Cybersecurity threats to health care organizations and patient safety are real. Recent ransomware attacks have shown just how vulnerable health care organizations have become to cyber risk when caring for patients in an interconnected, technology-driven care setting.
Health information technology now provides critical, life-saving functions, many of them delivered by connected, networked systems that rely on wireless technologies, all of which must be secured against cyber-attack.
Given the increasingly sophisticated and widespread nature of cyber-attacks, the health care industry must make cybersecurity a priority and make the investments needed to protect its patients.
The U.S. Department of Health and Human Services (HHS) recently released a new report, titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” This document does not create new frameworks, rewrite specifications, or “reinvent the wheel.” It serves as a new resource for health care providers of all sizes. To account for that variation in size, the Technical Volumes within the report present cybersecurity practice implementations separately for small, medium-sized, and large organizations.
The goal of the publication is to foster awareness, provide practices, and move towards consistency within the healthcare sector in mitigating the current most impactful cybersecurity threats.
The five threats explored in the new HHS document are as follows:
• E-mail phishing attacks
• Ransomware attacks
• Loss or theft of equipment or data
• Insider, accidental or intentional data loss
• Attacks against connected medical devices that may affect patient safety
The report breaks down each of the five threats and provides details on the vulnerabilities the threat exploits, how a healthcare organization may be impacted, and practices to consider.
Interestingly, the report does not mention cyber insurance as a practice that healthcare organizations should consider. While the report is heavily focused on the five pressing threats that healthcare organizations currently face, cyber insurance has become an important risk transfer strategy that should be considered alongside them.
Here is how cyber insurance can help a healthcare organization with these threats:
• E-mail phishing attacks: These attacks happen daily and result in many cyber insurance claims being filed. Coverage may be found in most cyber insurance policies regardless of what happens after the phishing link is clicked: malicious software being downloaded, access being gained to information stored on the organization’s network, or a targeted social engineering e-mail leading to a loss of funds. However, the coverages vary greatly by policy. It is important to check the policy wording and understand how the coverage would respond to each of these outcomes, and at what limit and retention (deductible).
• Ransomware attacks: Long gone are the days of the $300 ransom request, as many ransoms have since grown to thousands of dollars. Fortunately, most cyber insurance policies cover ransomware attacks. However, since most ransoms must be paid in cryptocurrency, you will want to check whether your policy covers such payments and what the policy requires you to do when an attack happens, for example notifying the insurer before any payment is made.
• Loss or theft of equipment or data: Cyber insurance policies do not cover the theft of the physical hardware or equipment itself (you will want to schedule that on your business property insurance policy). It is the loss or theft of the data, including data stored on a lost or stolen device, that would trigger your cyber insurance policy to respond.
• Insider, accidental or intentional data loss: It is important to carefully read the policy’s coverage section and exclusion wordings to understand how the coverage would respond to an insider incident, whether the data loss was accidental or intentional. Policies respond differently to these incidents, so it is important to understand the response before an incident happens.
• Attacks against connected medical devices that may affect patient safety: This is a very high and sensitive risk because patient safety is at stake. Most cyber insurance policies exclude bodily injury in the event a cyber attack causes a connected medical device to physically harm a patient. However, some cyber insurance policies can be written to cover such an incident.
Cyber insurance should not be navigated alone. You will want to work with an experienced cyber insurance broker who can help your healthcare organization obtain coverage appropriate to its cyber risk needs.