Executive perception that cyber risk will decrease over the next year is surprising, especially as the healthcare industry is one of the most heavily targeted for ransomware. It is concerning that this perceived decrease in risk might signal a pullback on IT security among overconfident organisations.
Healthcare and life sciences organisations that believe themselves to be protected simply because they have already taken steps to address cyber risk or because they consider themselves too small to be a target are misguided in their assumptions. In truth, no one knows what the new cyber threat will be; this is a risk that evolves swiftly, and organisations must be diligent to keep up.
"Cyber is a significant industry risk due to the sheer amount of personal, identifiable information attached to medical records. Each record contains an individual’s name, social security number, addresses current and past – basically everything needed to assume someone’s identity. This data is hugely profitable to those wanting to cause harm."
The healthcare sector overall has invested less money in security than other sectors². This makes healthcare organisations potentially more vulnerable targets.
Companies must recognise the allure that healthcare data holds for cyber criminals. Medical records cannot be changed or reissued, making a breach of this information particularly devastating to victims. If your credit card information is stolen, you can cancel your card and get a new one. The same can’t be done with medical information – this personal data remains valid regardless of who has obtained it, making it particularly attractive on the dark web – and thus a frequent target.
Hackers are less concerned with the size of a company than with finding a way in via the back door. If they can find their way into a system, they will simply take everything they can. The majority of cyberattacks are not targeted; cyber criminals throw out a phishing email and wait for just one employee to open that link. As a result, this is a risk that is relevant to organisations regardless of size.
Smaller companies, telemedicine organisations, and startups may be slow to invest in IT, simply because resources are limited and building a viable business comes first. They may be aware of the data threats, but in the rush to get to market, they don’t have time to prioritise true cybersecurity expertise. These companies are vulnerable simply because they haven’t thought through all the outcomes of being hacked.
In contrast, our experience has shown that larger, more sophisticated organisations generally invest more in their IT resources and are therefore more aware of cyber risks. They are usually in compliance with data protection and HIPAA laws, so they may also be confident about their cybersecurity, but they run the risk of complacency and failure to keep up with new threats.
"The healthcare industry uses the services of numerous external entities that will have access to IT networks, systems, and even physical data. A breach through one of these entities could lead to the breach of many others, so it’s essential to examine data security diligence and standards practices carefully when vetting service providers."
Elena Alhambra
Underwriting Manager, International Miscellaneous Medical & Life Sciences (London)
The bottom line: don’t underestimate cyber risk
Some larger healthcare organisations are fortunate to have IT teams in place to address cyber risk. But even these organisations need to be cognisant that risk prevention is an ongoing need. Systems must be tested regularly, and running vulnerability tests and performing patches are essential to ensure your security is up to date. In addition, consistent employee training must be incorporated into a strong cybersecurity program. Small startups, despite being lean, can utilise third party tools to follow security best practices and can leverage preexisting education materials to keep their team up to date on the shifting threat landscape.
Every company can benefit from thinking about a Plan B should a breach occur. They need to be aware of the risks and not rely solely on their IT team to handle risk mitigation. Organisations are well-advised to prepare for the potentially massive financial loss and to consider how they would mitigate risk and respond in the event of a breach. Insurance can not only provide financial protection, but also serve as a great resource and source of support before, during and after a cyber incident.
The information set forth in this document is intended as general risk management information. It is made available with the understanding that Beazley does not render legal services or advice. Although reasonable care has been taken in preparing the information set forth in this document, Beazley accepts no responsibility for any errors it may contain or for any losses allegedly attributable to this information.