Healthcare Facilities Are Vulnerable

In the aftermath of the WannaCry cyber attack, it has come to light just how vulnerable healthcare facilities’ computer systems are. The UK NHS (National Health Service) was crippled by the recent global ransomware attack.

Healthcare facilities are such a target because of the high value of their assets and the ease with which they can be compromised. According to KPMG (2015), “the healthcare industry is behind other industries in protecting its infrastructure” and its data. This means cyber attackers can easily hack into their systems at no cost and reap huge rewards from a ransom threat.

According to the Ponemon Institute report (2016), on average, US healthcare facilities have been victims of one cyber attack per month over the past 12 months and half of them “have experienced the loss or exposure of patient information during this time period (26% of the other half is unsure)”.

Healthcare Facilities Have Valuable Assets

Healthcare facilities hold a number of assets that are seen as highly valuable by cyber criminals. Below is a list of the assets that are at risk:

  • Patient’s health – this can be affected in many ways by perpetrators. For instance, cyber attackers can tamper with medical device software and possibly temporarily injure the patient; cutting off the power supply in operating rooms is one way in which a patient’s health could be fatally compromised.
  • The second most important asset held by healthcare providers is a patient’s health record. This record contains not only valuable protected health information (PHI), i.e. any kind of patient health information that can be used to identify a patient, but also personally identifiable information (PII) such as social security number, healthcare provider information, credit card number, name, address, date of birth, etc., which can be sold by hackers on the black market to other criminals who use this information to steal people’s identities.
  • The availability of healthcare services. This refers to the healthcare service patients receive, e.g. from medical devices and equipment, as well as administrative healthcare services such as patient reports, prescriptions, appointments, etc.
  • Intellectual property is sometimes kept by healthcare facilities with research labs. It may be of interest to third parties such as researchers or competing pharmaceutical companies, and as a result is a possible target of cyber attacks. If this data is taken during clinical trials, stolen data could result in harm to patients.
  • Reputation of the facility and its physicians is also an asset. Now that data breach reporting in Australia will be mandatory from February next year, a cyber attack on a healthcare organisation could really harm the institution’s credibility as soon as the breach is made known to the public.

Digitalisation Poses New Security Challenges

Over the past decade the medical sector has undergone massive digitalisation, which has brought with it new security challenges. As the sector becomes increasingly reliant on these machines, the impact when they are compromised is even greater.

According to KPMG, “interconnectivity of data in healthcare holds huge promise for health outcomes – improving both quality and efficiency of medicine”; however, the risk of cyber attacks will only increase and their nature will become more complex. As we saw a few weeks ago, currently the most popular type of cyber attack targeting healthcare facilities is ransomware. Healthcare facilities are a particular target because the perpetrators know that healthcare providers cannot be without this data for a long time, as patients’ health could be at serious risk – resulting in possible death – and could prompt lawsuits against the healthcare provider. As a result, health facilities do not take any additional risks and directly pay the ransom.

Although the health sector goes to great lengths to ensure a patient’s health is protected by employing well-qualified physicians, prescribing treatments and using medical devices, the medical community unfortunately does not see cybersecurity and cyber insurance as having a major role to play in this protection.

Cyber Insurance Can Protect Against Skilled Hackers

The recent ransomware attack on the UK NHS reveals just how vulnerable healthcare facilities are and how absolutely necessary cybersecurity and cyber insurance are. Cyber insurance is necessary in conjunction with cybersecurity because, owing to the cost of upgrading them, many healthcare facilities still rely on legacy systems and devices that have reached their end-of-life or are no longer supported and, as we saw in the WannaCry attack, patches no longer protect them. Even the very best cybersecurity measures could still be compromised by increasingly adept cyber hackers.

Leed are leaders in cyber risk consulting and insurance solutions. We offer a range of cyber risk management solutions, including risk profiling that helps you understand the cyber risk exposures unique to your organisation. We also offer cyber insurance, which can cover ransomware and other cyber incidents. Cyber insurance can include provision for a cyber incident response team who can assist with the first response to a cyber incident and coordinate the actions required. Please contact us by phone on 1300 881 464, or by completing our online cyber insurance quote form, if we can assist you in preparing for, responding to, mitigating and transferring the risks of cyber incidents.