Have you been hacked yet? You will be


Whether you’re running a large hospital or a small GP or specialist practice, you need to ask yourself what you are going to do when you get hacked. Because you will be.


Former FBI director Robert Mueller said famously more than a decade ago: “There are two types of companies, ones that have been hacked and ones that will be”, to which he added not long after a third category, “ones that will be again”.

Jess Millen, business development manager with global cyber insurance company Coalition, told Health Services Daily this week that as a rule healthcare providers try to avoid thinking about being hacked.

It’s an understandable emotion given how complex, expensive and scary the issue can be, especially for healthcare groups, which are among the most targeted institutions and companies globally for the value of their data.

Ms Millen is of the view that traditional insurance models aren’t fit for purpose to meet the rapidly iterating threats presented by cyber criminals, and how people view traditional insurance can be part of the avoidance problem.

“In 1975 a large proportion of the value of a business [83%] was driven by tangible assets, the business that we’ve got, the office that we’re in, the people that we’ve got, maybe even cash, whereas last year, the value of a business would come mostly from its intangible assets [90%], its IP, the trade that it does about e-commerce, the information that it stores on other people,” she explained.

That changes a lot about how we need to think about insurance according to Ms Millen, most especially for healthcare, because in the last five years healthcare organisations were breached 62% more than the next highest industry (which is the public sector).

According to the Office of the Australian Information Commission and the Sophos State of Ransomware in Healthcare 2024 report, last year the average Australian ransomware claim for healthcare providers was $355,000, the average cyber claim was $134,000 and 78% of healthcare organisations that were hacked took more than one week to recover from a ransomware attack.

The major points of breach were electronic medical record systems, medical devices, patient portals and telemedicine platforms, and the most sensitive information hacked included biometric data, private patient health records, financial data and employee information.

Which types and sizes of healthcare organisations were the most attacked?

According to Ms Millen, any type of provider, big or small, is in play; the key factor determining whether a healthcare provider is attacked is nothing other than “is there a weakness in their systems we can exploit”.

“It’s not spearphishing, it’s trawling, it’s very opportunistic,” she said, emphasising that small providers weren’t any less of a target because they were small, given the array and number of bad actors in play.

A key change in thinking around traditional insurance versus cyber insurance is that cyber insurance providers are first technology companies and consultants and then insurers, according to Ms Millen.

Coalition’s CEO is the former CEO of major global cloud security outfit, Cloudflare.

The biggest change from the old asset-based model of insurance is that cyber insurance focuses heavily on proactively identifying risk on an ongoing basis. That’s why Ms Millen describes her company as a tech group first, because a lot of Coalition’s business is the same work that the major cyber security firms are doing around the world.

Coalition focuses first on risk assessment and monitoring, with a view to prevention, but also provides extensive services in response to an attack. A lot of Coalition’s initial client contact has started when a group has been hacked, says Ms Millen.

Actual insurance cover comes last.

When assessing a client, the group often identifies vulnerabilities up front through extensive stress testing, which establishes a baseline for protection and feeds into the assessment of risk.

Prior to the major US hack of Change Healthcare last year, Ms Millen says that, as part of assessing the group for cover, Coalition identified a weakness on one of its Citrix servers and alerted the company to it, but the company failed to act.

The Change Healthcare hack was described by the CEO of the American Hospital Association as “the most significant and consequential incident of its kind in US healthcare system history”.

Change Healthcare played a key role in managing clinical criteria for pre-authorisation, verifying coverage, and processing patient claims to third parties across the entire US network of insurance providers.

The attack took the operations offline intermittently for weeks and resulted in 6 terabytes of data being stolen, which included the personal information, payment details and insurance histories of millions of US citizens. The rumoured ransom payment was US$22 million but the loss to the US economy was around $1.6 billion.

But Ms Millen emphasised to the AIDH audience at the Primary Care Digitally Connected conference on Tuesday that the size of an organisation was still not the deciding factor in an attack.

HSD asked Ms Millen if having about 75% of Australian GP practices still using onsite servers was an existential risk to the sector and she said that the same principles applied.

“In some cases things will be fine because in some ways the risk is isolated, but all of these groups need to consider the principle that bad actors aren’t discriminating,” she said.

“Where they can find a weakness they will go in. There’s likely going to be many points at which old systems like these have such weaknesses. It can be as simple as an employee opening the wrong email.”

Asked what practices with old set-ups could do, Ms Millen pointed to a few key things: making sure all records are backed up securely offsite at least once a week, and making sure staff are drilled in security procedures, including password protection and how to handle suspicious external communications.

But Ms Millen said that every provider needed to ask themselves what the maximum disruption and cost to their business might look like, based on their best efforts at protection, because the risk of breach was always high.

Given the average down time for Australian providers last year was at least one week, even small providers can weigh up what that might cost them, even if they do have secure backup of their key records and protocols for restoring systems and data.

Ms Millen told Health Services Daily that there was a perception that cyber insurance was hugely expensive and so small groups sometimes worried about the ROI.

She said that this was not necessarily true because proactive insurance groups assessed systems and risk upfront and cost was based on risk.

“If big risks are identified upfront most people do something about them straight away which is part of the model,” she said.
