Since early 2018, ransomware attacks have increased 486%, leading to more aggressive underwriting and increases of as much as 20%-50% in some cyber policy premiums (Greenwald, J, 2021). The increase in cyberattacks and its subsequent effect on the insurance market are particularly dangerous to the healthcare industry. In 2020, healthcare rose from the tenth to the seventh most targeted sector for cyberattacks, and its data breaches continue to have the highest associated cost of any leading industry (Davis, J, 2021).
As an independent insurance agency, Professional Risk Associates has closely monitored the changes in the cyber liability market over the last few years. According to the market trends the agency has observed, both the number of attacks and the associated financial risks have increased due to the high dollar value of Electronic Medical Records (EMRs). The wealth of personal information available in an EMR system has made EMRs a coveted commodity among hackers. Additionally, the recent migration to telehealth services and the shift of much of the workforce to remote work have opened new opportunities for malicious actors, further increasing the risk of a cybersecurity breach. Higher premiums for this coverage may be shocking at first, but cyber security insurance is a crucial part of ensuring a medical practice’s financial security.
EMRs Are a Valuable Commodity
Your EMR system may seem innocuous, but the sensitive data it holds represents one of the most lucrative targets for hackers. A 2017 study found that a complete EMR database can sell for as much as $500,000 on the Dark Web (Rosario Fuentes, M, 2017). EMRs are valuable because of the sheer volume of sensitive information they contain. This information can be used to create fraudulent documents such as fake IDs, tax returns, and birth certificates, or to obtain prescriptions for controlled substances.
The incentive for hackers to target EMR systems is not the only concern hospitals or medical practices should have regarding these attacks. The associated cost of a breach is also a threat to any practice’s financial security. On average, a data breach costs $499 per patient record (Ikeda, S, 2021). This cost can include business interruption, with an average period of over 90 days to detect a breach and up to 236 days to recover from one (Ikeda, S, 2021). Additional fees are incurred for legal defense, breach detection and response, and notifying patients about the threat to their sensitive information. There is also the potential for secondary losses, such as a clinic’s damaged professional reputation due to the incident, losing current patients, or negative publicity leading to fewer new patients.
The COVID-19 Pandemic Increased Cybersecurity Threats
The COVID-19 pandemic has further exposed the weaknesses in healthcare cybersecurity systems, as the industry was forced to rapidly institute or expand its telehealth services and remote working functions. According to a study published by Bitglass, 2020 saw more than a 55% increase in healthcare-related cyberattacks (Ikeda, S, 2021), and of these cyberattacks, roughly 28% were ransomware (Davis, J, 2021). The increase in these cyberattacks is likely the result of practices shifting to remote work, additional devices connecting to secure networks from outside the workplace, and the rapid transition to cloud-based services. As the healthcare industry continues to expand telemedicine, a new threat emerges: the risk of a cyberattack depends not only on the healthcare entity, but also on the patient’s (or practice’s) network security.
A cyberattack threatens both the practice and the patient’s health and safety. Hospitals and medical practices must monitor their systems and create step-by-step plans for what to do in the event of an attack. The pandemic and new technology may be creating new opportunities for malicious actors, but as always, the greatest weakness or strength in a cybersecurity plan is the people using the system. One of the best ways a practice can help protect itself against a cyberattack is ensuring that employees receive regular cybersecurity training. Routine education may help employees identify phishing or spam attacks, and this could prevent a devastating cyber incident. Employee training will help reduce the risk of an attack, but adequate cyber coverage is still paramount when protecting your practice.
Davis, Jessica. (February 25, 2021). Healthcare Cyberattacks Doubled in 2020, with 28% Tied to Ransomware. Article [Web page]. Retrieved from: healthitsecurity.com
Greenwald, Judy. (March 4, 2021). Cyber insurance rates to increase 20-50% this year: Aon. Analysis of report [Web page]. Retrieved from: Business Insurance
Ikeda, Scott. (February 26, 2021). Healthcare Cyber Attacks Rise by 55%, Over 26 Million in the U.S. Impacted. Article [Web page]. Retrieved from: CPO Magazine
Rosario Fuentes, Mayra. (2017). Cybercrime and Other Threats Faced by the Healthcare Industry. Statistics and analysis [PDF]. Retrieved from: The Expansion of Cyber Underground Goods to Electronic Health Data (trendmicro.com)