Healthcare and Cyber
Budgeting for the Unforeseeable
Costs of Cyber Threats

Cyber-crime is every business’s nightmare, and it has quickly become reality. The following are two accounts of recent activity of a kind that has become commonplace for healthcare entities.

Monday Morning Wake Up Call

On Monday morning, the office manager for a doctors’ office came into work and discovered that almost all their work emails had been deleted. Then, other employees reported that attempts to log into workstations were not working. The network administrator logged in to a server and found a ransom note that said:

“Your network has been compromised and sensitive information has been downloaded. You must contact us immediately. If you do not contact us, we will call your customers and tell them that you have been hacked and their personal data has been stolen.”

The office manager confirmed that the servers and workstations had been encrypted. The doctors and nurses were not able to access patient records. They were unable to pull up the daily schedule and prepare for patient visits, and they could not submit insurance claims or communicate with referring providers. They had no choice but to close the office while they tried to determine what had happened and make plans for how to recover.

A Thief in the Night

Friday evening, after closing, a multi-location medical office received an automated alert from their IT vendor that something suspicious was going on in their computer environment. Unfortunately, no one was monitoring the alerts, and on Monday office personnel noticed documents with an unusual extension. Then they found a ransom note telling them to reach out to the criminal group that facilitated the attack if they wanted to recover their files and documents. The note warned the office staff that data had been exfiltrated from the system and would be published on a Dark Web shaming site if the ransom was not paid.

Upon further investigation they confirmed that over 90 GB of data had been stolen from the environment, and that data unfortunately contained sensitive and protected employee and patient information which will require the medical office to complete the breach notification process. So, in addition to having to close their doors for a week while they recovered operations and restored the machines in their computer network, the medical office was required to send out thousands of breach notification letters, issue a press release, and post a notice about the event on their website. Notification law, including HIPAA, required notifications also be sent to regulatory agencies. After notice was provided to the U.S. Department of Health & Human Services – Office for Civil Rights (“HHS/OCR”), HHS/OCR opened an investigation that has been ongoing for more than eighteen (18) months and is likely to extend well into next year. Regulatory inquiries have also been received from several state Attorneys General.

Exfiltration and Extortion

These two healthcare providers, like many others in the recent past, have been victims of a rapidly increasing ransomware threat. The most sophisticated ransomware variants that target healthcare entities seek to:

+ invade a computer network
+ conduct reconnaissance
+ steal credentials
+ exfiltrate sensitive and protected data
+ extort the victims for ransom payments

The threat actors hold a decryption key needed to restore operations and use the sensitive data as a hostage until payment is made. These attacks impact the ability to provide patient care, trigger notification obligations under both HIPAA and state data breach notification laws, and disrupt revenue generation. Proper preparation and access to resources can mean the difference in surviving these types of criminal attacks.

Facts and Figures

From 2009 to 2020, 3,705 healthcare data breaches of 500 or more records have been reported, resulting in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records. That is more than 81.72% of the population of the United States.

In 2018, healthcare data breaches of 500 or more records were being reported at a rate of around 1 per day. In December 2020, that rate had doubled. The average number of breaches per day for 2020 was 1.76. (1)

1 https://www.hipaajournal.com/healthcare-data-breach-statistics/

Cyber Insurance for Healthcare

With the ongoing threat to healthcare entities, many companies and medical facilities are inquiring about proactive steps to take to protect their practice and their patients.

One integral part of an incident response plan should be a robust cyber insurance policy.

Cyber insurance encompasses third party coverage, which would address regulatory fines and penalties as well as security and privacy lawsuits. It also continues to evolve and address a variety of first party coverage such as cyber extortion, business interruption, reputational harm, data recovery and crisis management expenses. All are considered vital pieces of coverage should a catastrophic incident take place.

More Than a Policy

Determining the next steps quickly and efficiently is crucial in achieving a positive outcome after a cyber incident. Cyber policyholders have access to immediate response vendors when a cyber incident is suspected or discovered. A team of experts is in place to assess and mitigate the problem, putting plans into action. These experts may include legal counsel or a breach coach, forensic investigators, a crisis management or public relations firm, a ransom negotiator and forensic accountants.

To Learn More

The Lewis Brisbois Data Privacy and Cybersecurity Team assists clients with managing the investigation and response to all types of cybersecurity incidents, including ransomware. We facilitate digital forensics, crisis management and communication, consumer notification, and regulatory response. We work closely with cyber insurance brokers and carriers to maximize client access to appropriate resources. Our team is also experienced in handling data breach related defensive litigation. We have a team that specializes in responding to incidents in the health care sector and are available to discuss proactive prevention and preparedness.


The IMA Cyber Risk practice continues to have a pulse on the rapidly changing cyber market. We advise clients and colleagues on this heightened area of risk and how to go about transferring the risk to a cyber policy as a financial safety net for their business. To talk with an insurance professional about your concerns and to analyze your individual risk, please reach out to your local IMA representative.

Contributors

Autumn Stone, Cyber Practice Specialist

316.266.6216 | autumn.stone@imacorp.com

Lindsay Nickle, Vice Chair, Data Privacy & Cybersecurity

lindsay.nickle@lewisbrisbois.com

This material is for general information only and should not be considered as a substitute for legal, medical, tax and/or actuarial advice. Contact the appropriate professional counsel for such matters. These materials are not exhaustive and are subject to possible changes in applicable laws, rules, and regulations and their interpretations.