In early August, Prospect Medical Holdings was the victim of a cyberattack that affected the company’s computer systems, forcing emergency rooms within its healthcare facilities to shut down and ambulances to divert. The healthcare system could not use its computer systems, which prompted providers to revert to paper systems that have long been retired.
"Virtually every element of hospital operations is performed digitally. Patient medical records, coding, billing, posting of payments and accounting; everything occurs in a digital environment and is maintained on networks," said Ky Chaffin, managing director of financial services, health systems at BOK Financial®. "All that data is sensitive, making hospitals and health systems a prime target for cyberattacks. The effects of data breaches can be catastrophic, both financially and, more importantly, to patient care."
Healthcare companies are a common cyberattack target
Cybercriminals often target healthcare companies because of the wealth of data they possess; attacks like the one on Prospect are not new.
Healthcare organizations experienced 1,426 weekly attacks in 2022, a 60% increase over 2021. Ransomware attacks—malware that encrypts files on a device and holds them “hostage” until a ransom is paid—are even more prevalent. According to threat intelligence data from the FBI, out of the 870 ransomware attacks last year, healthcare was the most common target, representing more than 24% of the attacks.
The average cost of a healthcare breach is $10.93 million—making them the costliest of all industries, largely because of the value placed on the data that can be gleaned from an attack.
“The data-rich environment of a healthcare organization provides cybercriminals with your blood type, medical history, personal identifiable information (PII), financial information and more,” said Paul Tucker, chief information security and privacy officer at BOK Financial. “Other than the federal government, it’s difficult to get that much info that can be sold for a profit for these criminal enterprises. It’s why healthcare is a big target.”
According to Jay Bouche, channel and customer success with Lumifi, a managed cyber anomaly detection and response provider, medical records sell for $250 each on the black market, making them a lucrative business for cybercriminals.
“The healthcare industry has led in the adoption of robust data security measures, but the reality is that cybercriminals evolve quickly, always looking for novel ways to defeat the security in place,” Chaffin said.
Cyberattack fallout
And dollars and cents are not the only things affected once a cyberattack occurs.
“Cyberattacks present not only operational and financial risks for hospitals, the consequences can quite literally be life or death for patients.” - Ky Chaffin, managing director of financial services, health systems at BOK Financial
Exposure of health records also can violate the Health Insurance Portability and Accountability Act (HIPAA), which protects individuals' medical records and other individually identifiable health information. Violations can result in both civil and criminal penalties and fines.
Meanwhile, companies’ inability to collect revenue, an increase in insurance premiums, reputational damage, fines and, for a publicly traded company, even changes to the market can all be part of the fallout.
The role of cyber insurance
Given the evolution of ransomware and cyber extortion events, a comprehensive cyber insurance program is even more important for healthcare companies to consider.
“Cyber coverage can be implemented in many ways; there’s no one form or policy that covers all cybersecurity issues,” said Sean Pechan, insurance practice leader at USI Insurance Services. Pechan said healthcare organizations have a different structure for protections because of the nature of the information and data being protected.
Cyber insurance aims to protect four main sources of data: PII, confidential corporate information, payment card processing information and protected health information. For healthcare companies, the risk exposure includes all four categories. In providing coverage, underwriters look at the controls around protecting the information, how it’s stored, how it’s accessed and, if it’s compromised, the potential to use backups or alternate systems.
“The importance of underwriting controls for cyber insurance has become increasingly scrutinized,” Pechan said. “There’s a much higher emphasis placed on what risk management is in place for an underwriter to consider.”
He said controls like multi-factor authentication (MFA), which requires users to log in using two (or more) forms of identification, such as a password and a one-time code, and endpoint detection software are now mandatory for coverage.
He added that cyber insurance is not the only answer, but a piece of the puzzle.
“Preventing the event will take you further than having insurance, but being prepared for the event is what will make you resilient.” - Sean Pechan, insurance practice leader at USI Insurance Services
Safeguards to consider
Cyberattacks often begin through phishing, the practice of sending fraudulent communications that appear legitimate to gain access to sensitive information or data.
“Cybercriminals gain a foothold through phishing in one account and continue to escalate the threat to a leader that might have privileged rights and access to valuable data,” Tucker said.
Here are some protections to consider:
- Enhanced spam filters. It’s not enough to use the filters already available from your email provider; these built-in solutions aren’t going to pick up on the intelligent phishing attempts that look like they’re coming from legitimate internal or external sources. One way to enhance filtering is to tag every email that comes from outside the organization.
- Multi-factor Authentication (MFA). Although it’s a requirement for cyber insurance policies, MFA should be essential for any healthcare company.
- AI-driven monitoring. Artificial intelligence can identify potential threats by looking for anomalies in email traffic, helping to combat email-based compromises.
- Think about resiliency. The time to consider business resiliency is not during an event, but before one occurs.
- Partner with an outside Security Operations Center (SOC) or Managed Detection and Response (MDR) provider. It’s important to have access to an outside team that can multiply efforts quickly if ransomware strikes. Additionally, 24/7 monitoring improves the odds of identifying a breach in real time.
Additionally, Tucker recommends using a framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, for protection:
- Identify. Managing technology assets is critical: networked devices that no one knows about are what cybercriminals are likely to target first. “If you don’t know about them, you can’t patch them or update them with the latest security updates,” Tucker said. Identify any assets that aren’t being used.
- Protect. Phishing is one of the biggest threats to an organization, so investing in advanced protection is critical. If an organization can’t afford this investment, employee training becomes crucial as the first defense against outside threats.
- Detect. In the case of ransomware attacks, the cybercriminals have likely been in your network for some time, trying to crack your passwords so they can steal information and then deploy ransomware. This is where detection and monitoring come in, but detection software might not make a difference unless an organization has focused on the “identify” portion. If an organization understands where its assets are, detection software can spot breaches very early so they can be mitigated more quickly.
- Respond. Having a playbook for response to an incident is crucial to recovering from a cyberattack. For example, if an MDR sees ransomware on a device, the next step would be to isolate it so it can’t spread everywhere. A playbook covers the response protocols in detail, along with who is responsible for each step.
- Recover. This step is crucial and involves developing and implementing the appropriate activities to maintain resilience plans and restore any capabilities or services that were impaired because of a cybersecurity event.
“Healthcare organizations have had to focus extensively on data privacy, which may have diverted resources from data security attacks,” Tucker said. “Preparing for a cybersecurity event, data breach or ransomware attack should be a top priority for these institutions.”