Ransomware Ravaging Health Care: Why Cybercriminals Target These Vital Institutions

Health care facilities are an attractive and vulnerable target for cyberattack. Understanding the cyber landscape and getting the right insurance team in place is just the first step to stopping cybercriminals in their tracks.

By: Autumn Demberger | April 10, 2024

When it comes to hospitals and other health care facilities, cyberattacks are not as far away as one might think. That’s because these systems are extremely appealing to cybercriminals.

“Once threat actors are able to breach health care networks, they have the opportunity to ransom the organization … health care organizations have a ton of protected health information, which is a treasure trove for threat actors to sell on the dark web. There’s a lot of value in each piece of data,” said Stephanie Snyder Frenier, SVP, professional & cyber solutions practice, CAC Specialty.

Added to that, health care facilities are vulnerable entities, making them easy targets for criminals.

According to Health and Human Services data, there were 630 ransomware incidents for health care organizations globally in 2023. Of those, 460 were in the U.S. According to a Statista report, the average data breach cost for health care organizations over the past few years has amounted to nearly $11 million.

“Threat actors are following the money, and health care is where the money is,” Snyder Frenier said. “It’s as simple as that.”

So, what are these facilities to do?

A “Treasure Trove” of Vulnerability

Health care facilities big and small have several key factors in common that make them such attractive targets for cybercriminal activity. As Snyder Frenier mentioned, the amount of sensitive information stored within health care systems is a top one.

Another is this industry’s reliance on technology.

Stephanie Snyder Frenier, SVP, professional & cyber solutions practice, CAC Specialty

Charts, data, dosages and more are documented for each patient in health care systems’ portals. Medical devices run the gamut, from X-ray machines, insulin pumps and defibrillators to heart rate monitors, meaning there are numerous different devices with different levels of oversight to use as entry points for attackers. And then, of course, outdated technology can open the doors for cybercriminals to step in.

And if the tech isn’t accessible, patients suffer.

“If the threat actor takes a hospital offline and they are able to ransom that hospital, there’s inevitably a sense of urgency and timeliness that comes with wanting to get access back to all the technology that a hospital needs to run,” Snyder Frenier said.

Physical injury and patient endangerment stories connected to cyberattacks are rising alongside growing attacks.

In one example, a Dusseldorf hospital faced a ransomware attack in 2020, which locked up systems and caused the Emergency Department to turn patients away because it simply could not admit new patients. One woman rerouted during the incident died because she wasn’t seen in time.

Two years later, reports detailed the story of a three-year-old boy who had been given five times the amount of painkillers prescribed to him thanks to a cyberattack inhibiting personnel’s access to their digital tools.

“We’ve seen, more recently over the past several years, a lot of the attacks are focused on causing some type of disruption to services, particularly in a hospital or health care system. The focus by threat actors is forcing the hospital or health care system to pay the ransom to regain network access and be able to provide medical services to patients,” Snyder Frenier said.

A Deviation from the Norm

All that is to say, the nature of attacks can change, too. Most recently, Change Healthcare, a payment management system for UnitedHealth Group, was breached in February.

“What makes the Change Healthcare attack unique is that, in this instance, the threat actors targeted a lynchpin within the greater U.S. health care ecosystem — a technology provider,” Snyder Frenier explained. “Change Healthcare is a clearinghouse for both claims and prescription processing. In attacking them with the result of over 100 applications taken offline, the cybercriminals shut down the ability for health care organizations to be able to process claims, and prescriptions, as well as impacted the ability to get pre-authorization for medical care.”

According to the Change Healthcare website, its systems process more than 15 billion billing transactions annually, and one in every three patient records passes through its systems.

This was more than a “typical” data breach or ransomware event; this was an attack on the technology infrastructure behind the health systems across the U.S. It amounted to severe business interruption for the affected facilities, causing providers to find alternative processing clearinghouses to issue billing and/or leaving them unable to fill patients’ prescriptions or incur extra expenses in the interim.

“This showed the larger cyber insurance industry that there’s potential for a greater downstream effect on all of the customers of Change Healthcare, who may have suffered a dependent business interruption loss that may be claimed under a cyber insurance policy in terms of a potential net income loss, as well as extra expenses,” Snyder Frenier said.

It’s just one example, but it shows the ever-changing nature of cybercrime and the devastation it could cause to these organizations nationwide.

Insurance on the Case

The rise in attacks has cyber insurers on high alert — and rightfully so. Breaches are costly events, and cyber insurers want to underwrite the risk appropriately. (For perspective: In all, UnitedHealth Group has paid out $3.3 billion to providers to remedy the situation to date. This number is still likely to grow, as the breach and its fallout are still being reviewed.)

Because health care facilities have protected health information, “they have been early buyers of cyber insurance,” Snyder Frenier said. “Cyber insurance is a great backstop to these types of risks that they face from both a data breach as well as a business interruption standpoint. And cyber insurance carriers are definitely more targeted in their underwriting to ensure that there are good cybersecurity controls that health care organizations have in place, especially because they are such a target for threat actors.”

The good cyber insurers are offering tabletop exercises, business continuity planning and other partnership opportunities, both to prevent attacks and to make hospitals whole should an event occur.

But having services and finding the right fit isn’t always as cut and dried. Snyder Frenier noted that brokers can play a big role in ensuring that both the insurance carrier and the health care facility are on the same page.

