Since When Did Health Care Become More About Convenience Than Security?

According to a white paper by cybersecurity provider Sophos in May 2021, 34% of health care organizations were hit by ransomware in the last year.
May 21, 2022

The use of telehealth stands to remain a major health care trend. But passive acceptance of its benefits without weighing its risks is not advisable.

Kyle Pass, health care broker for Risk Placement Services, said the popularity of telehealth has boomed in the last couple of years: “It’s exploded and it is only going to get bigger,” Pass said. “We were catapulted into this by the pandemic. Telemedicine has taken over.”

The Fast-Paced Adoption of Telehealth

A report by Liberty Mutual Insurance, “Healthcare’s New Reality: Risk Trends Year in Review,” singles out telehealth as a major health care trend in 2022.

Kyle Pass, broker, RPS Healthcare

According to the report, patients and providers alike are embracing telehealth. Telehealth visits were up 154% in March 2020 compared to March 2019; 46% of patients used telehealth for some visits; and virtual medical visits accounted for more than 20% of the total in 2021.

“Patients like the convenience and speed of delivery,” Pass said. “They can sit on their couch while they are watching TV and consult with their primary care physician.”

In addition to the boost given to telemedicine by the pandemic, the Liberty report noted other forces increased its use, such as the CARES Act, which removed regulatory and financial barriers for greater telehealth adoption.

Other developments in telehealth include its availability to all patients (not just those in rural areas), the ability of providers to deliver telehealth services across state lines, subject to state laws, and the ability of doctors to provide remote patient monitoring for acute and chronic conditions.

But Great Technology Brings Great Risk

As appealing as that is for some patients, the Liberty Mutual report also outlined some areas where risk may be increased.

These include:

  • Increased exposure for hackers to access patient/doctor communications
  • Increased chances of misdiagnosis due to not being face-to-face
  • Reduced accuracy when patients take metrics, such as blood pressure, at home
  • Higher compliance exposure with state rules if patients take a virtual appointment out of state
  • Increased exposure to battery claims due to a lack of proper consent regarding telemedicine risks

It’s fairly easy to see how some of these problems could occur, Pass said.

“Obviously, with telehealth, you’re talking to someone over the phone or computer. It’s never going to be as accurate or personal as the face-to-face meetings that we are used to. As a result there could be a misdiagnosis. Without that in-person visit, miscommunication can easily occur.”

Technology is far from perfect, Pass added.

“There could be a system outage with a computer and a doctor could miss something a patient mentioned,” he said. “Or maybe a picture sent by a patient is distorted or never received. For a lot of great reasons, we are putting our trust into technology, but at the same time that also opens us up to more risk.”

Ransomware and Cyberattacks on Health Care Systems

The risk that has gained the most attention is ransomware and cyberattacks on hospitals and health care clinics.

According to a white paper by cybersecurity provider Sophos published in May 2021, 34% of health care organizations were hit by ransomware in the last year.

Other findings included:

  • 65% of health care groups that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data in the most significant attack.
  • 44% of those whose data was encrypted used backups to restore data.
  • 34% of those whose data was encrypted paid the ransom to get their data back in the most significant ransomware attack.
  • Almost two-thirds of health care respondents (63%) who reported they hadn’t been hit by ransomware in the last year expect to be hit by ransomware in the future. Conversely, 37% don’t anticipate an attack.

A recent attack that hit the headlines was at the Good Samaritan Hospital and St. Mary’s Medical Center in West Palm Beach, Fla. Both are owned by Tenet Healthcare and were among numerous hospitals targeted in April 2022.

One costly cyberattack in 2020 occurred at the University of Vermont Medical Center, which detected a file with instructions to contact the alleged perpetrators of the cyberattack. The center locked down email, internet access and major elements of its computer network to stop further damage.

For nearly a month, employees couldn’t use electronic health records, payroll programs and other digital tools. Many surgeries had to be rescheduled, and cancer patients had to go elsewhere for treatment. The center did not pay a ransom, but it was estimated that the attack cost the medical center about $50 million.

How Health Care Systems Can Cope

To deal with the potential of a ransomware or cyberattack in the health care space, Pass recommends insureds have three types of insurance in place: medical malpractice, tech E&O and cyber.

“That’s the way to absolutely protect yourself in the event of a claim and truly leave no gaps,” he said.

With cybersecurity under threat, he said insureds can also expect costs to go up.

“Premiums are going to continue to increase,” he said. “That’s due to the severity of the claims we’re seeing.”

Some steps hospitals can take to protect themselves from cybercriminals include:

  • Strong firewalls and frequent updating of antivirus software
  • Save three copies of all critical data in at least two different formats and store one copy offline, out of reach of malicious code (advice taken from a joint cybersecurity advisory co-authored by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI)
  • Segmentation, which involves dividing networks into smaller sections so that ransomware can be limited to one segment rather than shutting the whole network down
  • Train employees to be aware of the importance of maintaining security

In addition, Pass said a broker can help an insured understand their insurance needs and improve their cybersecurity.

“All of the information is there,” he said. “It’s on the insured and their broker to make sure they are aware of the risk management tools and different coverages that are offered.”

Annemarie Mannion is a freelance writer.
