Claud Bilbao, Cowbell’s RVP, Underwriting & Distribution UK, outlines a series of valuable lessons healthcare organisations can take from 2024’s string of cyber attacks.
As is the case across almost all industries, increasingly sophisticated cyber threats are becoming a huge concern for the healthcare sector – not least because the risk of extreme financial losses from these cyber incidents is also on the rise.
According to the International Monetary Fund’s (IMF) April 2024 Global Financial Stability Report, the size of extreme losses from a cyber attack has more than quadrupled since 2017 to $2.5 billion, leading to potential funding problems or even insolvency.
For the healthcare industry, however, a long-standing target for cybercriminals because its organisations own, process and store vast amounts of highly sensitive personal and clinical data, the concerns extend well beyond financial loss or reputational damage: patients' lives are also at stake.
Take the ransomware attack in June on Synnovis, the pathology provider partnered with King's College Hospital, Guy's, St Thomas' and other London hospitals. A breach of this nature is not just about extremely sensitive data being exposed. It was a major IT incident affecting almost all of Synnovis' systems, which significantly reduced its capacity to process samples. That in turn affected service users and frontline NHS colleagues, and put patients' health at immense risk.
This kind of attack is not confined to Europe either. The February attack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), in which criminals used compromised credentials to remotely access a portal that lacked multi-factor authentication (MFA), was one of the most widely reported. UHG CEO Andrew Witty authorised a ransom payment of $22 million in Bitcoin in an attempt to protect sensitive data associated with more than 100 million American patients. Beyond the financial blow and the number of patients affected, UHG's immediate decision to disconnect Change Healthcare's systems prevented further spread and effectively quarantined the threat, but it also left many providers temporarily unable to process prescriptions or get paid for their services.
Lessons the healthcare industry can take from the incidents
The healthcare organisations hit by cyber attacks this year are beginning to recover and are taking steps to prevent further impact. But what can others learn from these incidents, and what steps can be taken to substantially improve your organisation's cyber posture?
Enhance cybersecurity measures now
While it's true that threats may be getting more sophisticated with advances in AI, the most common attacks are in fact relatively unsophisticated and preventable with basic cyber hygiene. As the Change Healthcare case shows, the criminals took advantage of a remote-access portal with no MFA, a common, easy-to-deploy and low-cost control that significantly raises the bar for an attacker holding stolen credentials. The practical lesson is to enforce MFA on every externally reachable login, including remote-access and administrative portals, not only on user-facing applications.
With this in mind, educating the industry about the importance of MFA and the other controls that make up a broader, multi-layered security strategy is an obvious but critical lesson to take forward. That strategy might include encryption, properly configured firewalls, regular software updates and patching, network monitoring and regular security audits, as well as ensuring the workforce knows how to recognise phishing and social engineering attempts and what to do when they spot one.
Formalise a cyber incident response plan (IRP)
In the UK, health, social care and social work businesses are in fact the sector most likely to have a formalised cyber incident response approach (53% versus 22% of businesses overall), but there is still work to be done: almost half of organisations in this category are not properly prepared with communication strategies, legal considerations and recovery procedures for a cyber attack.
The first step in creating an IRP is to define its goals, its scope and the types of incident it covers, so that every team member understands its focus. It must also set out specific roles and responsibilities within the incident response team, with up-to-date contact details so that communication during an incident is swift.
It should establish clear reporting channels and the immediate actions to be taken to contain and mitigate impact, including how threats are isolated and eradicated and how systems are restored to normal operation, with thorough testing before restored systems are trusted again.
Documentation is also key to a good IRP: detailed records of each incident and the lessons learned feed policy updates and improvements, while regular training and simulations ensure the incident response team can respond effectively to a real incident.
Utilise support and expert guidance
There are many resources to help organisations both prevent and recover from an incident; industry associations, crime prevention agencies and cyber insurance providers all offer expert guidance. A standalone cyber insurance policy is also a financial safety net to fall back on, but organisations should ask their brokers about providers that offer risk assessment and management support as well. Cybersecurity analysts and consultants are trained in handling cyber attacks and the claims process, and can help healthcare victims navigate incident response and recovery. Most cyber insurance providers also offer free risk prevention services, including vulnerability assessments, threat intelligence and cybersecurity training, and some take a more holistic approach to cyber risk management, using continuous monitoring and real-time data to dynamically refine risk assessments and insurance offerings.
Remain proactive and adaptive in cybersecurity
For healthcare organisations, much like any other business, it's important to remember that the cyber landscape is constantly evolving, and so must your strategies for preparing for, protecting against and recovering from potential attacks. Essentially, don't stand still. Continuously review and assess your security measures to keep pace with emerging threats.
This advice goes beyond individual organisations. Policymakers, insurers and businesses alike need to work together to better understand, anticipate and mitigate evolving risks. Regulatory bodies can play a crucial role by updating regulations and guidelines regularly to keep pace with evolving threats, and by establishing mechanisms for businesses to give feedback on regulatory measures so that they remain practical and effective.
The bottom line here is that in this new, digital age, raising the standard of cybersecurity awareness and defences is crucial. Any business of any size, in any industry, can fall victim to an attack.
Not sure where to start? My advice is to talk to your CFO, Risk Manager, IT Professional, or cyber insurance company, agency or broker about ways to one-up your cyber hygiene today.