By Michael J. Sacopulos
Despite repeated warnings about their vulnerability to ransomware attacks, healthcare organizations routinely fall victim. Need examples?
- A Simi Valley, Calif. clinic closed permanently in late 2019 after losing all its medical records in a ransomware attack. The clinic was unable to recover the records encrypted by the cybercriminals behind the attack.
- After refusing to pay a $6,500 ransom to buy back access to its medical files, founders of a Michigan ENT practice retired after the records were deleted.
- A Wyoming hospital system temporarily suspended new inpatient admissions, canceled some surgeries and shut down other services after a ransomware attack.[1]
There’s another payoff for cybercriminals in healthcare data records: The going rate for a single health record exceeds $250; in comparison, a credit card commands only $5.40.[2] So the allure of ransomware is twofold: first, to hold records hostage in return for a ransom; and second, to sell the data on the dark web.
To make matters worse, healthcare organizations that fall victim to a ransomware attack may not have adequate or appropriate insurance coverage for it.
More technology equals more risk
Growing reliance on technology has compounded the risk. The explosion in telehealth during the COVID-19 pandemic has created more opportunities for cybercriminals, and too many telehealth platforms fall short of HIPAA requirements and lack adequate data safeguards.
HIPAA guidelines stipulate:
- Only authorized users should have access to electronic protected health information (ePHI).
- There needs to be a system of secure communication to protect the integrity of ePHI (this rules out platforms including SMS, Skype, and email).
- There must be a system for monitoring communications containing ePHI to prevent accidental or malicious breaches.[3]
Criminals typically target smaller practices and clinics, which often lack a sophisticated technology infrastructure with proper security safeguards.
To minimize risk, and as part of any risk management strategy, providers of any size should assess and improve their practices in three specific areas:
- Backup and IT security. Failure to back up system records is more common than you might realize; in addition, the backups that do exist may not be encrypted. It’s also critical to keep software and hardware updated. Running antivirus solutions is key, as is two-factor authentication for all users.
- Education and training. Frequent training is the best defense against hackers. Employees must be on guard against common ploys like phishing and spoofing attacks. They must also be diligent about cyber hygiene when out of the office, whether on a business trip or the daily commute, and never insert unknown thumb drives into a computer — a practice more common than you might believe.[4]
- Risk management and insurance. Healthcare providers cannot skimp on cyber insurance, but many may not be aware of what it covers and whether they have the right coverage. Improper insurance can be a catastrophic mistake: Recovering from an attack can cost upward of $1.4 million, and healthcare organizations spend about 64% more on advertising in the two years following a breach in an attempt to mend their reputation.[5]
Cyber insurance covers losses and damages from data breaches, digital security issues, and recovery costs, along with legal fees and damage to the network and its components. HIPAA fines may also be covered – as much as $50,000 per occurrence, up to an annual maximum of $1.5 million per violation. In one incident, a lost iPhone caused a data breach affecting more than 400 nursing home residents and their families, resulting in a $650,000 fine.[6]
But remember: Some cyber insurance policies do not cover ransomware breaches, so it is essential that healthcare organizations have the right language in their policies to cover this type of attack. Policies, coverage terms and limitations vary widely.
Working with a broker who can help healthcare organizations get the right type of cyber coverage is the most important step of all.
Michael J. Sacopulos, JD, is founder and president of the Medical Risk Institute and a consulting partner to HUB International’s healthcare practice.
HUB International’s team is ready to help your organization respond to the opportunities and risks in today’s changing healthcare environment.
[1] Becker’s Hospital Review, “What 4 facilities did after ransomware attacks: Permanent closures, temporary service suspensions & more,” October 9, 2020.
[2] Trustwave.com, “Trustwave 2019 Global Security Report,” April 25, 2020.
[3] HIPAA Journal, “HIPAA Guidelines on Telemedicine,” accessed January 29, 2021.
[4] Tripwire.com, “Does dropping malicious USB sticks really work? Yes, worryingly well…,” August 4, 2016.
[5] HealthITSecurity.com, “What Is Cyber Insurance for Healthcare Organizations?,” February 5, 2019.
[6] Revelmd.com, “Top 10 Most Common HIPAA Violations?,” December 3, 2016.
