Is healthcare doing enough to protect themselves and their patients from long-lasting, irreversible effects of a cyber attack?
The financial costs associated with a security breach can be extreme and reputation damaging. In critical industries like healthcare, a cybersecurity attack could expose patients to major safety risks that no amount of cyber breach insurance will fix.
Historically speaking, healthcare has had a myopic focus on privacy and protecting the confidentiality of patient information–largely caused by HIPAA, Caldicott, APA, PDPA, GDPR, and state breach rules. These have resulted in a skewed, compliance-based approach to security by senior management with a 'checkbox mentality' of ‘have we done the minimum necessary’, rather than a attempting a holistic, risk-focused approach to identify, protect, detect, respond, and recover from threats and vulnerabilities.
These possible risks are evolving especially quickly in healthcare (as are legal liabilities and exposure to inadequate cybersecurity protection). CISOs, CROs, and GC/CLOs (General Council or Chief Legal Officers) are beginning to understand how cybersecurity preparation is critical to protecting patient safety, as well as its potential impact on reputation in the age of digital inter-connectivity.
“Cybersecurity is no longer a question of simple compliance,” said one hospital CEO at a recent US healthcare conference, “it’s about protecting the hospital’s reputation and ensuring patient safety while our systems are under attack and misbehaving."
"We purchased cyber risk insurance to cover all the un-budgeted costs associated with an attack. We keep our fingers crossed that we won’t need it.” he added.
However, many insurers are now claiming that cyber attacks are an 'Act of War' and are therefore exempt from coverage under the terms of their policies, a fact that is currently being disputed in court by drug maker Merck and its insurers.
An OCR fine and the institution’s name being posted to the OCR 'Wall of Shame' is one thing, but patients being turned away or even held to ransom by cyber-attacks compromising medical devices are an entirely different order of magnitude! It may not be prudent to rely entirely on insurance to save you.
Given our reliance today on HIT / HIoT systems to treat patients, there's a real risk that someone could lose their life because critical systems are not available to diagnose and treat them following a cyber-attack. When a hospital is forced to go on 'Full Divert' following a cyber-attack, their reputation suffers as well as seen with the WannaCry attack on the British NHS in 2017. More recently, Campbell County Health in Wyoming, USA was also forced to go on full divert following a similar cyber-attack.
“I would find it much more preferable to have HHS OCR camped out in my office examining all my papers following a breach, than the FBI walking the halls investigating a series of patient deaths at my hospital caused by a cyber-attack.” said a prominent San Francisco area CISO who preferred not to be named without clearing his statement with his employer.
“One set of risks threatens executive jail time for wanton negligence, the other pretty much guarantees it,” he added.
Some years ago I did a walk-through of a hospital in Tasmania as part of its parent company’s risk assessment. The top floor was dedicated to a large and sprawling maternity department. Patient rooms with open doors and sleeping new moms and their infants lined either side of a wide corridor so nurses could come and go to check on both. Mothers and infants had plastic straps around their wrists with their name, D.O.B., and patient identifier, but none were RFID-tagged.
It would have been very easy for someone to walk into a room, remove the sleeping child, and walk down the corridor to take the elevator down to the underground parking complex. There was no physical security to stop them–only a few nurses moving in and out of rooms.
In our debrief, I asked the doctor running the department what would happen if someone were to abduct a newborn. She protested saying that no one ever would, nor had anyone attempted so in the past–this was Tasmania, they had more babies than they needed. She acknowledged that maybe this might be a problem in in other places like Sydney or Melbourne. But, upon further consideration, she announced, “In a small-knit community like ours, we would close if something like that happened! It would ruin our reputation and no one would come here to give birth again!”
The message here is that no amount of liability insurance is going to protect your reputation fully. It can cover costs for forensic investigation, breach notification, loss of business while down or recovering, and even for extortion payments if you are unable to recover critical data wiped out during a ransomware attack–but it can never cover what your customers think of you! Cyber risk insurance is valuable, but it’s no replacement for a well-functioning cybersecurity program.
Some of us continue to shop at Target following its massive breach of customer data some years ago, but most of us would never apply for a Target Card, nor would we ever consider using an email service provided by Yahoo for similar reasons!
“Once damaged, reputation is a problem to fix” said the US hospital CEO. “It’s something that is becoming an increasing concern for all of us in healthcare. But how do you do that without spending a fortune on cybersecurity?”