Death by Ransomware: Poor Healthcare Cybersecurity

Babur Khan, Technical Marketing Engineer at A10 Networks

If attackers hit your organization and you’re in an industry such as financial services, engineering, or manufacturing, your risks are mostly monetary. In healthcare, not only is there significant financial jeopardy, people’s health and wellbeing are also at risk, so the stakes are much, much higher.

According to the Department of Health and Human Services, there was an almost 50 percent increase in healthcare data breaches between February and May 2020 compared with the same period in 2019. This is thought to be a result of the COVID-19 pandemic distracting the industry with the sweeping operational changes it required, putting extra pressure on already inadequate healthcare cybersecurity measures.

Why Are Hackers Attacking Healthcare?

If there’s one thing attackers like, it’s a soft target, and large, complex organizations in industries that have been slow to adopt, and then to secure, digital technologies are precisely that. These organizations usually have broad and mostly poorly defended attack surfaces, which give attackers many routes in, through which they can not only exfiltrate data but also compromise services and hardware.

Healthcare, in general, is one of the most visible and softest targets. Successful hospital cyber-attacks usually cause significant disruption to access to patient data and to routine workflows such as medication scheduling, resource management, and other essential services. These attacks can easily result in what healthcare euphemistically calls “bad outcomes”, and bad outcomes include injury and death.

How Does Healthcare Think About Cyber Risks?

A study by the security consulting firm Independent Security Evaluators concluded:

One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective … In summary, we find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.

The report argues that protecting patient records has absorbed most of the focus of healthcare cybersecurity planning, and that organizations often picture their threat actors as “unsophisticated adversaries” such as individual hackers and small hacker collaborations. ISE argues that this framing ignores the potential for far more sophisticated hospital cyber-attacks from political hacktivist groups, organized crime, terrorists, and nation-states, all of whom are highly motivated and well-funded, and that “As a result, a multitude of attack surfaces are left unprotected, and attack strategies that could result in harm to a patient are not considered.”

The Universal Health Service Hospital Cyber-attacks

In September 2020, Universal Health Services (UHS), a hospital and health care network with more than 400 facilities across the United States, Puerto Rico, and the United Kingdom, found itself under attack by the Russian-linked “Ryuk” ransomware. This wasn’t the first hospital cyber-attack on UHS: the security firm Advanced Intelligence (AdvIntel) reported, via its Andariel intelligence platform, that trojan malware had infected UHS systems throughout 2020.

UHS has not officially confirmed the details of the attack, but reports from UHS employees indicate that it began with a successful phishing campaign. The attack disabled computers and phone systems and forced the hospitals to revert to paper-based systems to continue operating. Affected network hospitals also had to redirect ambulances and move surgical patients to other, unaffected facilities.

As is usually the case with large, complex organizations, cleaning up and restoring the systems was neither simple nor quick. A UHS press release on October 12, 2020, announced: “… we have had no indication that any patient or employee data was accessed, copied or misused.” It also stated that operations were mostly back to normal after a total of 16 days. Given that downtime from an enterprise security breach can cost upwards of $1,000,000 per day, this attack will have dealt a serious blow to UHS’ bottom line. Whether UHS paid the ransom is not known.

Cyber Attacks and Murder

When a cyberattack hits any organization there are always consequences, but when healthcare ransomware is involved there is a real risk of loss of life. In the case of UHS, there were unconfirmed rumors of four patients dying because doctors had to wait for lab results delivered by courier instead of electronically. While those, so far, appear to be just rumors, there is one known case of a patient dying directly as a result of a hospital ransomware attack.

The University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack on September 10, 2020. The attackers exploited a vulnerability in the hospital’s Citrix ADC for which a fix had been available since January; the hospital, unfortunately, had not yet applied it.

As a result of the attack, the hospital immediately announced that “The UKD has deregistered from emergency care. Planned and outpatient treatments will also not take place and will be postponed. Patients are therefore asked not to visit the UKD – even if an appointment has been made” and patients were routed to alternative medical facilities.

The ransom note dropped by the malware was addressed to Heinrich Heine University, which indicated that the hospital was not the intended target. The German police contacted the attackers via the instructions in the note and explained the mistake, after which the attackers withdrew their demand and handed over the decryption key.

Unfortunately, one patient with a life-threatening illness was diverted to a more distant hospital after UKD deregistered as an emergency care facility. The additional hour’s travel may have contributed to the patient’s death. On September 18, 2020, German prosecutors opened a negligent homicide investigation; if a causal link were confirmed, it would make the patient’s death the first known case of death by hacking.

Protect Critical Systems from Malware

The key to defending your systems from malware and phishing is monitoring and examining all network communications. Now that encryption is the norm for internet traffic, looking “inside” message streams requires new approaches and technologies so that embedded threats are caught and handled before they escalate into disasters. The two incidents above also show where that monitoring sits: UHS was entered through a phishing email and UKD through an internet-facing appliance whose patch had been available for months. Prompt patching of edge devices and strong controls around user credentials come first; inspection of network traffic, encrypted traffic included, is the layer that catches what gets past them.


About Babur Nawaz Khan
Babur Nawaz Khan is a Technical Marketing Engineer at A10 Networks, a leading provider of secure application services and solutions. He primarily focuses on A10’s Enterprise Security and DDoS Protection solutions and holds a master’s degree in Computer Science from the University of Maryland, Baltimore County.


Information of nearly half a million Aetna members exposed in email hack

An email hacking incident exposed the information of close to 500,000 Aetna health plan members, the payer reported to HHS last week. The incident occurred when an unauthorized person gained access to an email account of Aetna’s vision benefit services provider.


How COVID-19 Exposed The True Vulnerability of Healthcare Infrastructure
Martyn Crew, Director of Solutions Marketing at Gigamon

In 2019, 41 million patient records were breached in 572 reported incidents, at an average cost of $1.8 million per breach. These statistics are far from surprising when healthcare records sell for a reported average of $45 on the dark web. Unfortunately, 2020 aggravated these issues as COVID-19 exposed the true vulnerability of healthcare infrastructure. Organizations had to manage not only the medical and financial impacts of the pandemic but also the security risks inherent in the work-from-home (WFH) model and the increasingly sophisticated attacks of cybercriminals intent on exploiting those weaknesses. In this article, we’ll dive into some of these growing threats.

The Bare Minimum of EDR

Although most organizations have now provided WFH employees with managed computers running endpoint detection and response (EDR) agents, or have mandated the use of virtual private networks (VPNs), this does not fully solve the security problem.

These solutions may protect the user and network from future attacks, but if the network has already been infiltrated, an advanced persistent threat (APT) may be lying dormant for weeks, months, or even years on an apparently secure network. Responding to these threats requires a network detection and response (NDR) capability: one that looks for activity or patterns of behavior from users or servers which indicate that an attack may be in progress, may have already taken place, or may be developing.

Ideally, EDR and NDR need to be integrated and used together to provide end-to-end network visibility and security.
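As an added illustration of the behavioral detection described above (this is example code written for this article, not Gigamon’s tooling), the following check looks for beaconing: a host that contacts the same external address at suspiciously regular intervals, which is how a dormant implant typically polls its command-and-control server. The flow records are constructed for the example, and the thresholds (minimum connection count, maximum coefficient of variation of the intervals) are assumptions to be tuned against a real baseline.

```python
"""Beacon detection over flow records: an NDR-style behavioural check.

Added example for this article, not Gigamon code. Human-driven traffic has
irregular timing; an implant on a timer does not. The flow log below is
constructed; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow log: timestamp, source host, destination:port, bytes sent.
FLOW_LOG = """\
2020-10-01T08:00:00 10.20.5.17 203.0.113.9:443 612
2020-10-01T08:00:04 10.20.5.17 198.51.100.20:443 90211
2020-10-01T08:05:01 10.20.5.17 203.0.113.9:443 598
2020-10-01T08:07:40 10.20.5.17 198.51.100.44:443 4410
2020-10-01T08:09:59 10.20.5.17 203.0.113.9:443 605
2020-10-01T08:15:00 10.20.5.17 203.0.113.9:443 611
2020-10-01T08:19:58 10.20.5.17 203.0.113.9:443 602
2020-10-01T08:25:02 10.20.5.17 203.0.113.9:443 599
2020-10-01T08:30:00 10.20.5.17 203.0.113.9:443 610
2020-10-01T08:01:13 10.20.5.31 198.51.100.20:443 120044
2020-10-01T08:02:50 10.20.5.31 198.51.100.20:443 3321
2020-10-01T08:18:07 10.20.5.31 198.51.100.20:443 77890
2020-10-01T08:31:44 10.20.5.31 198.51.100.20:443 5400
"""

MIN_CONNECTIONS = 6   # below this the interval statistics mean nothing (assumption)
MAX_CV = 0.2          # implants add jitter, so do not set this near zero (assumption)
MIN_INTERVAL_S = 60   # ignore chatty keep-alives that fire every few seconds (assumption)


def parse_flows(text):
    """Parse the whitespace-separated flow format above into (ts, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return flows


def find_beacons(flows, min_connections=MIN_CONNECTIONS, max_cv=MAX_CV,
                 min_interval_s=MIN_INTERVAL_S):
    """Return one finding per (src, dst) pair whose connection timing looks machine-driven."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in flows:
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg < min_interval_s:
            continue
        cv = pstdev(intervals) / avg   # coefficient of variation: 0 means perfectly periodic
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "connections": len(events),
                "mean_interval_s": avg, "cv": round(cv, 4),
                "mean_bytes": round(mean(size for _, size in events)),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_flows(FLOW_LOG)):
        print(f"possible beacon: {f['src']} -> {f['dst']} every ~{f['mean_interval_s']:.0f}s "
              f"({f['connections']} connections, CV {f['cv']}, ~{f['mean_bytes']} bytes each)")
```

On the constructed log only the first host’s traffic to 203.0.113.9 fires: seven connections roughly every five minutes with a near-constant payload size. The second host talks to one destination too, but with irregular timing and too few connections to judge, which is the kind of traffic a threshold-only rule would wrongly flag.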

Exploited Fears

Cybercriminals and other bad actors were quick to exploit the COVID-19 pandemic with, for example, phishing attacks. These exploited the fears of healthcare consumers and healthcare workers who, in the early days of WFH, were often accessing corporate networks from unsecured mobile phones and personal computers on their home networks.

This led to a variety of security issues; for example, Mirai-style botnet attacks that exploited WFH practices to infect healthcare organizations’ networks, or dropper-based attacks that loaded malware to steal users’ credentials and ultimately led to ransomware. While these attacks continue, most healthcare organizations have since taken measures to secure their networks and their patient and organizational data.

A Spike in State-Sponsored Attacks

Beyond threats from financially motivated cybercriminals looms the threat from highly sophisticated and well-resourced state-sponsored attackers. As widely reported in the media, there has been a spike in state-sponsored security attacks on lab and research facilities working on COVID-19 treatments. For example, the Wall Street Journal cited U.S. officials as suggesting that Chinese and Iranian hackers are targeting universities and pharmaceutical and other healthcare firms that are working to find a vaccine for COVID-19, in an attempt to disrupt this research and slow its development.

In addition to direct attacks on research institutions, software vendors that develop the tools used by these institutions are also at risk. Security is becoming a “supply chain” issue that touches not only all of the network users and assets but also all the precursors to these assets, including the network carriers and software vendors on which network users rely.

Lack of Trust

Who can you trust in this expanded threat environment? To take proper precautions, nobody. As healthcare consumers and the workforce want or need to operate on an “access anywhere, anytime” model, adopting what’s called a Zero Trust security architecture not only makes sense, it is close to an imperative for healthcare organizations.

Zero Trust means that, because the network is under constant attack from a huge array of external and internal threats, no user, device, application, or resource on the network is trusted by default, regardless of where it sits. Users and devices are authenticated and authorized rigorously and continuously, on every request rather than once at the perimeter, while patient, research, and other data and network assets are protected at a much more granular level than traditional perimeter-based security models allow.
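As an added example of the per-request decision just described (written for this article; not Gigamon code), the policy below takes identity strength, session freshness, device posture, and the sensitivity of the resource into account, and records but deliberately never trusts the network the request arrives from. The roles, resource tiers, and the 15-minute re-authentication window are assumptions made for the example.

```python
"""Per-request Zero Trust policy evaluation.

Added example for this article, not Gigamon code. Roles, tiers and time
limits are assumptions; the sample requests are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

PHI_ROLES = {"physician", "nurse", "pharmacist"}  # assumed roles with a care-delivery need for PHI
MAX_SESSION_AGE = timedelta(minutes=15)           # assumed re-authentication window for PHI


@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    auth_time: datetime       # when the user last completed authentication
    now: datetime
    device_managed: bool      # enrolled and inventoried by the organisation
    device_edr_healthy: bool  # EDR agent present and reporting
    network: str              # "campus", "vpn" or "internet": logged, never trusted
    resource: str
    resource_tier: str        # "public", "internal" or "phi"


def evaluate(req):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    if req.resource_tier == "public":
        return "allow", ["public resource"]

    # Hard failures first: posture and entitlement cannot be fixed by the user
    # at the moment of the request. req.network is intentionally not consulted,
    # so a campus LAN address buys nothing.
    reasons = []
    if not req.device_managed:
        reasons.append("unmanaged device")
    if req.resource_tier == "phi" and not req.device_edr_healthy:
        reasons.append("EDR agent missing or unhealthy")
    if req.resource_tier == "phi" and req.role not in PHI_ROLES:
        reasons.append("role %r has no PHI entitlement" % req.role)
    if reasons:
        return "deny", reasons

    # Recoverable failures: the user can re-prove identity, so ask for more proof.
    if not req.mfa_verified:
        reasons.append("MFA not completed")
    if req.resource_tier == "phi" and req.now - req.auth_time > MAX_SESSION_AGE:
        reasons.append("authentication older than the PHI re-authentication window")
    if reasons:
        return "step_up", reasons
    return "allow", ["identity, session, device posture and entitlement all satisfied"]


def sample_requests():
    """Constructed requests that exercise each branch of the policy."""
    now = datetime(2020, 11, 3, 9, 30)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(minutes=40)
    base = dict(user="jlee", role="physician", mfa_verified=True, auth_time=fresh, now=now,
                device_managed=True, device_edr_healthy=True, network="internet",
                resource="emr/chart/P1001", resource_tier="phi")
    return {
        "clinician_from_home": AccessRequest(**base),
        "clinician_stale_session": AccessRequest(**dict(base, network="vpn", auth_time=stale)),
        "clinician_unmanaged_on_campus": AccessRequest(**dict(base, network="campus", device_managed=False)),
        "billing_reads_chart": AccessRequest(**dict(base, network="campus", user="tbrown", role="billing")),
        "no_mfa_internal_app": AccessRequest(**dict(base, network="campus", mfa_verified=False,
                                                    resource="intranet/schedule", resource_tier="internal")),
        "public_page_no_mfa": AccessRequest(**dict(base, mfa_verified=False,
                                                   resource="www/visiting-hours", resource_tier="public")),
    }


def run_samples():
    """Map each sample request name to the policy decision."""
    return {name: evaluate(req)[0] for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision, reasons = evaluate(req)
        print(f"{name:32s} {decision:8s} {'; '.join(reasons)}")
```

The point of the sample set is the third case: a physician on the campus network with an unmanaged laptop is denied PHI access, while the same physician at home on a managed, healthy device is allowed. Location never substitutes for posture and identity.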

The Rise of IoMT Devices

Healthcare organizations must also find new, more cost-effective ways to deliver high-quality healthcare to their increasingly tech-savvy consumers – and the use of Internet of Medical Things (IoMT) devices is critical to this process. IoMT devices, ranging from simple telehealth and remote patient monitoring to surgical robots and augmented reality technologies, can reduce operating costs and increase the quality of patient care.

COVID-19 has accelerated the adoption of IoMT technology, a process that will accelerate further as 5G networks become available over the coming one to three years. Many of the simpler IoMT devices cannot run endpoint agents or be patched on a normal cadence, so they don’t fit traditional security models, and their adoption poses significant new threats unless healthcare institutions act to enhance security by, for example, ensuring that their network detection and response tools are ready for this challenge.

Looking ahead, it’s clear that the world is evolving towards a new normal, which will pose more threats and concerns for the healthcare industry. Recognizing this and preparing for the threats discussed, will create a better game plan for what’s to come and allow for necessary growth within healthcare infrastructure. 


About Martyn Crew
Martyn Crew is Director of Solutions Marketing at Gigamon. He brings a 30-year background in all aspects of enterprise IT to his role where he focuses on a number of initiatives and products including Gigamon’s Application Visibility and Intelligence solutions.


How Hackers Are Targeting COVID-19 Vaccine Distribution Chain – Q/A

COVID-19 Vaccine Cyber Attacks

With the US and other major countries poised to begin national distribution of multiple FDA-approved COVID-19 vaccines, the cybersecurity threats to secure COVID-19 vaccine distribution are imminent. Earlier this month, IBM released a report on malicious cyber actors targeting the COVID-19 cold chain, an integral part of delivering and storing a vaccine at safe temperatures.

Impersonating a biomedical company, the actors sent phishing and spear-phishing emails to executives and global organizations involved in vaccine storage and transport in order to harvest account credentials. The emails were posed as requests for quotation for participation in a vaccine program. In the report, IBM urges companies across the COVID-19 supply chain, from research into therapies and healthcare delivery to the distribution of a vaccine, to be vigilant and remain on high alert during this time.

We recently sat down with Nigel Thorpe, Technical Director, SecureAge, an enterprise data security and encryption company to talk about the cybersecurity risks involved with COVID-19 vaccine distribution.

HITC: What type of information are hackers trying to seize to disrupt the vaccine distribution process?

Thorpe: Hackers will try to obtain all the data they can muster, but specifically, they are looking for data around the distribution logistics together with details of the vaccine and its packaging. Using this they could attempt to replicate and profit from a counterfeit vaccine. In addition, cybercriminals are looking for all sorts of personal information about people involved in the vaccine distribution process, plus members of the public, so they can attempt identity theft and phishing attacks.

What are the dangers and implications if foreign actors weaponize this information?

Thorpe: One of the biggest problems that already exist is an apprehensive public who is concerned with taking the vaccine because of fears that the approval process has been rushed and circumvented. These fears can be exploited by cybercriminals simply through the use of disinformation. In terms of cybersecurity, any attack on the distribution chain feeds into the fear of those already uncertain about the whole program.

In addition, bad actors could launch ransomware and spear-phishing attacks to get into the corporate network. Here, they can steal information concerning the “cold chain” and use this to build an illegal channel for counterfeit vaccine delivery. Not only would this result in unauthorized, unsafe vaccines being distributed but also reinforce fears of vaccines that many Americans already have. Any data, no matter how small or seemingly innocuous, could be used and exploited by cyber attackers.

How can health facilities remain protected?

Thorpe: The most important aspect is to ensure that data is encrypted at all times so even if it is stolen, hackers won’t be able to access this scrambled information. In addition, organizations should make sure that unauthorized processes don’t run. This can be done by blocking any application that attempts to execute, but which is not on an authorized list. These measures will stop the problems of both phishing messages and data theft – even by insiders.

What other information do you think hackers will target in the future as we head into 2021?

Thorpe: Outside of exploiting the vaccine distribution network, hackers will attempt to capitalize on the continued remote working situation that is likely to last for most of 2021. Cybercriminals will try to exploit a situation where workers are not all using secure devices, resulting in data being stolen and exploited by bad actors.

In addition, we can expect combination attacks, where something technical and something human will be combined in ways that the confines and physical security of office spaces would have prevented. Notices sent by mail to homes, phone calls, and possibly even personal visits by repair technicians will be facilitated through stolen information and credentials online, upping the ante of the scams and other illegal shenanigans.

Phishing attacks most common cybersecurity incident at US healthcare organizations

A survey of healthcare cybersecurity professionals by HIMSS details the most common types of cyber attacks, their impact on patient care, and the solutions hospitals and health systems have implemented to avoid falling prey to this type of criminal activity.

New Attacks, Regulations, and Stakes Call for New Security Strategies

 Tim Callan, Senior Fellow, Sectigo

The amount of data generated by the healthcare industry is staggering—and constantly increasing.  Healthcare data encompasses the personal information of patients, doctors, nurses, and administrators. It includes diagnostic information, test results, ultrasound images, x-ray images, and of course insurance and financial information. With so much sensitive patient information there for the taking, it comes as little surprise that the healthcare industry—perhaps more than any other sector—has become a primary target for cyberattacks. Now, more than ever, it is critical that healthcare organizations take decisive action to protect their data. 

There has been no shortage of major (and notably costly) data breaches in recent years. The Equifax breach, for example, affected nearly half of all Americans. Last year’s Facebook breach was also headline news, thanks in large part to the number of users affected. Then there was a lesser-known yet costly LifeLabs breach—the largest in Canadian history—affecting more than 15 million people and prompting a lawsuit seeking north of $1 billion in damages for failure to adequately protect data. 

Healthcare data heists yield a premium, making them particularly attractive to hackers. The Center for Internet Security (CIS) notes that the “average cost of a data breach incurred by a non-healthcare related agency, per stolen record, is $158,” compared with $355 for healthcare records.

Though large, the LifeLabs incident isn’t even close to the largest healthcare data breach in history. That dubious honor goes to Anthem, which suffered a breach in 2015 that resulted in nearly 80 million compromised records. Although Anthem was able to reach a settlement with the victims for the relatively paltry sum of $115 million, both the standards for data protection and the expected remediation for failure have changed considerably in the five years since the attack. 

Regulations Raise the Stakes for Security

As the regulatory environment surrounding data breaches of all types grows more strict, hospitals and insurers have found themselves in the crosshairs of an increasingly brazen and sophisticated set of attackers. Part of the reason for this targeting stems from the relative value of healthcare records. There is a reason why “HIPAA” is an acronym known to most Americans, while other data protection laws are not.

Protected Health Information (PHI) tends to be more valuable than standard Personally Identifiable Information (PII), in large part because of its static nature. Patients can change a compromised credit card number, or even a social security number, but not their medical history, and scammers prepared to exploit that history may render victims more vulnerable to certain types of fraud.

New regulations are further raising the stakes for compliance. Although the California Consumer Privacy Act (CCPA) is not specifically targeted at healthcare organizations, the sector is potentially one of the most exposed industries under the new law. An organization found to be in violation of CCPA has 30 days to rectify the situation or face civil penalties of up to $2,500 per violation, rising to $7,500 per intentional violation.

To put this in context: if CCPA were adopted nationwide and the maximum rate were applied to every affected individual, the LifeLabs breach that affected 15 million people would potentially be subject to a fine of $112.5 billion. The $1 billion lawsuit that LifeLabs is facing might sound like a lot, but under CCPA it might mean getting off easy. This should underscore the necessity of protecting data of any kind today, let alone healthcare records.

Ecosystems Span Email to Equipment

With the healthcare industry becoming an increasingly popular target and the penalties for breaches growing steeper, it’s important to consider that every endpoint, from desktops to devices, presents an attack path. Measures as simple as stronger email security can make a big difference: in 2018 alone, Business Email Compromise (BEC) attacks resulted in more than $1.2 billion in victim losses. Spear phishing attacks, which use social engineering to convince the target to relay confidential personal or financial information to what they believe is a legitimate recipient, are an increasingly common way for attackers to obtain user credentials or even PII or PHI directly. Securing email with S/MIME (Secure/Multipurpose Internet Mail Extensions) lets employees digitally sign and encrypt their messages and, because a valid signature authenticates the sender, lets recipients detect whether a received message is genuine or should not be trusted or opened. The protection only materializes if recipients’ mail clients actually verify signatures and staff are trained to treat an unsigned message from a colleague as suspect.

Digital certificates are an essential part of protecting medical devices. Because they can be provisioned during manufacturing, these certificates allow a device’s identity and integrity to be established from the moment it is first powered on. They also make device spoofing far harder, since a counterfeit device cannot present a certificate that chains to the manufacturer’s issuing authority without the corresponding private key, which protects against counterfeit devices connecting to the network. A manufacturer’s approach to device identity is therefore a useful proof point when vetting device suppliers: ask how certificates and keys are issued, where the private key is stored on the device, and how a compromised certificate is revoked. By trusting only manufacturers with a responsible approach to authentication, healthcare organizations can help protect one of the areas most susceptible to costly breaches.

Medical equipment itself has also become more vulnerable. Today’s diagnostic devices are rarely standalone; most are connected to the internet, and anything connected to the internet can potentially be compromised. In fact, this compromise could occur before devices even leave the factory, potentially undermining even the most secure networks, which is leading medical device manufacturers to consider security starting at the assembly line, the point where device identity measures and digital certificate authentication become critical. Technologies such as secure boot protect the integrity of a device’s firmware from the first time it is powered on. Similarly, embedded firewalls and secure remote update mechanisms help ensure that software updates are authenticated before installation and that communication with unauthorized devices is stopped before harm can be done.


Moving Forward with New Security Strategies

Today, health insurers, hospitals, and other patient care organizations must manage a truly massive amount of data. It is simply a fact of life. That data comes in many forms, and it can be valuable to cyber attackers for a multitude of reasons. At its core, this data is the healthcare industry’s most valuable asset—one that it must protect at all costs. 

Vulnerabilities can take many forms, from human error to compromised devices. And while no solution can shield against every possible form of attack, data and IT security administrators (and even OEMs) can take concrete steps to protect their organizations, patients, or chipsets against common attack vectors and better comply with today’s strict data protection regulations. Yes, the cloud has introduced new vulnerabilities, but it has also enabled new security strategies and solutions that give every application, cell phone, server, or other connected “thing” an authenticated digital identity. The stakes are simply too high, and attackers too capable, to rely on yesterday’s security status quo.

About Tim Callan, Senior Fellow at Sectigo

Senior Fellow Tim Callan contributes to the company’s standards and practices effort, industry relations, product roadmap, and go-to-market strategy. Tim has more than twenty years’ experience as a strategic marketing and product leader for successful B2B software and SaaS companies, with fifteen years’ experience in the SSL and PKI technology spaces.

5 Critical Considerations for Patient Privacy in Telehealth

Sachin Nayyar, CEO at Securonix

The COVID-19 pandemic has had a tremendous ripple effect across all industries, with one of the most impacted being healthcare. Providers have had to quickly adapt to supporting patients ‘virtually’ in a secure manner, while simultaneously developing procedures to support accurate reporting to government organizations. These changes have placed added pressure on security and privacy professionals, as they struggle to keep up with urgent demand.

Mature healthcare organizations already have stringent policies and procedures in place to remain compliant with government regulatory requirements (e.g., HIPAA and the HITECH Act) and protect patients’ privacy. However, with the new focus on telehealth, unprecedented patient growth, and strict reporting requirements, the key threats that healthcare security and privacy teams need to be able to detect are also evolving:

  • Unauthorized access to patient data by employees
  • Patient data snooping (by employees, family members, co-workers, etc.)
  • Compromised records (unusual access patterns – new locations, multi-location access, etc.)
  • Failed logins and download spikes 
  • Terminated or dormant user accounts being used to gain access
  • Accessing discharged patient records or deceased patient records

Identifying these threats and uncovering suspicious patterns or activities, however, is no easy feat. Most security monitoring solutions cannot integrate with electronic medical record (EMR) systems and consume their audit data in a usable format. As a result, these solutions have limited out-of-the-box content, leaving most of the detection engineering to security operations teams that are already overwhelmed. Legacy security tools are no longer cutting it: their rule-based event monitoring does not account for the patient data privacy protections required by HIPAA, HITRUST, and GDPR, and they lack the ability to protect patient data from insider threats, advanced persistent threats, or targeted cyberattacks.

Successfully monitoring patient data privacy must focus on two key entities: the employees accessing records and the patients whose records are being accessed. Organizations need to be able to visualize and correlate events across these entities and throughout the IT infrastructure and EMR applications to detect suspicious patterns while adhering to reporting and compliance mandates.

Monitoring EMR applications is crucial to detecting and preventing suspicious activity that may lead to data compromise, but it can be a cumbersome process. Given that nearly all EMR audit records contain patient data, organizations must maintain the confidentiality of that data while enabling security monitoring. Unfortunately, most traditional SIEMs do not address this problem, so organizations are forced to intermix sensitive patient data with other IT data, risking compliance violations.
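As an added example of what such monitoring looks like in practice (written for this article; not Securonix code), the script below runs several of the detections listed above over a constructed EMR audit extract: terminated accounts still in use, access without a treatment relationship, possible family snooping via a shared surname, access to discharged or deceased patients’ records, and download spikes. It also addresses the confidentiality point just made: findings carry a keyed token in place of the raw patient identifier, so the monitoring output can sit beside ordinary IT logs while only the privacy office can re-identify a patient. Column names, the definition of a treatment relationship (on the care team or in the same department), and the thresholds are assumptions for the example.

```python
"""Patient-privacy monitoring over EMR access logs.

Added example for this article, not Securonix code. The audit extract is
constructed; column names and thresholds are assumptions.
"""
import csv
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

MAX_DOWNLOADS_PER_HOUR = 3                         # assumed threshold; tune to the baseline
INACTIVE_PATIENT_STATES = {"discharged", "deceased"}
# Held by the privacy office, not the SOC. Findings carry HMAC(key, patient_id)
# instead of the identifier, so the SIEM never stores PHI identifiers.
PATIENT_TOKEN_KEY = b"constructed-example-key-rotate-me"

EMR_AUDIT_LOG = """\
ts,user,user_dept,user_status,user_surname,patient_id,patient_surname,patient_dept,patient_status,care_team,action
2020-11-03T09:02:11,jlee,cardiology,active,Lee,P1001,Ortiz,cardiology,admitted,jlee;mkhan,view
2020-11-03T09:10:45,tbrown,oncology,active,Brown,P1001,Ortiz,cardiology,admitted,jlee;mkhan,view
2020-11-03T09:15:00,rortiz,radiology,active,Ortiz,P1001,Ortiz,cardiology,admitted,jlee;mkhan,view
2020-11-03T11:30:22,pgarcia,cardiology,terminated,Garcia,P1002,Nguyen,cardiology,admitted,jlee,view
2020-11-03T13:00:00,dwu,cardiology,active,Wu,P1003,Smith,oncology,deceased,mkhan,view
2020-11-03T14:00:05,svale,cardiology,active,Vale,P1004,Patel,cardiology,admitted,jlee,download
2020-11-03T14:06:40,svale,cardiology,active,Vale,P1005,Okafor,cardiology,admitted,jlee,download
2020-11-03T14:12:19,svale,cardiology,active,Vale,P1006,Rossi,cardiology,admitted,jlee,download
2020-11-03T14:19:58,svale,cardiology,active,Vale,P1007,Chen,cardiology,admitted,jlee,download
"""


def tokenize_patient(patient_id):
    """Stable keyed token for a patient identifier; re-identification needs the key."""
    return hmac.new(PATIENT_TOKEN_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def parse_log(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["care_team"] = set(r["care_team"].split(";"))
    return sorted(rows, key=lambda r: r["ts"])


def has_treatment_relationship(r):
    # Assumed definition: named on the care team, or working in the patient's department.
    return r["user"] in r["care_team"] or r["user_dept"] == r["patient_dept"]


def detect(rows):
    """Run the privacy detections over time-ordered audit rows; return findings."""
    findings = []

    def flag(rule, r):
        findings.append({"rule": rule, "user": r["user"],
                         "patient": tokenize_patient(r["patient_id"]),
                         "ts": r["ts"].isoformat()})

    recent_downloads = defaultdict(list)   # user -> download timestamps in the last hour
    spiked = set()                         # users already reported for a spike
    for r in rows:
        if r["user_status"] != "active":
            flag("terminated_account", r)
        if not has_treatment_relationship(r):
            if r["patient_status"] in INACTIVE_PATIENT_STATES:
                flag("inactive_patient_record", r)
            else:
                flag("no_treatment_relationship", r)
        if (r["user_surname"].lower() == r["patient_surname"].lower()
                and r["user"] not in r["care_team"]):
            flag("surname_match", r)
        if r["action"] == "download":
            window = [t for t in recent_downloads[r["user"]] if r["ts"] - t <= timedelta(hours=1)]
            window.append(r["ts"])
            recent_downloads[r["user"]] = window
            if len(window) > MAX_DOWNLOADS_PER_HOUR and r["user"] not in spiked:
                spiked.add(r["user"])
                flag("download_spike", r)
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in detect(parse_log(EMR_AUDIT_LOG)):
        print(f"{f['ts']} {f['rule']:26s} user={f['user']} patient_token={f['patient']}")
```

Two of the constructed rows deserve a second look when tuning such rules: the radiologist named Ortiz opening an Ortiz chart triggers both the surname and the relationship rule, which is the pattern that should go to a privacy officer rather than a ticket queue, while the cardiology nurse’s four downloads in twenty minutes might be legitimate discharge paperwork, so the spike threshold needs a department baseline before it becomes an alert.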

To achieve these goals in the near term, there are five crucial areas where healthcare security and privacy teams need to focus attention:

1. Remote Access Protocol: Like all other industries, healthcare organizations must now grant remote access to a large percentage of their workforce. As they migrate workers to remote access these organizations must address logistical challenges such as ensuring IT support can keep up with requests and implementing multi-factor authentication. 

2. Security Training: Organizations must make sure that their employees are abreast of the unique challenges that accompany working remotely and the associated security best practices (e.g., security hygiene, secure internet connections, strong versus weak passwords, and the signs of a phishing attack).

3. Critical App Exposure: Typically, critical applications containing electronic health records are not exposed to the internet without very rigid security controls. However, with the need to share and access more information via apps, strict security is more critical than ever before. 

4. Use of Personal Devices: Many organizations do not issue corporate devices to all their employees. Therefore, there is a greater security risk as workers are being permitted to use their personal devices to access critical systems.

5. User Monitoring and Detection: Identity activity patterns are vastly different as employees adapt to the new normal. As a result, prospective attack vectors have changed drastically. Monitoring and detecting new patterns of human and non-human identities must happen quickly in order to adapt to the new reality and detect attacks.

With the entire world experiencing unprecedented changes, we must learn to adapt quickly and strategically. New threat patterns will emerge, but it is crucial to remain vigilant about all activity and access occurring across IT infrastructure. Stringent regulations and ethical codes of conduct also mean that organizations need to be more vigilant about protecting patient data privacy than ever before. 

The constantly evolving data landscape makes it hard to differentiate new and normal, from malicious and threatening. Healthcare organizations need to assess their security posture, ensuring that they have proper tools in place to accurately analyze and correlate events across the IT infrastructure and electronic records. Only with access to this full picture will they be able to detect any suspicious patterns and ultimately protect patient data.


About Sachin:

Sachin Nayyar is the CEO of Securonix, a company redefining Next-Gen SIEM using the power of big data and machine learning. He drives the vision and overall business strategy for Securonix. Built on an open Hadoop platform, Securonix Next-Gen SIEM provides unlimited scalability and log management, behavior analytics-based advanced threat detection, and automated incident response on a single platform.

Prior to Securonix, Nayyar served as the founder & CEO of VAAU where he led the company from conception to acquisition by Sun Microsystems. Following the acquisition by Sun, Sachin served as the Chief Identity Strategist for Sun Microsystems where he led the vision and strategy for the Sun security portfolio. Sachin is a renowned thought leader in areas of risk, regulations, compliance, identity/access, and governance and speaks frequently at professional conferences and seminars.

Cybersecurity: Managing Risk in the COVID-19 Era

Healthcare IT consultants’ work involving health records may expose them – and their provider and payer clients – to regulatory, legal, financial, and reputational risk. These risks are potentially higher in the COVID-19 era, with many of their employees working from home and accessing sensitive records and networks from remote locations. According to the US Department of Homeland Security (DHS), there is a heightened risk of phishing, SMS phishing and other attacks using COVID-19 themes, and increased attacks on newly deployed remote access and teleworking infrastructure. Managing these risks requires a clear understanding of what a consultant’s potential exposures are, adopting best practices for mitigating risk, and considering appropriate insurance coverage to cover potential liabilities. 

How big is your risk?

Too often, cyber risk analysis is conducted with simplistic estimation methods based on broad assumptions. These methods may not tell the full story and may leave an organization uninformed about its true exposure. In my practice, we can use sophisticated scenario analysis to estimate cyber exposure – efficiently defining cyber event scenarios and estimating resulting losses using cost models tailored to specific impacts. Calculating the risk environment related to COVID-19 is part of this analysis.

Consultants and other vendors who have access to personal health information held by organizations typically considered “covered entities” under HIPAA are, as such, “business associates” under HIPAA and subject to HIPAA requirements and penalties. These consultants may also be subject to claims and legal actions by affected patients who believe their personal health information privacy has been violated.

Because of the value of health records and the size of many of the clients, the average claim for a security or privacy breach is $3.4 million for larger healthcare organizations, according to NetDiligence. Consultants are also subject to the risk of claims and legal actions from their provider or payer clients for damages arising from data breaches and other cybersecurity incidents, interruption of service, and other problems. Whatever the merits of these claims, the cost of defending against them can be very high.

Best practices for risk management

Best practices for risk management in the COVID-19 era start with employee education and ongoing communication: safeguarding personal health information, following your organization’s data security policies, properly handling emails that may carry malware or ransomware, protecting mobile devices and sensitive paper documents in transit, and other measures. In an era of mass telecommuting, it also means strengthening the security controls around the Security Application Gateway or VPN used to reach corporate systems and enforcing multifactor authentication where applicable. It also includes following best practices for virtual meetings, including the National Institute of Standards and Technology (NIST) Virtual Meetings Best Practices.

An updated business continuity and incident response plan, regularly tested and reviewed, is essential – with copies of the plan available offline and off-site. The plan should include contact information for incident response vendors who have been approved by your cyber insurance carrier(s). The incident response plan should, at a minimum, follow HHS guidance.

How much insurance do you need?

It’s a good idea to evaluate your insurance needs at least once a year, and perhaps more often if your business is rapidly changing. Some organizations acquire insurance early on in their company history, just enough to meet the requirements of clients, lenders, investors, and other interested parties. As time goes on, inefficiencies creep in: you may be paying too much for some coverages, or not scaling up coverage to match the current size of your business and its potential exposures. Coverage should also match the nature and size of current threats. For example, ransomware demands increased 33% on average to $111,605 from Q4 2019 to Q1 2020, according to a recent Coveware report. A regular review, coupled with accurate risk assessment, will help you determine appropriate coverages.
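The scenario analysis described under “How big is your risk?” and the question of how much coverage to carry can both be illustrated with a small Monte Carlo aggregate loss model. This is an added example written for this page, not code or data from the article or from Marsh & McLennan Agency; the scenarios, event frequencies, loss parameters and policy limit are constructed placeholders, not actuarial figures. It defines a few event scenarios, attaches a simple cost model to each (a Poisson count of events per year and a lognormal loss per event), simulates many years, and reports the expected annual loss, tail percentiles and how often a given insurance limit would be exhausted.

```python
"""Scenario-based cyber loss estimation with a Monte Carlo aggregate loss model.

Added example for this page, not from the article or from Marsh & McLennan
Agency. Scenario names, rates, loss parameters and the policy limit are
constructed placeholders; the method, not the numbers, is the point.
"""
import math
import random

# Constructed scenarios: name -> (events per year, median loss in USD, lognormal sigma)
SCENARIOS = {
    "ransomware_outage":                 (0.30, 250_000.0, 0.9),
    "phi_breach_remote_worker":          (0.20, 400_000.0, 1.0),
    "vendor_incident_third_party_claim": (0.10, 150_000.0, 0.8),
}


def poisson(rng, lam):
    """Knuth's method: number of events in one simulated year for rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_loss(rng, median, sigma):
    """One event's loss: lognormal with the given median (exp(mu)) and sigma."""
    return rng.lognormvariate(math.log(median), sigma)


def simulate_year(rng, scenarios):
    """Total loss across all scenarios for one simulated year."""
    total = 0.0
    for rate, median, sigma in scenarios.values():
        for _ in range(poisson(rng, rate)):
            total += lognormal_loss(rng, median, sigma)
    return total


def analytic_expected_loss(scenarios):
    """Closed form for a sanity check: sum over scenarios of rate * E[severity],
    where E[severity] for a lognormal is median * exp(sigma^2 / 2)."""
    return sum(rate * median * math.exp(sigma ** 2 / 2)
               for rate, median, sigma in scenarios.values())


def estimate_exposure(scenarios, policy_limit, years=20_000, seed=7):
    """Simulate `years` independent years and summarise the annual loss distribution.
    Returns expected annual loss, tail percentiles, the probability of any loss in a
    year, and the probability that a year's losses exceed the given policy limit."""
    rng = random.Random(seed)                  # fixed seed keeps the run reproducible
    losses = sorted(simulate_year(rng, scenarios) for _ in range(years))

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "expected_annual_loss": sum(losses) / years,
        "p50": pct(0.50),
        "p95": pct(0.95),
        "p99": pct(0.99),
        "prob_any_loss": sum(1 for x in losses if x > 0) / years,
        "prob_exceeds_limit": sum(1 for x in losses if x > policy_limit) / years,
    }


if __name__ == "__main__":
    limit = 1_000_000.0                        # constructed placeholder policy limit
    result = estimate_exposure(SCENARIOS, limit)
    print(f"analytic expected annual loss: {analytic_expected_loss(SCENARIOS):,.0f}")
    for key, value in result.items():
        print(f"{key:>22}: {value:,.3f}" if value < 1 else f"{key:>22}: {value:,.0f}")
```

With these placeholder rates more than half of the simulated years have no loss at all, so the median is zero while the 99th percentile sits far above the expected annual loss. That gap is the practical lesson: an expected-loss figure alone says little about what limit to buy, whereas the tail percentiles and the probability of exhausting a given limit speak directly to the sizing question. Replacing the constructed parameters with figures from incident history and the organization’s own cost model for each impact (downtime, notification, legal defense) is what turns the skeleton into the kind of analysis the text describes.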

Review your cyber liability insurance policy to understand how it will respond to security or privacy infiltrations in a remote-desktop employee environment. Most updated policy forms affirmatively cover unauthorized access into the organization’s network, system, or environment when the software is managed by the insured organization, such as via a mobile device manager (MDM). However, each policy differs in coverage. Remind employees to report suspected activity or infiltrations of their home network to their IT/information security team in accordance with your incident response plan and cyber liability policy.

Conclusion

With the expanded use of technology, such as cloud utilization and EMRs, the healthcare industry is more interconnected and more dependent on service providers than ever before. The pandemic further stresses this reality and can pose numerous liabilities around the confidentiality, integrity, and accessibility of the data within your organization. Reviewing your vendor contracts and the audit procedures of such critical vendors can be valuable in maintaining supply chain resiliency and limiting legal and incident response costs when security or privacy incidents occur. Cyber insurance may be an afterthought in some organizations; however, it is a crucial response mechanism that should be known and tested with various simulations to understand the adequacy of coverage and limits.


Mario Paez, RPLU, CIPP/US is Director, Cyber & Technology E&O, with the Minneapolis office of Marsh & McLennan Agency LLC. He can be reached at [email protected]


Disclosure: This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisers.