Healthcare and Ransomware Go TogetherSeptember 18, 2019
By Robert Sargent, Tennant Risk Services
Unfortunately, healthcare and ransomware go together. Healthcare organizations, particularly medical practices, facilities and specialized healthcare vendors, are prime ransomware targets and should make sure that they have comprehensive Cyber Risk Insurance to obtain the best protection.
Ransomware has become the attack vector of choice due to its effectiveness. In the early days, criminals would blast out phishing emails to many recipients, hoping to get a small number of victims to pay $500-$1,000 each. Then a few targeted attacks against hospitals demonstrated the disruption that an effective ransomware attack could have and the potential for a significant ransom payment. The business interruption losses from a ransomware attack were so high that ransom payments of $20,000 to $50,000 seemed like a small price to pay, and the value of ransom payments went up. More recently, municipalities have been prime targets due to lax IT security and the potential for substantial extortion payments, with some payments exceeding $500,000.
Healthcare continues to be a prime ransomware target. In addition to hospitals, other healthcare targets can be lucrative targets of ransomware attacks – and Cyber Risk Insurance can be the difference between survival and failure.
For example, a small medical practice in Michigan suffered a devastating ransomware attack, resulting in the demise of the business. A phishing email introduced the ransomware malware, which encrypted all the practice’s electronic data. The practice was unable to access schedules, patient records or payment information. The ransom demand of $6,500 (small by comparison to other attacks) was not paid, and the criminals deleted all the practice’s records. Rather than attempting to rebuild, the owners shut the practice down. They did not have Cyber Risk Insurance to provide incident response services or financial resources to recover from the attack.
Other examples include:
- An Ohio-based practice administrator paid a $75,000 ransom payment to unlock data encrypted by a ransomware attack. In addition to the ransom payment, the practice estimated losses of $30,000 to $50,000 per day over approximately three days.
- A nonprofit youth social service suffered a ransomware attack and paid the ransom demand.
- A surgical healthcare facility in Washington paid a $14,000 ransom demand after the attack compromised patient records.
While ransomware is the leading attack vector today, it is not the only cyber exposure facing healthcare organizations. As noted in a prior post, healthcare organizations face other cyber exposures, including breaches of confidential healthcare information, theft of money from social engineering fraud and HIPAA fines.
Like many business segments, healthcare organizations are digitally connected with many other organizations, including specialized vendors. A cyber security incident at one entity can create cyber exposures at other digitally connected entities, as was the case with a recent ransomware attack at a medical billing company that entangled many other healthcare organizations.
Cyber Risk Insurance is essential for all healthcare organizations, for protection from both criminal attacks (such as ransomware attacks) and employee errors. Coverage varies widely, so a thorough review is essential to ensure that comprehensive coverage is in place – yet 70% of healthcare organizations do not have comprehensive Cyber Risk Insurance according to a recent FICO survey.
A comprehensive Cyber Risk Insurance policy will provide resources for an organization to recover from a ransomware attack. Insurers often offer 24/7 incident response resources to assist insureds in quickly addressing an attack. Comprehensive standalone policies will typically provide coverage for the extortion payment and business interruption losses. Depending on the specifics of an attack, other Cyber Risk coverages may also be triggered.
Tennant Risk Services, a division of Worldwide Facilities, is a specialty wholesale broker and underwriting manager delivering expertise, markets and exemplary services to our retail insurance agent clients in the placement of professional liability and specialty insurance. We are experts in Cyber Risk Insurance and excel at hard-to-place accounts.