How to protect your care business from cyber-attack

Healthcare cyber-security series.

Cyber security in healthcare is a growing concern for healthcare leaders and for good reason. Healthcare has been a key target for cyber-criminals, accounting for 67% of attacks in 2019¹ and this has been getting worse throughout the pandemic.² The top cause of loss for healthcare businesses was accidental disclosure – often a result of human error.³

Cyber-criminals target healthcare businesses as they adopt new technologies - exploiting the growing interconnectivity of modern software and devices. More recently, the industry has been providing huge financial rewards for criminals. Healthcare workers distracted by the pandemic and employees working remotely have been easy targets, much less likely to detect a suspicious email.

Why is healthcare a key target for cyber-criminals?

The healthcare industry presents a unique opportunity for criminals, due to the sensitive nature of the data held and how this data is shared.

• Volume of personally identifiable information and health information stored on shared systems
• Creation and transmission of Electronic Health Records (EHRs) and Personal Health Records (PHRs)
• Reliance on external service providers for payment processing and laboratory testing.

The combination of sensitive data and lack of cyber security awareness makes the healthcare industry very lucrative for cyber-criminals.

The digital wave

Healthcare has seen some dramatic changes over the last few years, moving from manual to digital records, and developing population health tools and enhanced security. This rate of change is part of the reason why cyber security issues in healthcare are concern for many leaders.

With the increase in remote working, and the improved ability to remotely access information – care should be taken to ensure all employee devices are equipped with the necessary security features.

As healthcare workers increase their use of email and digital communication methods – they become more at risk to phishing attacks and the threat of ransomware.

According to IBM’s Cost of a Data Breach Report, the average cost per compromised record has increased steadily over the last three years. In 2019, the cost was £110 (per record). To put this into context, 5.2 million records were stolen in Marriott’s most recent breach - which could amount to over £500 million.⁴

How to prevent cyber-attacks in healthcare

Often, limited budgets in healthcare mean cyber-security must compete with other urgent needs. However, it is more important than ever to invest in cyber-security. Protecting your business from cyber-crime and data breach doesn’t need to be expensive. Modest investment in training and process changes can provide outsized returns, reducing the likelihood of falling victim.

A cyber incident can lead to:

• Theft of money, data or goods
• Business interruption
• Reputational damage to your company or brand.

To protect your business, carry out robust risk assessments, offer training, and ensure you’re covered by a cyber liability policy, protecting you against human error, cyber-crime, and data breaches.

Risk assessment

A cyber risk assessment enables you to see how your staff are using applications. It not only helps ensure that cyber security policies are being followed, but improves compliance and patient data protection.

You should also assess the potential financial cost of a cyber-attack, build a model to quantify costs of a data breach, and create an assessment for loss arising from data breach.

Training and awareness

Your employees are your first-line of defence against cyber-crime and data breach. Provide periodic anti-fraud training that teaches all employees to detect and avoid phishing and social engineering scams.

Cyber liability insurance policy

Your existing commercial insurance may offer some level of coverage, but a cyber liability policy is essential to properly managing the risk within your business.

Your basic insurance will usually cover:

• General liability: Covers injury and property damage, not economic loss
• Errors and omissions: Covers economic damages resulting from a failure of defined services only - excluding data and privacy breaches
• Property insurance: Covers tangible property only
• Crime: Covers employees and tangible property. Offers no cover for third party property, including customer/client data.

Marsh Commercial can arrange cyber liability insurance that will help you with recovery from cyber-attack, by:

• Taking action
  As soon as we’re notified of an incident, our cyber policy reacts, covering your liabilities on media, data security, viruses, and hacking.
• Rectification
  Costs covered are further reaching than your initial liabilities. Customer notifications, credit monitoring, and legal fees are also included.
• Repairing the damage
  In addition to hiring forensics to identify root causes, PR consultants can also be paid to mitigate damage to your brand.

Read more about cyber liability insurance for healthcare providers here.

^Sources

^{1 http://www.pharmatimes.com/news/cyber_attacks_hit_more_than_half_of_healthcare_orgs_in_last_year_1322396}

^{2 https://blog.checkpoint.com/2021/01/05/attacks-targeting-healthcare-organizations-spike-globally-as-covid-19-cases-rise-again/}

^{3 https://www.beazley.com/news/2019/beazley_breach_briefing_2019.html}

^{4 https://www.ibm.com/uk-en/security/data-breach}