P&C the September 2024 issue

Hacking Hospitals

Bad actors are costing healthcare organizations billions and changing the insurance landscape.
By Tammy Worth Posted on August 28, 2024

Recent incidents have laid bare how significant this threat is across the United States.

Cyber attacks on hospitals and other healthcare organizations have steadily increased in recent years, with over 133 million healthcare records in the United States exposed in 2023.

Several factors make these organizations enticing targets, including the prevalence of digital systems, their regular use of third-party vendors, and overall lower spending levels on cybersecurity compared to financial and tech organizations.

Insurers are demanding clients improve their digital defenses if they want to obtain increasingly expensive cyber coverage. Mandatory measures range from use of multifactor authentication to security for medical devices.

UnitedHealth Group subsidiary Change Healthcare, which provides payment and revenue-cycle management software, wasn’t using multifactor authentication for login in one of its critical systems. This allowed for a ransomware attack in February that leaked the healthcare data—including health, insurance, and payment information—of an estimated one third of all Americans and is anticipated to cost the company just shy of $2.5 billion.

Last year, for the first time, a U.S. hospital cited a cyber attack as one of its main reasons for closing. The incident prevented staff at St. Margaret’s Hospital from filing claims, putting it months behind on insurance billing. The small community hospital about 100 miles southwest of Chicago never recovered financially and closed in June 2023.

As these cases demonstrate, cyber attacks are a constant threat for healthcare organizations. The number of breaches has been steadily growing in both scope and cost for years.

“All sectors of healthcare are seeing more breaches, but the growth has been especially significant against hospitals since about 2018 or 2019,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. “During the pandemic, it really accelerated. Ransomware, typically from foreign-based groups, has gone up 300% in the past few years. Data theft attacks that resulted in the exfiltration of healthcare information has gone up 500% since 2020.”

Along with the expense for healthcare providers, a digital strike can dramatically impact patient care—and the market has noticed. Cyber insurance rates skyrocketed to keep pace with the ever-growing breach claims. Most insurers now require healthcare providers to have good cyber hygiene to qualify for coverage.

Ripe Targets

In 2023, 725 data breaches exposed more than 133 million healthcare records, according to the U.S. Health and Human Services Department’s Office for Civil Rights (OCR). This number doesn’t include breaches in which fewer than 500 records were stolen, because those aren’t reported on the OCR website. Since 2009, when OCR began publishing breach cases, nearly 6,000 incidents have been reported.

The FBI says healthcare and public health were the industries most impacted by ransomware in 2023. Other common threats to the sectors include phishing, insider threats (where an employee knowingly, or unknowingly, leaks data), and hacking of devices connected to the internet (for example, surgical robots).

Attackers focus on the healthcare industry for several reasons. One is the prevalence of potential targets: nearly all providers have some sort of digital component that can be hacked. Potential openings aren’t just electronic health records (EHRs), but can include video calling systems, medical scribing, and medical technology.

Cyber attacks often hit providers through a third-party vendor that has access to their information and networks. This was the case with file transfer program MOVEit Transfer, where criminals in 2023 gained access, through its software, to sensitive data for more than 2,000 organizations including some in the healthcare sector.

“Healthcare providers rely on health plans, law firms and other groups that support providers,” said Steve Cagle, CEO of Nashville-based Clearwater Security & Compliance. “Healthcare has become an interconnected ecosystem, relying on several parties to treat their patients.”

The COVID-19 pandemic also forced healthcare providers to rapidly adopt new technologies, including telehealth, remote patient monitoring, and remote tools for staff. This further increased the amount of valuable data being created and shared, adding additional points of access and vulnerabilities.

Health Insurance Portability and Accountability Act (HIPAA) rules, among other measures, require that healthcare providers employ safeguards including data encryption, audit controls to track data activity, and risk analyses. But the rules have not kept up with today’s threats—the last major updates were in 2013—and HIPAA doesn’t directly address technological advances like artificial intelligence (AI) software, mobile apps, and some wearable devices. In addition, OCR doesn’t typically ensure organizations are following HIPAA regulations unless it investigates a breach. And, some of the steps needed to comply with HIPAA can be costly—risk analysis, for example, may need to be performed by an outside vendor.

