Naturally, most of what you hear from healthcare IT companies about their products is going to be upbeat, designed to create a sense of potential and promise. I mean, I can easily extol the virtues of the company I lead and the products and services we sell.
But if I’m responsible and realistic, I also need to call attention to the challenges healthcare IT can create on the path to improved care. Without doubt, any information technology that creates, maintains, or transmits electronic patient data is a source of risk, as evidenced by the numerous security issues that are top of mind right now for just about everyone working in healthcare and healthcare IT.
Still relatively young, cyber liability insurance has nonetheless grown in recent years and is now available to organizations concerned with breaches, loss of data and ransom scenarios.
Have we gotten to the point where insurance against these types of situations is necessary, viable and affordable? It’s a question worth asking.
You’re probably familiar with the hospitals, health systems and insurance carriers that have suffered security breaches—names like Anthem, Hollywood Presbyterian, UCLA Health System and MedStar Health. These are only a few of the healthcare industry players that have been hacked, and they are a tiny slice of the organizations and facilities that are targeted on a daily basis.
Not only are healthcare organizations targeted, it’s happening with ever increasing frequency. According toSymantec’s April 2016 Internet Security Threat Report (ISTR), new malware variants jumped 36 percent from 317 million to 431 million from 2014 to 2015. Over the same time period, crypto-ransomware assaults rose from 737 to 991 per day.
New devices are creating more openings and threats. Mobile vulnerabilities rose more than 200 percent from 2013 to 2015. The Internet of Things (IoT) creates a game of whack-a-mole for hospitals trying to plug every potential access point.
Yes, the recent surge in cyberattacks on healthcare is alarming. Because hackers will try to maximize vulnerability until the window closes, expect them to continue and increase.
Of course, leadership at your healthcare organization is doing everything in their power to prevent cyberattacks and loss of patient data. You regularly back up data, and you have a ‘gold image’ of systems and configurations and a plan for dealing with attacks. You’re working with an established, reputable cybersecurity firm, and you’ve created test plans as part of a broader effort to educate and prepare all personnel. And every year you conduct a security review to make sure the preceding is in place.
If you have done all this, good for you. You’d probably have to anyway. Insurers, after all, pool risk to guard against unfortunate events despite all preparation, not in lieu of it. The numbers suggest the risk is significant.
In 2015, according to the NetDiligence Cyber Claims Study, the largest cyber insurance claim of the year—$15 million—came from healthcare, with the average claim falling between $30,000 and $230,000. Because retail and healthcare are the most vulnerable targets of cybercrime, insurance companies are now charging more to insure digital assets. In some early-2015 cases premiums tripled for healthcare organizations; Reuters reports that high deductibles are common and even large insurers won’t write policies for more than $100 million when clients are considered high risk.
If actuaries see healthcare as that vulnerable, it might be wise for us to see ourselves in similar terms. We know, after all, that the demonstrated vulnerability to hackers of healthcare organizations squares with the amount of money spent on security—currently a dismal 0 to 3 percent of total IT budget in most hospitals.
Well, you might say, my organization has not suffered a successful hack and lost patient data. Good for you. But can you afford it if you do? Again, the largest claim against cyber liability policies in 2015 was for $15 million by a healthcare organization, and hacks are becoming more effective and more frequent.
We’re not a very big hospital, you might think, so I doubt we’d be a target.
But the NetDiligence Cyber Claims Study shows that small and mid-sized organizations (revenues under $300 million) filed almost half (46 percent) of all claims in 2015, clearly demonstrating that large hospitals and healthcare organizations are not the only tempting targets.
The Symantec ISTR report also found that the highest number of 2015 network breaches, 39 percent, came from health services. And even while hackers are hitting healthcare harder than other industries, the actual number of identities exposed is relatively low, demonstrating the financial value of the data kept in patient profiles.
Indeed, according to NBC News, in the market for illicit goods and information, stolen credit cards are worth from $1 to $3 and social security numbers return about $15. Complete medical records, however, which provide access to prescriptions, treatments, surgery, even false tax returns, sell for around $60 each.
The February 2014 Cyber Insurance Roundtable Readout Report gleaned from a summit convened by the National Protection and Programs Directorate within Homeland Security probably sums up the situation well for most CIOs and chief security officers. It shows that healthcare organizations must weigh their preparedness for cyberattacks against the cost of cyber liability insurance and the potential costs of a breach.
Two years later, hacks are increasing. Premiums are increasing. But skyrocketing premium prices incentivize healthcare organizations to forgo insurance for stronger electronic locks and higher virtual walls. As cyber liability insurance grows, healthcare organizations would do well to engage with insurance providers in discussing the criteria by which a policy is affordable and provides protection.
Which brings us back to the reality of healthcare in the digital age. You are going to have to spend more on cyber security to either prevent data breaches and ransom attacks or clean up after them. And if cyber liability insurance sounds interesting, you’ll have to demonstrate effective and reliable security just to get an affordable premium. There’s just no way around better IT security.