Over the years, the healthcare sector has become more invested in and reliant on technology to provide care. With Covid-19 hitting, these requirements have escalated even further.
An acceleration in telemedicine and other varying forms of online, digital, or software-based treatments and services also demonstrates a growing cybersecurity threat within the healthcare sector.
These threats can affect large and small organisations alike, and education and resources should be invested within the healthcare sector to minimise cyber-related incidents.
Today, Servca looks at the varying examples, exposures, and steps that can be taken to try and minimise cyber threats.
Please note that this article is intended to serve as value-adding information, and you should consult with a professional when taking steps in arranging cyber liability protections.
What is Cyber Security?
The National Cyber Security Centre states that "Cyber security's core function is to protect the devices we all use (smartphones, laptops, tablets, and computers), and the services we access - both online and at work - from theft or damage".
What are some examples of Cyber Security threats?
- Ransomware - a type of malware that infects systems and files, making them inaccessible until a ransom is paid. When this occurs in the healthcare industry, critical processes are slowed down or become impossible.
- Data Breaches - can be caused by many different types of incidents, including credential-stealing malware, an insider who either purposefully or inadvertently divulges patient data, or the loss of a laptop or other device with confidential information on it.
- Insider Threats - The insider presents a threat because they have indisputable access to the systems and knowledge of the network capabilities and weaknesses.
- Fraud - scammers use a compromised account or fake email to trick employees into initiating a money transfer to an alternative (fraudulent) account. The scammers almost always pretend to be a person of power within the organisation.
Why is the Healthcare sector at higher risk?
- Private patient information is worth a lot of money - records can be sold on the dark web for close to £1,000, which is 200 times the black-market value of a financial record.
- Medical technologies are an easy access point for attackers – The use of devices, computers, servers, and software provides an increased number of entry points for attackers to focus on.
- Data is often accessed remotely, allowing more opportunities for attacks.
- Healthcare staff are not educated and trained enough in online risks.
- Extensive network of connected medical devices – Particularly within larger organisations, it is not easy to manage and stay on top of all these devices.
- Outdated technology means the healthcare sector is ill-equipped for attacks.
Steps that can be taken to improve Cyber Security in Healthcare
- Cybersecurity training for staff and employees - Mandatory training ensures that all employees know their role in keeping the organization's systems and data safe. It keeps them mindful of the most common cyber threats.
- Apply regular system checks and software updates – developers regularly release updates for their applications and software, and applying the most up-to-date patches limits opportunistic threats.
- Controlled System Access - granting a specific employee the system privileges they need to execute their job effectively will ensure a monitored and considered approach to accessing and using the systems.
- Regular Risk Assessments - Conducting a technology risk assessment at least once a year allows organisations to detect new threats before third parties exploit them.
- Data Recovery - Data loss is far worse than unauthorized data access. It not only damages the organisation's reputation but can also cause a crippling effect on the way services and treatments are rendered.
Therefore, a data recovery mechanism will ensure data is intact if the information on systems is rendered unusable due to a breach.
Case Study – WannaCry
In May 2017, the National Audit Office (NAO) reported that more than a third of NHS trusts in the UK were affected by the WannaCry ransomware attack.
WannaCry, which spread to more than 150 countries globally, was a form of malware that encrypted data on infected computers and demanded a ransom roughly equivalent to £230.
Approximately 7,000 NHS appointments were cancelled as a direct consequence of the incident, including around 140 for people potentially with cancer who had urgent referrals rescinded.
An evaluation of 88 out of 236 trusts discovered that none passed the necessary cyber-security specifications.
As you can see from the case study we have highlighted, organisations of any type and size can be affected by cyber-attacks, with devastating effects.
Furthermore, within the healthcare sector specifically, a cyber-attack or incident can consequently result in a claim of medical malpractice. In the WannaCry case study, we highlighted that nearly 7,000 NHS appointments were cancelled. If one of these patients fell ill, they could try and file a negligence claim (or misdiagnosis).
Since most cyber policies have a bodily injury exclusion, it is vital to understand that relevant and essential coverages are in place to protect against a host of claim scenarios.
If you wish to learn more about cyber liability in the healthcare sector, get in touch with us at Servca. We are an owner-managed Lloyd's of London insurance brokerage focusing on the Healthcare and regulated sectors, and it is our priority to ensure you are protected.