Ransomware Ravaging Health Care: Why Cybercriminals Target These Vital Institutions
When it comes to hospitals and other health care facilities, cyberattacks are not as far away as one might think. That’s because these systems are extremely appealing to cybercriminals.
“Once threat actors are able to breach health care networks, they have the opportunity to ransom the organization … health care organizations have a ton of protected health information, which is a treasure trove for threat actors to sell on the dark web. There’s a lot of value in each piece of data,” said Stephanie Snyder Frenier, SVP, professional & cyber solutions practice, CAC Specialty.
Added to that, health care facilities are vulnerable entities, making them easy targets for criminals.
According to Health and Human Services data, there were 630 ransomware incidents for health care organizations globally in 2023. Of those, 460 were in the U.S. According to a Statista report, the average data breach cost for health care organizations over the past few years has amounted to nearly $11 million.
“Threat actors are following the money, and health care is where the money is,” Snyder Frenier said. “It’s as simple as that.”
So, what are these facilities to do?
A “Treasure Trove” of Vulnerability
Health care facilities big and small have several key factors in common that make them such attractive targets for cybercriminal activity. As Snyder Frenier mentioned, the amount of sensitive information stored within health care systems is a top one.
Another is this industry’s reliance on technology.
Charts, data, dosages and more are documented for each patient in health care systems’ portals. Medical devices run the gamut, from X-ray machines, insulin pumps and defibrillators to heart rate monitors, meaning there are numerous different devices with different levels of oversight to use as entry points for attackers. And then, of course, outdated technology can open the doors for cybercriminals to step in.
And if the tech isn’t accessible, patients suffer.
“If the threat actor takes a hospital offline and they are able to ransom that hospital, there’s inevitably a sense of urgency and timeliness that comes with wanting to get access back to all the technology that a hospital needs to run,” Snyder Frenier said.
Physical injury and patient endangerment stories connected to cyberattacks are rising alongside growing attacks.
In one example, a Dusseldorf hospital faced a ransomware attack in 2020, which locked up systems and caused the Emergency Department to turn patients away because it simply could not admit new patients. One woman rerouted during the incident died because she wasn’t seen in time.
Two years later, reports detailed the story of a three-year-old boy who had been given five times the amount of painkillers prescribed to him thanks to a cyberattack inhibiting personnel’s access to their digital tools.
“We’ve seen, more recently over the past several years, a lot of the attacks are focused on causing some type of disruption to services, particularly in a hospital or health care system. The focus by threat actors is forcing the hospital or health care system to pay the ransom to regain network access and be able to provide medical services to patients,” Snyder Frenier said.
A Deviation from the Norm
All that is to say, the nature of attacks can change, too. Most recently, Change Healthcare, a payment management system for UnitedHealth Group, was breached in February.
“What makes the Change Healthcare attack unique is that, in this instance, the threat actors targeted a lynchpin within the greater U.S. health care ecosystem — a technology provider,” Snyder Frenier explained. “Change Healthcare is a clearinghouse for both claims and prescription processing. In attacking them with the result of over 100 applications taken offline, the cybercriminals shut down the ability for health care organizations to be able to process claims, and prescriptions, as well as impacted the ability to get pre-authorization for medical care.”
According to the Change Healthcare website, its systems process more than 15 billion billing transactions annually, and one in every three patient records passes through its systems.
This was more than a “typical” data breach or ransomware event; this was an attack on the technology infrastructure behind the health systems across the U.S. It amounted to severe business interruption for the affected facilities, causing providers to find alternative processing clearinghouses to issue billing and/or leaving them unable to fill patients’ prescriptions or incur extra expenses in the interim.
“This showed the larger cyber insurance industry that there’s potential for a greater downstream effect on all of the customers of Change Healthcare, who may have suffered a dependent business interruption loss that may be claimed under a cyber insurance policy in terms of a potential net income loss, as well as extra expenses,” Snyder Frenier said.
It’s just one example, but it shows the ever-changing nature of cybercrime and the devastation it could cause to these organizations nationwide.
Insurance on the Case
The rise in attacks has cyber insurers on high alert — and rightfully so. Breaches are costly events, and cyber insurers want to underwrite the risk appropriately. (For perspective: In all, UnitedHealth Group has paid out $3.3 billion to providers to remedy the situation to date. This number is still likely to grow, as the breach and its fallout are still being reviewed.)
Because health care facilities have protected health information, “they have been early buyers of cyber insurance,” Snyder Frenier said. “Cyber insurance is a great backstop to these types of risks that they face from both a data breach as well as a business interruption standpoint. And cyber insurance carriers are definitely more targeted in their underwriting to ensure that there are good cybersecurity controls that health care organizations have in place, especially because they are such a target for threat actors.”
The good cyber insurers are offering tabletop exercises, business continuity planning and other partnership opportunities, both to prevent attacks and to make hospitals whole should an event occur.
But having services and finding the right fit isn’t always as cut and dried. Snyder Frenier noted that brokers can play a big role in ensuring that both the insurance carrier and the health care facility are on the same page.
“A lot of the value of cyber insurance comes down to indemnification for use of vendors for data forensics and incident response as well as attorneys to advise from a legal and notification standpoint relative to a data breach,” she said “There’s a lot of value that comes out of cyber insurance, and its key that there’s a true partnership in place.”
The ability to pay claims should be one of the top things a health care facility looks for in its insurance partner. “The broker really plays a part here in ensuring that the carriers that get put on to a cyber insurance program are well tested and understand the risks facing health care organizations, because it is a unique risk if you compare it to other types of industries,” Snyder Frenier explained.
“We’re also talking about business interruption risks, so it runs the full gamut of the policy. The brokers who are really focused on cyber insurance and have that as a particular area of expertise, are able to advise clients on which carriers are the best partners in the claims process.
“There’s a carrier for every buyer. Different buyers enter the market with different needs when it comes to cyber insurance,” she concluded. “It’s not one-size-fits-all, but your broker can play a key role in finding the one size that fits you.” &