“A lot of the value of cyber insurance comes down to indemnification for use of vendors for data forensics and incident response as well as attorneys to advise from a legal and notification standpoint relative to a data breach,” she said “There’s a lot of value that comes out of cyber insurance, and its key that there’s a true partnership in place.”

The ability to pay claims should be one of the top things a health care facility looks for in its insurance partner. “The broker really plays a part here in ensuring that the carriers that get put on to a cyber insurance program are well tested and understand the risks facing health care organizations, because it is a unique risk if you compare it to other types of industries,” Snyder Frenier explained.

“We’re also talking about business interruption risks, so it runs the full gamut of the policy. The brokers who are really focused on cyber insurance and have that as a particular area of expertise, are able to advise clients on which carriers are the best partners in the claims process.

“There’s a carrier for every buyer. Different buyers enter the market with different needs when it comes to cyber insurance,” she concluded. “It’s not one-size-fits-all, but your broker can play a key role in finding the one size that fits you.” &

Autumn Demberger is a freelance writer and can be reached at [email protected].

Why Insureds Might See an Uptick in M&PL Claims

George Schalick, Jr., Senior Vice President of the Management and Professional Liability Division, Philadelphia Insurance Companies

The current soft market might come as a bit of a surprise as it does not track with previous underwriting cycles and economic conditions. Afterall, many privately held and non-profit organizations struggled during the early days of the pandemic with shutdowns and rapidly declining revenues. But the Government assistance programs, like the Paycheck Protection Program loans, helped keep many afloat during the tough times.

“During COVID many organizations stopped doing business until they were able to sort out all of the health and safety challenges,” Schalick said. “They were forced to lock down, but then all the government assistance programs allowed them to keep people employed. The increased volume of claims we anticipated we would see coming from the lockdowns and restrictions that were imposed upon businesses in the U.S. didn’t manifest at first.”

“Just because there wasn’t an onslaught of reported claims at the beginning of the pandemic, doesn’t mean the circumstances that would give rise to a claim being reported didn’t occur. Courts and the judicial system were closed or slowed and now that they are back open, we’re starting to see the circumstances that occurred during the COVID lockdowns becoming claims today,” Schalick said. “Litigation is progressing.”

Added to the delayed pandemic litigation is a concern over newer claims that might be filed as the country inches toward an economic downturn. Though a recession was avoided in 2023, experts think a soft dip could occur in 2024, with 76% of economists saying there’s a 50% or less chance of an economic downturn this year — that almost always results in more management liability claims.

“During the Great Recession in 2008, we saw an almost immediate spike in claims because of the economic conditions and the pressure it placed on organizations. They were making personnel changes with significant belt tightening almost immediately.” Schalick said.

What’s in Store for M&PL Policy Rates in 2024?

Despite an uptick in claims and increased economic uncertainty, management liability rates haven’t increased, resulting in market-wide pricing levels that may not meet the increased pressure of rising settlements and jury verdicts.

“Rates are going the other direction and settlement values are not falling,” Schalick said.

The mismatch between rates, claim frequency and severity is, in part, because carriers experiencing the dramatic soft market in the public D&O market are seeking premium gain in the private and non-profit market.

“In the public company market, the rates have been decreasing significantly. The rates were increasing in the private, not-for-profit market, and rightfully so, but there’s a desire to supplement overall mid-size D&O for carriers who also write private not-for-profit, and they see that as an opportunity to aggregate premium,” Schalick said. “So the always competitive landscape in the private, not-for-profit market has dramatically increased in the last 18 to 24 months.”

Still, companies of all sizes and types should be concerned about management liability rates in the future. Legal system abuse is resulting in increases in both the amount of litigation and the size of verdicts plaintiffs are receiving.

Certain areas of the country are particularly vulnerable to this type of legal system abuse. As a result, insureds in these localities are likely to be vulnerable to rate increases.

“The environment is so positive for the plaintiff that forces premium increases so carriers are able to stay in that market long term,” Schalick said.

Why a Tenured Carrier Partner Can Help Insureds Navigate An Uncertain Market

It’s clear that insureds are facing an uncertain M&PL market over the next few years. Fortunately, carriers with a long history in the M&PL space will be there to offer stability.

Philadelphia Insurance Companies has been supporting this market for 35 years. PHLY is committed to offering long-term rate stability, even as economic and claims trends start to push premiums upwards. They have an appetite for all sorts of companies, large and small, for-profit and nonprofit alike.

“We’ve been at this game for a long time and are one of the most tenured underwriters in this space,” Schalick said. “We like to stay very consistent.”

PHLY has worked with both for-profit and non-profit on management liability policies. With dedicated M&PL teams throughout the company’s 13 regions, PHLY provides the support agents and brokers are looking for on behalf of their clients. The teams know their regions well and can respond to local trends. They’re also dedicated to making the renewal process as easy as possible for their partners and policyholders.

“We have real confidence in our results, so we focus a lot on making the renewal experience as painless as possible for all agents and insureds,” Schalick said.

The company is also investing in tools to help insureds avoid losses. Earlier this year, they launched a new online risk management platform, PHLYGateway, which offers resources for insureds on how to create an employee handbook and trainings on issues such as recognizing workplace sexual harassment and discrimination.

If insureds have questions, they can consult a Best Practices Help Line, provided via the platform. That way, they can get on the spot risk management guidance to help them prevent claims.

To learn more, visit: https://www.phly.com/mplDivision/managementLiability/default.aspx.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Philadelphia Insurance Companies. The editorial staff of Risk & Insurance had no role in its preparation.