Healthcare organizations, overall, spend less on cybersecurity than those in the financial and technology sectors. According to a 2023 survey of 229 cybersecurity specialists by the Healthcare Information and Management Systems Society (HIMMS), 41% of respondents said their employer as of 2021 spent no more than 6% of their IT budget on cybersecurity; another 26% spent 7% or more; the remaining did not know the percentage or said their IT budget did not have a specific allocation for cybersecurity but that the operation was funded. (Compare this to financial services businesses, which spend about 13% of their tech budget on cybersecurity, McKinsey said in 2023.)

Finally, because an event can halt patient care, these healthcare providers are more likely than many other victims to pay the ransom, according to Cagle. “It’s difficult not to pay the ransom when you are talking about patient lives,” he said.

The Blast Radius

The most concerning kind of attacks for healthcare organizations are when ransomware gets into, and prevents users from accessing, a system. For hospitals, this can mean disruption to life-sustaining technology. Riggi calls these attacks threat-to-life crimes.

An organization may be locked out of its EHRs or electronic drug cabinets or prevented from transmitting images from its X-ray machine and other imaging technologies. Hospitals may not be able to process labs in-house for patients who need to know their blood type for a surgery. Providers might lose access to dosing schedules for hospital patients.

During the downtime after the attack, a hospital may have to use runners to move lab specimens and reports to each unit. Radiologists may have to come to the hospital to do on-site imaging and elective surgeries can be canceled. One study from the University of Minnesota found that mortality rises between 20% and 35% for patients receiving care at a hospital during a ransomware attack.

An attack doesn’t even have to directly hit a hospital or doctor’s office to impact patient care. Following a mid-June ransomware strike, U.K. pathology service provider Synnovis could only analyze about 400 of the 10,000 blood samples it received daily. Hospitals serviced by the organization had to cancel hundreds of operations and thousands of patient appointments. Even when it could analyze blood work, Synnovis could not send results to area primary care doctors. According to The Independent newspaper, Synnovis was forced to discard many samples and to cancel appointments made by patients of area primary care providers through the end of June.

There is also what Riggi calls a “blast radius” beyond the direct target of a cyber attack. If a hospital’s network system is down, it typically tries to divert emergency patients to nearby facilities. The Minnesota study found that patient volume during the week after a cyberattack can drop by 17% to 25%. This not only puts additional stress on area hospitals but can negatively impact the patient who must travel farther for time-sensitive treatments for a stroke or other medical emergency.

Data on the financial toll of a cyber attack is similarly bleak. In an IBM survey of 553 organizations in various industries in 16 countries that were breached in 2023, the average cost per incident was $4.45 million. That was up 15% from 2020. The cost of breaches in the healthcare sector rose 53% from 2020, reaching an average of nearly $11 million per attack. That covers costs such as unpaid claims, increased IT and other staff time, and paying outside help like lawyers and public relations specialists to help clean up after the incident.

The longer it takes to identify and contain a breach, the more costly it becomes. The IBM report cites an average time of 277 days. Breaches that had a “lifecycle” of fewer than 200 days cost, on average, $3.93 million. For those longer than 200 days, the average cost was $4.95 million.

While many organizations pay the ransom after an attack to get back online more quickly (something Riggi said his company strongly discourages) that often saves very little, if any, time and money. According to the IBM survey, organizations that paid the ransom in 2023 averaged $5.06 million per breach, as opposed to $5.17 million for those that didn’t. Those numbers, however, don’t include the cost of the ransom, which can be large—like the $22 million Change Healthcare paid.

What did save time and money was involving law enforcement, which shortened the average breach cycle from 306 days to 273 days. When law enforcement was involved, it took less time to identify the origin of, and then contain, ransomware breaches. Other factors that lowered costs, according to the IBM report, were using AI to assist in finding the breach, training employees in protecting health information and good cyber practices, and employing DevSecOps software (this is a way to create software that focuses on three important aspects— development, security, and operations—through its entire life cycle).

One study from the University of Minnesota found that mortality rises between 20% and 35% for patients receiving care at a hospital during a ransomware attack.

