Even as COVID-19 and its emphasis on telehealth have opened providers to greater cybersecurity risks, insurance policies that offer potential protection are becoming more expensive, and in some cases, harder to get.
Insurers are issuing 25% to 50% premium increases this year, reflecting a large number of ransomware payouts over the last year and a half, according to David Basham, an Atlanta-based broker for Willis Towers Watson.
Among the roughly 65 cyber insurers Willis Towers Watson works with, many are ramping up underwriting efforts, requiring healthcare providers to prove they’re doing more to protect their IT networks, hardware and data before providing quotes. When policies are renewed, insurers also may exclude more costs, set higher deductibles and require providers to pay steep co-insurance fees in the case of a loss or damage.
“We are seeing the cyber market harden,” Basham warned during a webinar last week.
Meanwhile, increasingly connected skilled nursing facilities are becoming more vulnerable to such attacks. Many may already recognize the potential costs of an attack, including paying a ransom, recovering or rebuilding data, replacing compromised hardware and paying fines.
Add in the industry’s growing use of telehealth platforms and remote monitoring technologies, and the implications get even scarier. A recent “bad actor” attack on a water treatment facility could have caused bodily harm, which should serve as an important warning for healthcare providers, Basham said.
“To have that kind of impact on a system and manipulate how a piece of equipment operates, the idea that they could potentially infiltrate equipment that is tied directly to a patient is not out of the question,” Basham told McKnight’s Long-Term Care News Thursday.
Still, Basham says cash-strapped facilities have to run a cost-benefit analysis when considering cyber coverage. He’s seen the number of nursing homes inquiring about cyber insurance increase tenfold. About half of those opt into coverage. Others decide not to because of budget constraints, or because they’d rather use those dollars to strengthen their infrastructure, Basham said.
Threats to SNFs grow
“Smaller organizations … can certainly still be targeted and have vulnerabilities even if they feel that they have their security controls airtight,” Basham said.
Phishing attacks, in particular, don’t necessarily target large or high-value businesses. Hackers cast a wide net and hope they can trick a system user into turning over key information or activating back-door access through malware.
“Over 60% of the incidents we see are attributable to someone clicking on something they shouldn’t have, losing something they shouldn’t have or someone just being angry,” said Basham, noting that 44% of his firm’s 2020 cybersecurity claims were related to malicious or accidental data breaches. “The majority of cases are still related to that human element.”
The threat of ransomware attacks is also becoming more real each year.
Last summer, Lorien Health Services, a Maryland long-term care operator with nine locations, reported identifiable data from 47,754 residents was stolen and encrypted by the ransomware strain NetWalker. The attackers posted screenshots of the stolen information after Lorien refused to pay a ransom.
The previous November, an attack on a technology vendor cut 110 nursing homes off from their patient and business records, preventing them from paying employees and ordering medications. Hackers unsuccessfully demanded $14 million in that case, which happened after a 14-month phishing campaign gave them control of administrators’ accounts.
“These supply chain type incidents are becoming more and more frequent and having major impacts on all of their customers who utilize their platforms,” Basham told McKnight’s. “Unfortunately, it sometimes takes experiencing an incident for many of the organizations to have that ‘wake up call’ to the real severity behind these cyber attacks.”
Layer on protection
Providers should take key steps to protect patient and business information even with cyber insurance, added Mark Owens, information security director for Prime Care Tech. The managed services and cloud software company hosted the webinar on April 14.
Ransomware attackers often access and encrypt the data they are holding, so even if that data is recovered, it may no longer be usable.
Owens suggested providers pursue a multipronged approach to data protection, with a “modern and managed firewall” that has features like geo-blocking to limit access to out-of-area attackers; access that is restricted to specific users and departments; and backups that are stored on separate servers in different locations.
Facilities also need to require repeated employee training about IT security, keeping in mind the going rate for resale of medical records is about $250 per record.
“People who have medical records have a huge bull’s eye on their back,” Owens said.