3 Interconnected Cyber Risks Leaving Health Care Systems Vulnerable to Added Liability
It seems that not a day goes by without the announcement of a ransomware attack. Some events, like the shutdown of the Colonial Pipeline earlier this year, make headlines, reminding the public of how serious a threat ransomware can be.
Oftentimes, events will go under the radar. But this doesn’t mean they are any less severe; the average ransomware attack can cost millions of dollars. Bad actors are constantly looking for vulnerable facilities to gain access to critical information and wreak havoc on the company.
More than a third of health care organizations were hit by a ransomware attack in 2020, and of those, 65% said cyber criminals were successful in encrypting their data, a report from cyber security company Sophos found. For medical facilities, however, a ransomware or any cyber event can be much more costly, because patients’ lives are at stake, making this more than just a cyber risk.
“The hospitals, medical facilities and their physicians have sensitive patient information on their systems,” said Monica DiCesare, chief underwriting officer at IronHealth. “That information is critical to protect, because it’s critical to ensure patient safety.”
Ransomware then becomes a safety concern for such institutions, making medical facilities that much more attractive for hackers. Hospitals are more likely to pay a ransom, with 34% of respondents in the Sophos report saying they paid to get back their encrypted data.
When cyber events bleed over into the safety realm, institutions will be left vulnerable to medical malpractice claims and other serious threats. Here’s a look at three ways a cyber event at a hospital can trigger other policies and what these facilities can do to mitigate the risk.
1) Medical malpractice can stem from a facility’s inability to access sensitive patient information.
Cyber attacks can lead to a number of medical malpractice concerns, from misdiagnosis to delays in treatment. When networks are down or systems are impaired, the inability to retrieve sensitive and key data in real-time can hinder physicians in making informed decisions on a patient’s care.
“Prescription information, drug allergies and other sensitive information documented on medical records can be held for ransom,” DiCesare said. “If a physician is looking to administer a medication quickly but doesn’t have access to medical history, that could be catastrophic.”
“We’ve become so reliant on technology. When we don’t have that technology and data, we become inhibited. The physician can’t practice medicine to its fullest, which can later be construed as negligence, because they weren’t able to provide adequate or appropriate care,” added Dennis Cook, president of IronHealth.
The consequences of such an event can be dire.
Not only can vital medical information be locked, but so too can in-take systems, which may lead to ambulances being sent away from the hospital and routed to facilities miles away with critical trauma patients in tow. Lab reports may not arrive in time to help make the right diagnosis. Routine appointments and procedures can be delayed or canceled — all of which can lead to a medical professional liability claim.
2) When devices are hacked, products liability can be triggered.
Many health care organizations have their own software system and products that they use or develop with third parties, which means if a system is infiltrated, so too can any connected devices if proper protections are not in place. And because these facilities have created their own systems, they’re also open to their own unique exposures in the event a cyber breach occurs.
That is why putting protections in place is key.
“Making sure your medical devices are using the most updated software and have all the patches in place can go a long way in protecting yourself against these attacks,” DiCesare said. the facility uses, like insulin pumps, ventilators, pacemakers, monitors and more, can help in preventing malicious deeds. Comprehensive procurement practices are vital in ensuring all medical devices purchased and used on site have the adequate protection throughout their lifespan.
Cook agreed, adding that contingency planning and system backups are a must: “Health care facilities are used to emergency and disaster planning. Cyber preparedness should be no different. If a hurricane is coming, they know to evacuate. They know to have the back-up generator ready to go. Running through emergency planning for a cyber event should reflect that disaster preparedness approach.”
It’s also important to note that products liability is not isolated to health care systems, either; device manufacturers can be held liable for faulty or unprotected devices being infiltrated by hackers. That is why it is not only imperative for hospitals to do their due diligence when it comes to vetting the machinery they use, but it is also important that manufacturers and vendor partners understand how cyber can impact their devices and how they can work to prevent events from happening.
3) Billing errors and other regulatory liability concerns for health care facilities.
During a ransomware attack, if a health care facility’s billing system is infiltrated and miscoded, the medical facility will likely be on the hook for any alleged improper billing practices. If it appears that the facility has been overbilling, the government can impose fines and penalties against the system.
“The hacker could be siphoning off that money without the facility realizing. And then, when the bills aren’t adding up, the health care system can be hit with large penalties,” said Cook.
Governments are starting to get proactive around ransomware issues, including billing. More regulations and requirements surrounding cyber controls are being discussed every day, from cyber policy requirements to mitigation efforts at play.
One legislation being discussed may prohibit health care facilities and other businesses from paying ransoms at all. This has been a topic of discussion for many state legislatures in the last few months as a means to curb cyber activities.
“That could lead to another type of regulatory concern for health care facilities. Will they comply or will they pay a ransom to gain back access to the critical information they need for patient care?” Cook said.
How Health Care Facilities Can Address Cyber’s Interconnected Risks
With medical malpractice, products liability and regulatory concerns on the table, it’s clear to see that a cyber attack is more than just a cyber event. Health care facilities can face a number of risks should they find themselves at the receiving end, but there are ways to get ahead, starting with a deep review of what existing policies might cover.
“Not all policies are created equal,” said Cook, “and so cyber limits within individual policies may be adequate or they may not.”
Talking through the risks with a broker partner and the carrier is also a best practice that health care facilities can adopt. Understanding the intricacies of the policy will go a long way in knowing where the gaps are and what should be done to fill them.
The partners at IronHealth, in tandem with parent company Liberty Mutual, are working to provide clients with the necessary insurance information and tools required to tackle cyber and ransomware exposures. From working through possible cyber risk scenarios to providing coverage that spans both the cyber and health care realms, the team is working to become a trusted partner in mitigating cyber risk.
“Not only do we have the policies, we also offer support from a risk management viewpoint,” DiCesare added. “We are looking to point our clients in the right direction when it comes to the services they need to address the risks where cyber and health care intersect. We’re equipped to partner them with the right experts so they’ve got the right risk plans in place.”
To learn more, visit: https://business.libertymutual.com/.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty Mutual Insurance. The editorial staff of Risk & Insurance had no role in its preparation.