The healthcare industry has experienced many of the large and notable data breaches over the past decade.
As the industry has modernised its systems and processes to facilitate easy access to its customers' most sensitive data, so too has it become exposed to internal and external threats putting that data at risk.
Beyond the mega breaches in the headline news though, it is often small and medium sized healthcare organisations facing a greater vulnerability to cyber incidents. These incidents can arise out of cyber-attacks or simply a human error, and can result in a myriad of different costs.
While the frequency, nature and severity of cyber incidents are constantly changing, patterns have in fact emerged for many industries which demonstrate key exposures and the corresponding controls necessary to mitigate them.
For the healthcare industry, the role cyber insurance can play in complimenting an enterprise risk management approach to cyber risk is increasingly clear.
Cyber Insurance By The Numbers
Based on an analysis of Chubb’s prior decade of claims experience, the healthcare industry made up 38% of all claims reported during that period. Further, the trend of incidents impacting the industry has continued into 2018 as the number of Chubb healthcare cyber-related incidents grew 13% over the past two years.
Internal Threats Rising
In terms of the make-up or “triggers” of cyber claims for the healthcare industry, Chubb’s experience in many ways debunks the belief that external bad actors hacking into an insured’s system are the predominate threat. In fact, just 9% of healthcare breaches have resulted from Hacks, which is the lowest of any industry we track.
On the other hand, human errors and rogue employees have accounted for a combined 58% of all incidents. This experience suggests that while perimeter controls used to protect the organisation from malicious intrusion remain critical, other areas like employee training and internal access controls are equally important.
Ransomware On The Rise
Security Research firm Cybersecurity Ventures estimates global ransomware damage costs to be US $5 billion in 2017, with projections for damages to exceed US $11.5 billion annually by 2019.
From the perspective of incidents handled by Chubb, the healthcare industry accounted for 33% of all ransomware attacks noticed, which is the most of any industry. These attacks have become increasingly destructive, and can have a significant impact on insureds in terms of the immediate costs incurred to mitigate and recover from the incident, as well as the lost income during the period of interruption.
Source: Chubb’s global claims data (10 years of data as of December 2017)
Key Exposures & Coverage
The following are some of the privacy and network security exposures faced by the healthcare industry:
Key Coverages Available
Cyber incidents can trigger immediate, direct costs as well as resulting liabilities. Some key elements of cover include:
A Cyber Claim Scenario
A hospital's computer system was the subject of a ransomware attack. While the attacker sought only $500, the attack essentially shut down the medical facility. The hospital incurred significant expenses attempting to restore the data from backup systems, and payroll, billing and imaging systems were inoperable during the period of restoration. With its systems completely corrupted, the hospital resorted to paper mode to chart and monitor patients. As a result of the attack, more than $700,000 was paid for forensics, data recovery, business interruption and crisis management costs.
Best Practice Controls
Implementing a holistic risk mitigation plan is the best defense against all types of cybersecurity breaches. Consider implementing the following seven measures to protect your organisation:
|Backup all systems routinely|
|Providing annual employee trainings for both medical and non-medical staff on emerging cybersecurity threats and red flags to watch for|
|Enable strong spam filters|
|Invest in technologies that can scan and review emails for suspicious activity|
|Limit access to privileged accounts|
|Conduct regular penetration tests|
|Improve password hygiene|
This content is brought to you by Chubb Insurance Australia Limited (“Chubb”) as a convenience to readers and is not intended to constitute advice (professional or otherwise) or recommendations upon which a reader may rely. Any references to insurance cover are general in nature only and may not suit your particular circumstances. Chubb does not take into account your personal objectives, financial situation or needs and any insurance cover referred to is subject to the terms, conditions and exclusions set out in the relevant policy wording. Please obtain and read carefully the relevant insurance policy before deciding to acquire any insurance product. A policy wording can be obtained at www.chubb.com/au, through your broker or by contacting any of the Chubb offices. Chubb makes no warranty or guarantee about the accuracy, completeness, or adequacy of the content. Readers relying on any content do so at their own risk. It is the responsibility of the reader to evaluate the quality and accuracy of the content. Reference in this content (if any) to any specific commercial product, process, or service, and links from this content to other third party websites, do not constitute or imply an endorsement or recommendation by Chubb and shall not be used for advertising or service/product endorsement purposes. ©2020 Chubb Insurance Australia Limited ABN: 23 001 642 020 AFSL: 239687. Chubb®, its logos, and Chubb.Insured.SM are protected trademarks of Chubb.