Healthcare and Cyber Security Risks
Healthcare is one of the industries most threatened by cybersecurity risks. To understand just how concerned healthcare providers should be about cyber risk, consider this - private health information is now more valuable on the black market than most other forms of personally identifiable information (PII).
In addition, healthcare companies face strict and evolving regulations regarding patient privacy. Unlike other PII - for example, banking details - medical records cannot simply be replaced with new ones, and the regulatory fines and penalties inflicted on an organization for the breach of this information can be crippling.
As the volume and mobility of electronic health records grows, so does the propensity for data breaches. Furthermore, cyber-attacks are now multi-faceted and extend beyond data privacy to network security. With businesses today relying on technology to operate, disruptions to network security mean more widespread impacts, all affecting the bottom line. Healthcare organizations may now fall victim to a gamut of “new” cyber-related exposures:
- Theft of patient and employee data.
- Extortion by encrypting data or disabling systems.
- Hacktivists smearing an organization’s reputation through online vandalism and by disclosing company records.
- Employee negligence, such as losing a laptop or forgetting to encrypt an email.
- Catastrophes, for example, a computer virus that takes months to eliminate.
- Breakdowns in a supplier’s security, causing data breaches or system outages that can’t be controlled or prevented.
Any of these emerging risks, or the traditional risks noted below, can expose a healthcare organization to significant liability, operational disruptions, reputational damage, regulatory scrutiny, shareholder lawsuits, patient dissatisfaction, and significant cleanup costs.
One specific and emerging cyber risk for the healthcare industry is that associated with network-connected devices installed by external vendors, in hospitals (e.g. MRI machines) or in patients (e.g. pacemakers). In addition, start-ups are disrupting the healthcare sector, entering it to exploit the opportunities the system presents. Generally, they provide technology-enabled solutions or devices that connect to a healthcare service’s network. It is through these vendors, start-ups or devices that hackers find their way into a healthcare service’s network and information. Recent studies suggest that criminals are attacking these types of businesses in record numbers because small data grabs from such companies are harder to detect and the information stolen is valuable on the black market.
Traditional Risk Exposures the Healthcare Industry Faces
In addition to the emerging exposures listed above, healthcare providers face a number of traditional cyber risks.
Patient Data Exposures - Healthcare companies hold substantial amounts of data about patients, health plan members, physicians, acute care systems, employees, and more. And the types of data vary, including claims information, personal credit information, and PII. A breach of patient records poses third-party liability risks, raises reputation concerns, and can lead to fines and penalties for regulation breaches.
Shared System Data Exposures - When organizations share patient information among different providers in order to coordinate services, each share point raises the potential for a data breach.
False Claims Submissions - Criminals are known to target healthcare entities in order to fraudulently obtain medical services and to defraud using false claims submissions.
Employee Exposures - Rogue, disgruntled employees can take malicious actions against an organization, compromising key patient data and records. Those at highest risk include intake employees in the emergency room who manage high volumes of patient data in a particularly stressful environment.
Impact Across the Organization
Cyber is not just an IT issue, and the first step to effectively managing cyber risk is to accept that technology-based prevention measures can only take you so far.
Cyber is an enterprise risk issue, impacting stakeholders throughout and beyond the organization. Managing it requires a business-wide response.
The best mindset for healthcare businesses is to think of cybersecurity as a game of chess, rather than a dice-rolling game of chance – it’s not if, but when we get attacked. And with that in mind, the only sensible strategy is a defensive one, which includes a clear, thorough, well-practiced plan.
Marsh’s approach to managing cyber risk is multi-dimensional, holistic, and accounts for the entire enterprise. It includes assessment of risk, risk transfer, risk management preparation, and response.
A dedicated cyber insurance policy can cover a full gamut of exposures. It can provide direct loss and liability protection for risks created by the use of technology and data in a healthcare organization’s day-to-day operations. These policies are flexible, allowing a customized program to provide protection for the myriad of cyber risk exposures discussed.