Replay: Should Aged Care Providers Be Concerned About Cyber Risks
The healthcare industry, including care services such as Aged Care and disability are one of the most vulnerable industries to cyber-attacks. In fact, there has been more high-profile attacks in the past few years within the healthcare sector in comparison to other industries, and the sector is likely remain one of the most targeted, given its sensitive data. The industry has one of the highest costs associated with cyber related incidents, with data breaches costing the sector US$6.45 million – that’s 60% more than the global average of all industries1 . With cyber risks becoming more apparent than ever, we answer key questions, highlighting critical facts the Aged Care and Disability industry need to know, as well as key areas of cover and ways you can safeguard your organisation.
Why should care facilities be concerned about Cyber?
In many parts of the world, the healthcare space, including Aged Care organisations, are still in the emerging stage of digitalisation and often rely on hardcopy medical records. The wide spectrum of formats in which data can exist within an organisation, either digitally or in print, means that the risks of data breaches can be widespread and systemic in healthcare. Due to the industry’s digital infancy, coupled with highly sensitive information, the sector remains a consistent target in relation to cyber risks. Financially motivated threat actors and accidental human error from internal parties, can also be cause for concern within the sector.
In 2015, three of the largest reported incidents, which impacted healthcare organisations, compromised nearly 100 million patient records and resulted in hundreds of millions of dollars in settlements2 . Despite this occurring five years ago now, unfortunately, the problem hasn’t gone away with organisations within the healthcare environment continuing to dominate media headlines with data breaches. Just late last year (2019), hospital networks in Victoria, Australia suffered a substantial ransomware attack, which caused severe disruption to major services. This attack came just months after a warning from Victoria’s Auditor-General as to cyber security weaknesses in infrastructure across the state, by demonstrating his department’s ability to successfully hack into the hospital healthcare system and obtain sensitive data3.
Healthcare organisations continue to incur one of the highest financial costs in the face of the cyber-attacks. The heavily regulated healthcare industry can be penalised up to $380 per patient record that has been compromised - equating to more than double the global industry average of $141 per lost or stolen record4 . Financial impacts are not the only consequences of cyber-attacks against care facilities. Data breaches have the ability to tarnish an organisation’s reputation. Consider Australia’s ‘My Health Record’, which enables patients and their doctor’s to access their health information online. In early 2019, a survey by SOTI revealed that only 39.12% of Australian’s support the system, with 61.68% all respondents identifying their biggest concern was not knowing who had access to their data5 . This follows the Australian Digital Health Agency (ADHA) annual report for 2017-2018, which identified 42 reported incidents of data-breaches in relation to the My Health Record system6.
Statistics also show that operational risks, such as lost or stolen paper records or non-employee access to restricted care areas, could also contribute to cyber related incidents. For example, consider a registered nurse who works in the residential care setting, who may need to access data remotely via a portable device. If the employee access a vulnerable network, or loses the device, this could contribute to a cyber-risk.
Overall, there are exposures that care organisations need to consider in order to minimise cyber-threats.
How has the COVID-19 pandemic elevated cyber risks as an increased threat to care providers?
During this stressful time, cyber criminals have been exploiting companies that are already under tremendous pressure. Undoubtedly, the care environment is one of them, with the industry fighting a tough war on two fronts. The most public battle that has dominated media headlines in Australia, is the containment of the Coronavirus pandemic, while simultaneously providing dignity of care for those who are infected. In addition to intense media pressure over how care providers are handling the virus, there has also been a less visible but deeply worrying struggle against pernicious attacks by cyber criminals using ransomware and other methods.
Ransomware, a malicious software designed to block an organisations digital infrastructure for a significant sum of money, has become ever increasing in the industry. Cyber security agencies in the United Kingdom and the United States have issued a joint warning to healthcare and medical research staff, urging them to improve their password security amid the threat. Microsoft is also warning the healthcare environment to watch out for sophisticated ransomware attacks that could target them through their VPNs and other network devices.
In particular, Microsoft singled out the ransomware campaign REvil (also known as Sodinokibi), which actively exploits gateway and VPN vulnerabilities to gain a foothold in target organisations. Following a successful exploitation, attackers can then steal credentials, elevate their privileges and move laterally across compromised networks, installing ransomware or other malware payloads.
As a result, the care providers need to act urgently to tighten their defences against cyber attacks to ensure their ability to deliver safe health care in this critical time. Please refer to our COVID-19 Q&A recap for more information.
What should care providers be covered for?
Cyber risk extends beyond that of costs to notify individuals. A good cyber policy should include the following key cover for care providers:
First Party Cyber Event cover
- Immediate 24/7 access to a cyber incident response hotline with low initial deductible for breach response costs
- Access to specialist third party vendors including public relations and crisis communication consultants, forensic IT and security experts, and law firms
- Coverage for loss of revenue due to business interruption that results from network or system downtime
- Cover for fines and penalties resulting from a regulatory investigation or breach of mandatory notification legislation (where insurable by law)
- Cyber crime cover [note: this is often an optional extension, so additional charges will apply]
Third Party Cyber Event cover
Guarding the privacy of customers and employees must be a priority. Cyber insurance should provide cover for third party liability brought against the organisation for:
- Compensation and defence costs which arise from claims brought by impacted customers or employees for privacy breach
- Third party privacy and breach management costs, including notification expenses, credit monitoringcosts and call centre services
Evidently, care organisations need to remain vigilant for a number of cyber threats, including malicious malware, human error and exploitation. Marsh’s expert cyber team, along with our dedicated Care Solutions practice, have a range of solutions and advice to ensure your facility is aware and safeguarded against a range of risks that could have a significant impact on your organisation and patients that rely on your services.
1 Landi, H (Fierce Health Care) ‘Healthcare Data Breaches Cost an Average $6.5M:report’, 23 Jul 2019: https://www.fiercehealthcare.com/tech/healthcare-data-breach-costs-average-6-45m-60-higher-than-other-industries-report
2Rodionova, Z (Independent) ‘Healthcare is now top industry for cyberattacks says IBM’, 21 April 2016: https://www.independent.co.uk/news/business/news/healthcare-is-now-top-industry-for-cyberattacks-says-ibm-a6994526.html
3Carey, A. (The Age), ‘Auditor-General hacked into hospitals to expose online security flaws’, 29 May 2019: https://www.theage.com.au/politics/
4Landi, H (Healthcare Innovation) ‘Report: Healthcare Data Breach Costs Remain Highest at $380 per record’ 20 June 2017 : https://www.hcinnovationgroup.com/cybersecurity/news/13028798/report-healthcare-data-breach-costs-remain-highest-at-380-per-record
5SOTI, 'Australian's unsure who is responsible for the safety of their healthcare data' 26 March 2019: https://www.soti.net/resources/newsroom/2019/australians-unsure-who-is-responsible-for-the-safety-of-their-healthcare-information/
6 Osman, H (Healthcare IT News) 'My Health Record system data breaches rise' 10 January 2019: https://www.healthcareit.com.au/article/my-health-record-system-data-breaches-rise