Cyber Risk Aggregation in Healthcare

Cyber risk aggregation arises both internally and externally to the organization, and represents a multiplier effect to the scale and scope of a cyber incident. As healthcare organizations rely increasingly on data, connectivity and outside services to support their business platforms, a single cyber incident has the potential to impact more of the organization, and a greater number of its peers, partners and vendors (all of them likely cyber insureds), with resulting aggregated exposure to cyber insurers and reinsurers.

The risk to individual healthcare organizations is that they suffer larger losses than would otherwise be the case, and the risk to cyber insurers is that they suffer losses from the same incident under multiple policies without having correctly priced that risk or managed their capacity in light of that aggregation risk. Ultimately, both are a concern to risk managers looking to manage their exposures and secure stability.

Within the organization, aggregation can arise from a lack of segregation of data and systems—for example, centralizing too much data in one depository or allowing one individual too much access to data by not implementing access controls based on need. In both cases, a single event has the potential to affect more data than necessary for the good running of the business.

As healthcare has experienced an explosion of ransomware attacks in recent years, we see clearly that organizations that segregate data and systems are more likely to deny intruders access to all their resources, helping to stem the attack and get the organization back up and running faster.

It's a classic example: A physician downloads unnecessary data onto his laptop, which is then stolen from the trunk of his car. This represents a larger than necessary risk that can be addressed simply by implementing the correct protocols.

At the same time, healthcare organizations rely increasingly on single vendors/partners to support operations across their entire business. This ranges from a single EHR provider to a businesswide cloud provider, endpoint security provider or IT service provider. This concentrates the internal risks so that a single incident will affect multiple departments, locations and operations.

Similarly, a physician group might have its revenue stream exposed to a cyber incident at its key hospital employer, which is itself the victim of a cyberattack and unable to stay open for business.

These internal instances of aggregation of cyber risk and effect are contrasted with external threats and consequences that are growing as healthcare organizations outsource and share data with each other through an increasingly complex network of connections, relationships and dependencies. The chain of connectivity among providers and payors, affiliates and counterparties, and their vendors of all types creates the potential for a single incident to affect each of those entities, multiplying the resulting damage and cost of that one incident. This common vulnerability to threats and incidents that simultaneously (or consequently) affect multiple organizations is a concern for healthcare organizations and their insurers (and reinsurers).

There are many examples of this already both inside and outside healthcare. A major health plan breach in 2015 surprised many in healthcare by affecting not only the plan itself but also the providers accessed by the plan’s members. Some of their cyber insurers were surprised, too, having failed to make or understand the connection between a major plan’s members and their simultaneous existence as patients of providers. The breach prompted not only the plan to put its cyber insurer(s) on notice of the incident, but also caused many providers to make equivalent notice under their cyber policies of the exact same incident/situation and the same patient/member individuals. The cyber market reacted immediately to this unexpected aggregation of risk, withdrawing capacity (and in some cases, open quotes) for healthcare organizations and causing rates to increase, particularly for health plans.

In 2017 a major provider of voice and language services to the healthcare sector was one of many victims of the global NotPetya cyberattack, which was designed to cause business disruption and destroy hardware and data. NotPetya spread on its own, infecting computers across continents, and is thought by many to have been instigated by a state intelligence or cyberwarfare agency—yet another possible aggregation risk.

The WannaCry ransomware attack affected more than 230,000 computers worldwide by encrypting data and demanding ransomware payments. This example of systemic cyber risk caused losses that are estimated to aggregate from hundreds of millions to billions of dollars, but (happily for cyber insurers) most of the affected parties were not insured, a situation that is less likely nowadays. The Mirai botnet is another recent example.

The use of a single EHR creates aggregation risk within the provider (as a loss of access will affect operations across the business) and also at all the other affected providers that use the same EHR with the same vulnerability. In this way, one cyber insurer may see losses under multiple policies from the same triggering cyber incident (at the EHR), and one reinsurer may then see losses from multiple reinsureds. The aggregation works itself up the chain, ultimately concentrating that loss among fewer parties.

Indeed, cyber insurers (and their reinsurers) are paying increasing attention to their aggregation risk, just as they would for earthquake risk. The difference with cyber risk is that the threats are changing and the underwriting data is very incomplete—it’s a challenging task for insurers to measure and model their exposure to all the concentration points, including aggregate exposure to cyber terrorism. In this soft market, it is not uncommon for insurers to write cyber policies with minimal information, including information about vendors. A recent report by Lloyd’s of London and Cyence concluded that a catastrophic attack against a cloud provider could result in losses of $53 billion in just a few days.

At the same time, as the risks change and we stay in a soft insurance market for cyber, the coverage is broadening and single incidents have the potential to trigger multiple insuring clauses in the cyber policy, effectively cramming more loss into the available limit. For example, a ransomware incident might trigger the need to incur forensics fees (to determine what data is at risk and to what extent the attackers have gained access/control); payment of ransom; breach response costs (legal and notification regarding PHI exposed); business income loss; data restoration; hardware replacement; and regulatory defense, fines and penalties. The policy limit needs to be reasonably sufficient to address all these buckets of costs—another point of concentration or aggregation of risk.

Healthcare risk managers can take the following steps to address the various aggregations (batching) of cyber risk:

• Inside the organization. Partner with security and privacy teams to address aggregation of cyber risk internally, and communicate the positive aspects of the management of those risks to cyber insurers.
• Outside the organization. Understand the aggregation points caused by relationships and reliance on partners and vendors, and work with security and legal to manage those risks.
• Vendors/business associates. Vendors must be vetted as far as possible—your business depends on it. This means due diligence before entering a contract, as well as securing a Business Associate Agreement that holds your vendors responsible as far as possible, limits their use of subcontractors, clarifies their use of your data, allows you to associate with their response to an incident, and includes your right to monitor and audit, etc.
• Insurer (and reinsurer). Choose your cyber insurers with an eye on their understanding and commitment to writing healthcare cyber risk, as well as their financial capacity for risk within their cyber book of business (including retained versus reinsured capacity).
• Cyber insurance. Select a policy limit that, reasonably and to your desired confidence level, will address the loss and liability that could arise from an incident that triggers multiple insuring clauses. Make sure that the policy covers cyberterrorism.

In summary, as healthcare organizations centralize and standardize their operations, becoming ever more connected to vendors and partners, those relationships create ecosystems that are vulnerable to systemic (aggregated) cyber risk, both internally and externally. In response, healthcare risk managers can consider the internal and external cyber threats, communicate positively with insurers, and secure risk transfer that addresses the aggregations of cyber risk.

For more information on cyber risks in the healthcare industry, contact Trevor Weyland or a member of your Gallagher team.