Ransomware attacks, in particular, have a long recovery time because the malware shuts down a system and must be decrypted to get to the uncorrupted data backups. This is a technical and time-consuming process that can’t be performed until an organization knows how the adversaries penetrated the network. Once the vulnerability is found and closed, the organization must confirm the hackers aren’t still in the network or left a back door in the system where they could get covert access at a later time.

The financial effects can linger for years, Riggi said. While a hospital is offline, the staff must perform all its documentation on paper, something for which many younger clinicians have never trained. Because of this, charting is more likely to be incomplete, causing issues with insurance claims payments down the road.

Organizations also may have to pay for credit monitoring for months or years. In addition, legal fees pile up for the inevitable class-action lawsuits brought by patients whose data was compromised. In June, Mercy Hospital in St. Louis paid $1.8 million to settle a case stemming from a 2020 data breach that impacted records for more than 11,000 patients.

“Class actions are almost happening monthly now,” said Ellie Saunders, U.S. and Canadian healthcare team leader for London-based CFC Underwriting. “Any kind of large exposure is likely to have a class action.”

Booming Market Response

Cyber insurance can help hospitals and other healthcare providers shield themselves from some of the costs of cyber crimes. But the increase in the costs of claims and number of attacks has sent costs skyrocketing, making plans unaffordable for some cash-strapped organizations.

Created in the late 1990s, cyber insurance didn’t become commonly used until around 2014 when retail breaches boomed. This was followed by a spate of cyber attacks on the healthcare sector in 2015. But even then, it was still relatively easy and inexpensive to be insured.

“Cyber insurance was born in a soft insurance market—there were low premiums, deductibles, and robust coverage,” said Patrick Bourk, vice president of cyber and professional lines at Navacord, a benefits broker based in Toronto. “It was a real buyer’s market.

Insurers weren’t operating that well and they didn’t understand the risk very well.”

The market began to harden in late 2019 due to capital losses in the property and casualty space, he said. Going into 2020, Bourk said rates were expected to increase. And then COVID hit.

People were working remotely, necessitating a boom in the use of technology and creating new opportunities for cyber crime. Huge claims began rolling in to insurers. By the end of 2020 to early 2021, insurers’ loss ratios were between 400% and 600%, Bourk said. It quickly became more difficult to qualify for cyber insurance plans.

“We had to totally rethink how to underwrite risk,” he said. “So, the price had to go up, capacity went down, and there was more scrutiny for a few years on the cybersecurity organizations had in place. A lot of carriers began just writing for excess coverage, they didn’t even want to be the primary insurer.”

Because the plans were so underrated prior to the pandemic, premiums hiked by as much as 300% in 2020 to correct the market, Saunders said. All the losses weren’t replenished, but business stabilized somewhat for underwriters.

Cyber insurance became cost prohibitive for some healthcare organizations, especially smaller, rural hospitals, Riggi said. A 2024 report by cybersecurity firm Sophos surveyed 5,000 IT leaders worldwide in 14 countries and found that nearly half of all healthcare organizations did not have a stand-alone cyber insurance policy.

Some organizations must pay claims out of their own pockets. Another solution for certain organizations is to let their property and casualty insurance cover some of the breach and ramp up security.

We want organizations to have a minimum benchmark of controls like multifactor authentication and employee training—particularly for phishing, which is the most common type of attack for doctors’ offices.
Ellie Saunders, U.S. and Canadian healthcare team leader, CFC Underwriting

“Rather than invest on the cyber side, organizations can create stronger overall policies and procedures and work through a managed services provider, so their risk is shifted to that vendor,” said Erik Pupo, director of commercial health IT for Guidehouse, a consulting firm based in McLean, Va.

A managed services provider is an external vendor that performs tasks including maintenance of a hospital’s network, and undertakes cybersecurity services like email monitoring, patching apps, and managing access of user accounts.

With the market leveling out, many insurers predict cyber insurance premiums will be relatively stable for the moment. But the market is in its infancy and claims are increasingly expensive.

“It’s been a real evolution, and this coverage is newer, so we don’t have hundreds of years of property losses as a basis for underwriting risk,” Bourk said. “But with a lot of these large breaches now happening, we may see underwriters creep back up into higher prices.”

