
Healthcare is one of the most targeted industries for cyber attacks because of the vast amount of sensitive data it stores, especially the personally identifiable information (PII) kept in patient records.

Telehealth and online providers, who deliver their services by leveraging technology and data, are particularly targeted by cyber criminals because they present a broad attack surface in which vulnerabilities may be exploited.

While there are a number of protections that healthcare organisations can employ to safeguard their systems and private information, cyber criminals are constantly devising new ways to infiltrate systems or trick people into disclosing information that enables access.

The costs involved range from business interruption to legal actions and can take multiple forms — amounting to huge losses for the organisations involved.

Smaller businesses in the healthcare sector may not have the resources to deal with attacks and may struggle to recover financially, reputationally and in retrieving lost data.

Technology-related cyber security threats to healthcare providers: key areas

Sensitive personal data

If your organisation collects, stores, processes or has access to personally identifiable information (PII) or personal health information (PHI), both types of data are subject to regulations.

Local authorities govern how this sort of information is collected, used and stored, and failure to observe these requirements can result in regulatory fines and penalties.

If sensitive information is compromised through unauthorised access or disclosure, the affected individuals may need to be told about the breach and may need to be provided with credit monitoring services, involving legal and forensic costs.

Case study: privacy liability

A telehealth provider's systems were hacked, blocking access to its electronic medical records (EMR) software and disrupting care services; at the same time, patients' personal data was released on the dark web.
The Privacy Commissioner launched an investigation into whether the practice had met its obligations to protect patient data. The insurance covered the provider's privacy liability, the costs of the regulator's investigation, and the incident response costs arising from the cyber event, including legal and forensic fees and the engagement of a public relations firm to assist with crisis communications and protection of the provider's brand.

Operational downtime

Can your business operate without access to computer systems and the data they hold for hours, or even minutes? Many healthcare providers rely on technology for multiple functions, from record keeping to dispensing prescriptions via SMS.

This provides multiple potential access points for cyber criminals and makes healthcare practices more susceptible to ransomware and extortion. Attackers also frequently target and disable backups, leaving businesses with limited options for restoring data.

Technology providers servicing healthcare businesses

Healthcare-adjacent technology service providers may be liable for errors that cause injury or financial loss to patients of their client practices.

The outsourcing business may also be held liable for technology services provided on the practice's behalf and responsible for notifying affected individuals and the expenses of regulatory actions.

Providing patient services across multiple jurisdictions

As the regulations governing personal data are updated across Australia's different states and territories, healthcare businesses are subject to evolving responsibilities — and risks.

It's important to stay current with regulatory requirements in all regions where the business practises.

Accepting and using electronic payment systems

An increasing number of electronic fund transfers are being targeted, often by compromising email accounts, assuming a false identity and sending fraudulent payment instructions. As the underlying technologies evolve, these scams are becoming more sophisticated and convincing.

AI-driven attacks, such as deepfakes and AI-based exploitation, may not be adequately covered under traditional cyber insurance policies, so policies should be reviewed with this in mind.

Case study: extortion through remote access vulnerability

Using a scanning tool, a cyber criminal discovered that a telehealth provider had a Remote Desktop Protocol (RDP) port exposed directly to the internet.
Exploiting the provider's lack of strong cyber protections, the attacker stole electronic patient data, encrypted the provider's systems and left a ransom note.
The telehealth provider's insurance enabled it to mobilise a team of experts and covered the costs of negotiating with the cyber criminal, removing the attacker from the network and notifying affected patients of the breach of their data.

How cyber insurance offers essential protections for healthcare providers

Cyber insurance not only gives healthcare providers access to a range of technical experts to help get back online fast, it can cover the financial losses incurred as a result of business interruption and the costs of re-creating any corrupted data. It can also cover the reputational impact of cancelled contracts and customers choosing to go elsewhere.

How Gallagher can help

Brokers remain a critical source of guidance on cyber coverage, combined with expertise in healthcare sector risks and insurance solutions. In addition to cyber insurance protection, Gallagher offers expertise, advice and resources for building business resilience to withstand cyber security incidents.



Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312