Why employers should care about cybersecurity
A recent assessment of cybersecurity preparedness among 17 industries showed healthcare ranked among the bottom performers.
The survey, conducted by SecurityScorecard, is particularly worrisome given how frequently hackers target organizations that handle healthcare data. Indeed, healthcare records are among the most valuable on the dark web, with the average credit card number and information selling for $.30 and a full personal healthcare profile fetching approximately $40 per record.
To address this escalating financial risk, the following highlights a few cyber-related business issues, the financial risks to healthcare companies and the tools management can employ to tackle these exposures.
Regulatory fines and penalties
Not only is healthcare one of the most hacked classes of business, it is among the most regulated industries. Since regulatory fines and penalties are a major exposure to healthcare companies, it is important to obtain fines and penalties coverage up to the full limit available, typically between $5 million to $10 million, in a standard cyber insurance policy layer.
Real world example: A regional clinic network discovered the benefits of cyber coverage when hackers gained access to sensitive patient health data and personally identifiable information of employees. While the clinic was able to notify breach affected patients and provide credit monitoring services for a year under the cyber coverage, a weak security architecture also drew the anger of several states attorney generals and the Office for Civil Rights because it was the second breach in 18 months. Fortunately, the expenses associated with the regulatory actions were covered under a comprehensive cyber policy that included coverage for regulatory fines and penalties.
Symantec’s 2016 Internet Security Threat Report estimates conservatively that more than half a billion records were lost or stolen in 2015 due to data breaches. The year ended with a record-setting total of 9 mega-breaches, with attacks against the healthcare industry, such as Hollywood Hospitals, attracting the most attention and headlines.
Several industry experts estimate that for each record stolen or cyber breach, businesses spent:
- Between $5 to $10 per person on notification expense;
- $9 to $10 dollars a month per record for credit monitoring;
- Crisis management expense ranging from $150 to $200 per hour;
- $300 to $500 per hour to restore damaged systems;
- A range of $200,000 to $500,000 in defense costs; and
- $150,000 to $300,000 on average in damages.
Companies need to assess their cyber and privacy vulnerabilities while evaluating the right cyber and privacy liability insurance based on need. Cyber liability is associated with electronic systems, Internet, network access and network security systems of an organization. Privacy liability is associated with privacy issues, specifically unauthorized dissemination, lack of protection for or release of personally identifiable information such as credit card information and social security numbers.
Nearly every company is exposed to cyber and privacy liability, but healthcare organizations (HCOs) are especially at risk as medical and business functions occur online. For example, HCOs accept credit card payments, manage devices and networks, and possess highly coveted “full ID” information from patients and employees. Breaches and liability costs include notification expense, credit monitoring, forensic expenses and crisis management. In addition, coverage for defense and damages is becoming another critical piece to include in a policy.
Real world example: A cyber liability policy covered $355,000 in credit monitoring and notification expenses for a large physician-owned clinic that suffered a breach due to exposure of health data and personally identifiable information of roughly 38,000 patients. Because the clinic had a comprehensive cyber policy in place, they were able to notify affected customers quickly and provide credit monitoring services for a year, thereby minimizing their out of pocket expenses and loss of business due to the breach.
The Federal Bureau of Investigation reports that between October 2013 and February 2016, law enforcement agencies received reports of business email compromise scams, also known as social engineering fraud, involving 17,642 victims. According to the FBI, complaints involving such fraudulent schemes have risen in every state and 79 different countries, amounting to more than $2.3 billion losses.
Similar to hacking, social engineering schemes are targeting businesses of all types and sizes. Given how prevalent and costly social engineering schemes have become, healthcare companies need to make certain they are covered for the actual loss of monies not reimbursed by a bank due to the scam. This is a complex cover area requiring an experienced broker.
Real world example: A scammer pretending to be the CEO of a large healthcare equipment company emailed firm’s director of treasury in an attempt to induce the transfer of $50,000. The scam email claimed the funds were needed to finalize a transaction. Fortunately for the company, the quick-thinking director noticed several red flags, including the fact that the request did not follow company protocol. Had the loss not been averted, the negotiated social engineering coverage would have paid the final loss of money from this attack (minus any bank recoveries).
Holding network-connected devices hostage for a ransom has become increasingly profitable for cybercriminals.
The Symantec report indicates that in 2015 ransomware – malicious software that is used to encrypt files and lock computer screens until a ransom release code is inserted – found new targets and moved beyond its focus on PCs to smartphone, Mac and Linux systems. According to some authorities, the average remediation and ransom cost is somewhere between $50,000 and $75,000.
Real world example: A senior purchasing manager at a hospital opened an email with a link purporting to come from a long-time vendor. Immediately after clicking on the link, the manager’s computer froze and a message flashed announcing that the computer had been locked. The message also warned that if company did not pay a ransom in 96 hours, this computer and other files would either be destroyed or remain inaccessible because of the ransomware. The management team reviewed their options, including the ransom amount and remediation cost, which totaled approximately $50,000. Since the company had a cyber policy with cyber extortion cover, the cost was paid in full less the retention amount.
These are a few examples of how choosing the right cyber coverage can provide healthcare companies critical protection from a threat that is real and growing. In addition, working with a team that has demonstrated success in handling different types of real-life cyber claims, and understands the intricacies of cyber threats is almost as important as the terms negotiated on a cyber policy.