Security Mandates

There was a silver lining to the post-pandemic market changes. To minimize risk, insurers began making eligibility for coverage dependent upon clients significantly improving their cybersecurity practices.

“Some wouldn’t insure organizations if they didn’t have multifactor authentication in place,” Riggi said. “The industry helped drive these best practices.”

James Trainor, senior vice president for Aon’s cyber solutions group, said the risk management company requires clients to demonstrate they have a rigorous cybersecurity program in order to receive coverage. The focus is on 12 areas that lower an organization’s risk, including multifactor authentication, patch management, cyber awareness training for staff, disaster recovery and backups, access controls and use of administrative accounts, and security programs for medical devices.

“No organization will have a robust program in all 12 of these areas, but it helps us determine the small percent that are deemed uninsurable,” Trainor said. “The vast majority will have room for improvement but can get insurance. Their premiums just might be higher if their security is less tight. And it’s an annual policy so they have to tell their cybersecurity story to underwriters every year.”

In an ideal world, all organizations would have comprehensive cybersecurity controls. But it’s not feasible, even for some large healthcare providers, Saunders said. The National Health Service (NHS), England’s publicly funded health system, sustained a major breach in 2017 and another in June 2024. It’s simply not possible for an organization of that size to upgrade its entire system, she said, due to the exorbitant financial and human capital costs.

“We want organizations to have a minimum benchmark of controls like multifactor authentication and employee training—particularly for phishing, which is the most common type of attack for doctors’ offices,” Saunders said. “Training in that is fundamental and the most cost-effective way of mitigating cyberattacks in the first place. We promise to pay their claims and hope the insured organizations prepay that favor.”

Even organizations with exceptional cyber hygiene aren’t impervious to attacks, Riggi acknowledged. The cybersecurity-focused U.S. National Security Agency (NSA) has been hacked, he noted.

“We can’t rely on a purely defensive solution to stem attacks as an industry and a country,” Riggi said. “We must rely on the federal government for better offense of attacks…and the insurance industry needs to be better at detecting and preventing healthcare fraud. If it was hard to commit fraud [by using healthcare data], it would disincentivize people from trying to steal.”

Cyber insurance is also not an automatic cure-all to the threat. For instance, a hospital might say it is performing certain cybersecurity procedures like annual staff training. But if a breach occurs and the insurer determines the client wasn’t meeting its data hygiene directives, it can deny the claim, Pupo said.

“Where they didn’t practice good hygiene, it doesn’t cover costs,” he said. “It’s just like home insurance; if you have an accident and weren’t taking care of your property, it won’t always cover it.”

Some policies also exclude certain types of strikes, like those using social engineering—where the attacker gains an employee’s trust to get sensitive data, credentials, or access to a personal device.

Some policies might not cover a physician’s practice if they are affiliated with a hospital group whose third-party vendor is hacked, impacting the hospital’s network. Pupo said vendor attacks are excluded from many policies even though that is one of the most common types of attacks in the industry today.

A plan might only cover a certain percentage of the costs of an incident; others don’t cover more than a certain amount, like $5 million. Smaller organizations might also only have add-on policies that aren’t as comprehensive.

In an April report, cybersecurity optimization specialist CYE found that 80% of 101 surveyed organizations across multiple industries had not had sufficient coverage to pay the full costs of a breach. Uncovered losses per breach averaged $27.3 million. The gaps in coverage were relatively extensive—350%—meaning more than three-quarters of the organizations’ costs stemming from the incidents weren’t covered. Some organizations had coverage gaps as high as 3,000%.

Cyber insurance was born in a soft insurance market—there were low premiums, deductibles, and robust coverage. It was a real buyer’s market. Insurers weren’t operating that well and they didn’t understand the risk very well.
Patrick Bourk, vice president of cyber and professional lines, Navacord

Healthcare providers must adopt best practices for cyber hygiene, understand where their critical information is held, and perform ongoing risk analyses that show what controls are in place and how likely it is to have any vulnerabilities exploited by cyber criminals.

