This article appeared previously in an edition of Western New York Physician magazine.
By Gregory C. Knicley and Mark J. Battaglia, Tompkins Insurance Agencies, Inc.
Cyberattacks are becoming increasingly commonplace, and they are a growing threat in the healthcare sector. In the three-year period from 2016 to 2019, according to Health IT Answers, cyberattacks in the medical community increased by more than 35%, with the vast majority consisting of ransomware attacks. Since that period, the COVID-19 pandemic has brought many changes. Telehealth became a norm, as did remote office work. In recent years, too, operational efficiency and patient care have improved significantly as the healthcare sector digitalizes more information and connects information systems at a rapid pace.
Inherently, these enhancements are good – for business, patient experience, and productivity. But with those changes, insecure remote access to medical practices became more prevalent. Attackers can more freely do what they do best: find the easiest points of entry, often on home networks, and do major damage from there. And as the healthcare sector digitalizes with increasing speed, so does its exposure; hyperconnectivity makes room for malware and other cyber threats.
All of these celebrated advancements come with a caveat. HIPAA Journal reported that 2021 was, in fact, the worst year for healthcare data breaches to date.
What’s clear is that with exciting advancements in how the general public and medical community use technology, there are growing pains. While these threats may feel far removed when all is well, it’s important to remember that they can (and do) affect organizations of all sizes, from small-town family medicine practices to major hospitals. Being knowledgeable and proactive can help mitigate risks. Below are five trends we’re noticing in the cyber liability space and ways to help reduce the odds of a costly – and disruptive – attack on your medical practice.
Last month’s attacks on Ukrainian government websites and Ukrainian banks are chilling reminders of the devastation that can follow when a network is infiltrated. They put many governments, including the United States, on high alert. What we all realized is that threats can come from outside of our own organizations and even outside of our own country. Without raising unnecessary alarms, being aware and on alert is always a good idea.
Before obtaining cyber liability insurance, there are certain risk management controls to consider putting in place. We recommend beginning with an up-front assessment of vulnerabilities and taking early steps to mitigate risks.
Ten-plus years ago, firewalls and passwords were the go-to for protecting an organization, but now there are several other technical controls that should be considered when designing your network, including multi-factor authentication. Continually patching and updating your network and the applications your organization uses – nightly, weekly, or on another appropriate cadence – is key, and not unlike the iOS updates on your iPhone.
A well-rounded risk management plan should also include spam filtering, phishing-awareness and information security training for staff (so that employees can identify red flags), and regular data backups as first lines of defense before obtaining insurance. Moreover, consider dedicating an internal team to monitoring cybersecurity threats and the security systems in place. Like all matters of technology, these systems are ever-changing. Having a team in place to monitor and update them when necessary can make all the difference.
It’s a challenging market right now, and companies seeking to obtain cyber liability insurance should anticipate higher costs. Prices have been on the rise for the past two to three years, with increases of 50% to 200% due to the spike in claims in recent years. Despite the potential for sticker shock, consider reframing the costs as an investment in the safety and security of your – and your patients’ – data. Any upfront security and insurance costs will pale in comparison to cleaning up a data breach crisis.
Ensuring you have the right level of coverage is critical. Different organizations have different needs depending on things like their size, types of data, and the tools used to carry out the work. Organizations with protected information, such as highly sensitive medical records, can become bigger targets and are subject to regulators and state data security laws, which should be a factor in determining how much liability coverage is needed. More recently, for example, healthcare organizations are using medical devices to a greater degree. However, these devices come with varying levels of security, some not nearly adequate. Prioritize device security by working with a medical device integration solution that enables isolation from networks and encryption of sensitive information in transit.
A false assumption many practices make is that they don’t need cyber liability insurance because they aren’t big enough to attract the attention of hackers. The truth of the matter is that cybercriminals regularly target smaller medical groups because many have an IT infrastructure that’s easier to break into. Think about it: someone managing various aspects of a medical practice on a laptop and through the cloud, or without multi-factor authentication for access, would be far easier to compromise.
Finally, if you’re not sure whether your organization is protected, take it as a sign that it’s high time to review your policy. It’s not so much a matter of whether you need cyber liability insurance, but how much. We know your list of to-dos is long, but we highly encourage you to stay on top of current trends and the latest risks – and adjust your sails if needed. Security is everything.