
CASE #1
Employees of a hospital discovered that their email accounts were not accessible. The hospital’s IT department investigated and discovered that a ransomware attack had infected 70 servers and 600 workstations. The hospital had to close operations for two business days and suffered various losses due to the event. The hospital’s cyber-liability insurance covered:
- IT forensic consultants—Consultants were retained to immediately address the ransomware attack, secure data, investigate whether any patient health information was compromised, and rebuild the hospital’s network.
- Business interruption and income loss—Several surgeries had to be cancelled, resulting in loss of income.
- Data recovery—Several employees had to work overtime to re-create lost data from backup.
- Ransom amount—The hospital paid the ransom demand to restore system access.
- Total expenses: $570,000
CASE #2
A medical group experienced a Ryuk ransomware event. Ryuk is a type of crypto-ransomware that uses encryption to block access to a system, device, or file until a ransom is paid. Ryuk is often dropped on a system by other malware, or gains access to a system through remote desktop services. The event resulted in the shutdown/compromise of the medical center’s computer system, which included multiple desktops and servers as well as backup systems. The malicious actor made a ransom demand of more than $1.2 million. Attorneys for the insured attempted to negotiate the ransom down, but the hacker wasn’t willing to negotiate.
Additionally, legal counsel confirmed that the medical group’s system could not be restored from the encrypted backup servers. The medical group, therefore, paid the $1.2 million ransom, but was reimbursed under its Cyber Extortion coverage. After paying the ransom, the insured received the decryption key and was able to regain access to its systems and data.
If there were a theme for 2019 cyber claims, as told by Tokio Marine HCC—Cyber and Professional Lines Group, it would be the growth of phishing attacks on small-to-midsized businesses. Ransomware and financial-fraud claims were up from 2018 across the board, and largely initiated in response to phishing attacks. Though the larger cyber incidents at Facebook, Citrix, and Capital One grab the headlines, the rampant attacks on small and midsized businesses are devastating, as most SMBs don’t have sufficient resources to prepare or defend themselves. A recent Fundera study reports that “three out of four small businesses don’t have the personnel to address IT security.”
Whether through wire transfers, fraudulent payments, or unauthorized access to financial accounts, cybercrime activities were up significantly on all sectors of business in 2019.
PROTECTING YOUR ORGANIZATION
1. Conduct a Risk Assessment
Risk assessments and analysis are the foundation to mitigating the above risks and preventing an unpleasant experience with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”). Failure to conduct a risk analysis is the most common HIPAA violation found during the OCR’s investigations. Analyzing your organization’s risks is the starting point to determining a proper information security program and appropriate risk-mitigation measures.
2. Train Employees
Employee training is another key part of achieving HIPAA compliance and mitigating associated privacy and security risks. HIPAA rules require that an organization’s workforce be properly trained on the HIPAA Privacy, Security, and Breach Notification Rules.
3. Implement Policies and Procedures
HIPAA’s Privacy and Security Rules require healthcare organizations to have data-security policies and procedures addressing a multitude of risks. Inadequate policies and procedures are a frequent violation cited in HIPAA enforcement actions.
4. Manage Vendors Appropriately
Vendor risks have become one of the top data-security concerns for healthcare organizations. As OCR holds business associates and covered entities liable for HIPAA compliance when it comes to vendor relationships, it’s important for healthcare organizations to have a vendor-management program in place to maintain control of their business associates processing PHI.
5. Prepare an Incident Response Plan
The best way to handle a cyberattack is to be prepared well in advance. When responding to a cyber incident, critical decisions must be made within a condensed timeframe. Notification deadlines—the most notable of which is the 60-day notification deadline to OCR and affected individuals—apply to all healthcare organizations. Any mistakes can be costly and have a lasting impact.
If you suspect ransomware…
- Isolate the infected computer(s) from all networks (by unplugging network cable and/or turning off Wi-Fi).
- Take a picture of the ransomware message (if possible).
- Do not immediately rebuild your system (you might destroy important forensic evidence).
- Regularly back up all critical data, and store it offsite.
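Case #2 above turned on one fact: the backup servers had been encrypted along with everything else, so the backups could not be restored. The following added example (not from the original article or the insurer) shows one way to make "regularly back up all critical data" verifiable rather than assumed. It assumes a backup set is a directory tree and that a SHA-256 manifest was recorded at backup time and kept somewhere the backup host cannot overwrite (offline or write-once storage). Re-running the check on a schedule answers "can we actually restore from this?" before an incident forces the question. The file names and contents in `demo()` are constructed for illustration.

```python
"""Verify that a backup copy still matches the manifest recorded when it was made.

Added example, not code from the original article. Assumes: the backup set is a
directory tree, and its SHA-256 manifest was written at backup time and stored
where the backup host cannot modify it (offline / write-once media).
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against the trusted manifest.

    Returns a report listing modified, missing, and unexpected files. A backup
    that an encryption process has reached typically shows many 'modified'
    entries (contents rewritten) plus 'unexpected' ones (renamed files with a
    new extension, dropped ransom notes).
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: record a manifest, verify, then simulate the backup being damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        # Constructed sample data, not real records.
        (backup / "records" / "patients.csv").write_bytes(b"id,name\n1,Sample Patient\n")
        (backup / "records" / "schedule.csv").write_bytes(b"date,room\n2019-05-01,3\n")
        manifest = build_manifest(backup)  # in practice: stored offline at backup time
        clean = verify_backup(backup, manifest)

        # Simulate the backup copy itself being reached: one file rewritten, one renamed.
        (backup / "records" / "patients.csv").write_bytes(b"\x00garbled\x00")
        (backup / "records" / "schedule.csv").rename(backup / "records" / "schedule.csv.locked")
        damaged = verify_backup(backup, manifest)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only useful if the ransomware cannot reach it: store it with the offsite copy or on media that is disconnected between backup runs, and treat any non-empty `modified`, `missing`, or `unexpected` list as a reason to fall back to an older backup set rather than as a restore candidate.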
WHAT TO LOOK FOR WHEN CONSIDERING CYBERLIABILITY INSURANCE
Not all insurance programs are created equal, so it’s important to compare policies. You are at risk from simple negligence, rogue employees, unencrypted data, and outsourced information technology. And that means you need to protect all of your billing information, such as credit card numbers, addresses, bank information, insurance information, Social Security numbers, employee information, and basically everything in your medical records. Physicians Insurance includes a basic level of coverage as part of its standard physician and clinic policies. Higher limits for increased protection are also available. If you have questions about cyber security or other risk-mitigation resources, log onto our website at phyins.com and go to the Cyber Center portal. To report a cyber breach or suspected breach, contact our Claims Department at 800-962-1399.
COVID-19 Relief Packages Trigger Uptick in Scams
Congress recently passed a number of relief packages, and criminals are trying to scam victims out of their relief funds. Criminals use email, SMS text, and robocalls to contact victims. Log onto our cyber center at https://bit.Ly/3dqwmbp to learn more about COVID-19 scams and prevention; COVID-19 and HIPAA; tips on how to use Zoom securely; webinars on protecting your cyber security in uncertain times; and more.