“Even organizations that get insurance, put security measures in place, and do everything right can still have an attack,” Cagle said. “The goal is to really try to find areas where something bad can happen and address them. Then, if there is a breach, they are better able to contain the event and operate under duress through resiliency planning. It’s all meant to minimize the impact to any organization.”

Hitting a Moving Target

Historically, the cyber insurance industry was inherently transactional: healthcare providers paid for insurance and insurers gave them a plan. But with the burgeoning of cyber crime—and few regulations in place to guide organizations on best practices—many insurers and brokers have taken on a much greater advisory role for their clients with their own in-house IT experts.

Bourk said insurance companies are finding better tools to underwrite by scanning networks and using programs like Bitsight, a cyber risk analysis tool, to review and analyze clients. Underwriters are hiring cyber risk engineers to inspect client companies. These engineers ask the right questions on security and help underwriters ensure they are comfortable with an organization’s risk.

“An IT security professional is necessary and a real key member of the insurance renewal or placement process,” Bourk said. “Brokers have to recognize what underwriters need to know. Some brokers are hiring in-house cyber specialists who can talk the security language with our clients.”

These insurers are consistently trying to stay one step ahead of bad actors and write policies for the constantly changing cyber landscape.

Saunders said CFC Underwriting’s policies are tweaked regularly to keep up with the evolving market. For one: coverage for sexual misconduct accusations against healthcare providers is now standard for both in-person and online visits. That was necessary due to an increasing number of accusations from both kinds of care, Saunders said CFC is also expanding its base coverage to include AI, including diagnostic mistakes from virtual or digital technologies. One such scenario: A dermatology client uses a provider’s AI tool to determine if a lesion on their skin may be cancerous. If the AI system analyzes the image and finds the lesion noncancerous it would not recommend an in-person visit. If that is a misdiagnosis, causing the patient to delay treatment for cancer, the client could sue for bodily injury.

The U.S. Food and Drug Administration (FDA) has been preparing new rules regarding the use of AI in healthcare. When something becomes more regulated, it tends to make hospitals and other providers subject to additional oversight and exposure, according to Saunders.

Trainor said that most cyber policies don’t explicitly address AI ransomware, so many groups are still working out how it will impact the insurance market. “All industries are embracing AI and we have not yet really sorted out how it will affect the market, so there is lots of uncertainty,” he said.

AI can cause problems both internally and externally for healthcare providers. For instance, if a hospital purchases an AI tool that causes a denial of services for a patient, is the hospital or vendor at fault? Who is to blame if an AI tool leads to a data breach? Or if benefits are denied that should have been paid?

AI is also being used externally to hack into systems. Social engineering can be used to learn what kind of attacks are and aren’t working and help bad actors adapt to make them more realistic. AI can create deepfake voices to make calls to get people to provide credentials or send payments. It can also be used to find out information about people to send carefully constructed emails that appear real.

Determining fault can be difficult in many of these cases. If AI is used to craft a good phishing attack, but it’s later determined that a hospital didn’t have a patch on that system, who is going to pay?

Saunders said the main risk with AI is the loss of data sets, which are valuable because they can be leaked to an organization’s competitors. It takes time and money to rebuild them, and these have to be covered as well.

“AI has boomed over the last 18 months,” she said. “There are new regulations and risks and exposures for healthcare, cyber, and privacy.”

Tammy Worth Healthcare Editor Read More

More in P&C

Risky Business
P&C Risky Business
RiskScan 2024 identifies what buyers and sellers in the insurance industry are w...
Sponsored By Munich Re
P&C When Disaster Knocks
A continuous series of natural catastrophes around the United States might final...
Business Interruption Goes Digital
P&C Business Interruption Goes Digital
Brokers have long worked to help ensure their clients are covered for unexpected...
Sponsored By Ryan Specialty
Bond, Completion Bond
P&C Bond, Completion Bond
For movie buffs, completion guarantors are a little-known but crucial element of...
Council Q3 2024 P/C Market Survey Results
P&C Council Q3 2024 P/C Market Survey Results
More premium increase moderation, but umbrella sees effects ...
Weathering Cyber Storms
P&C Weathering Cyber Storms
Q&A with Joshua Motta, CEO and Co-Founder, Coalition