Healthcare Ransomware Attacks Double, Driving Up Cyber Premiums

Across the board, we’ve seen a rise in cybercrime over the past few years, and the healthcare sector is being hit especially hard. HIPAA Journal reports that between 2009 and 2022, there were a combined total of 5,150 healthcare data breaches of 500 records or more.

Healthcare data breaches have continued to rise over the last decade. (Source: HIPPA Journal)

Not only is the frequency of healthcare data breaches rising, so are the resulting costs. According to IBM’s 2022 Data Breach Report, the average total cost of a healthcare data breach is $10.10M. This puts healthcare in the lead for the highest average data breach cost for any industry for 12 straight years. 

Healthcare leads the way as the industry with the highest average cost for a data breach. (Source: IBM)

Rise of Ransomware Attacks in Healthcare

A data breach occurs when someone gains unauthorized access to sensitive or confidential data, like names, addresses, birthdates, social security numbers, and credit card numbers. For healthcare organizations, this might also include medical records and insurance information. 

Although there are a number of different types of data breach attacks (phishing, DDoS, malware, and keystroke recording, just to name a few), the sharp rise of ransomware attacks on healthcare organizations is particularly troubling. 

According to a recent study published in JAMA by researchers at the University of Minnesota and University of Florida, ransomware attacks on U.S. healthcare organizations more than doubled from 2016 to 2019 (from 43 to 91). In that five year span, a total of 374 ransomware attacks exposed the personal health data of almost 42 million patients.

Ransomware Attacks Cripple Healthcare Business Operations

In a ransomware attack, a cyber criminal holds an organization’s data “hostage” by encrypting it and denying access. The criminal demands a ransom fee in exchange for releasing access back to the organization. In other types of data breach attacks (phishing or malware, for example), the goal is to steal data. But in the case of ransomware, the goal is typically to disrupt business operations so severely that the organization is compelled to pay the ransom. 

Though disruptions to business operations can cripple any business, for healthcare organizations, disruptions such as these can have life-threatening consequences. The University of Minnesota and University of Florida researchers explain: 

“News coverage of individual attacks suggests that ransomware attacks are substantially disruptive to care delivery, with reports of computers and electronic health records being disabled or encrypted, clinicians forced to document care using pen and paper, appointments and surgeries delayed or canceled, emergency departments forced to divert ambulances, and practice infrastructure so damaged that some practices have opted to close rather than try to restore systems.”

The researchers found that facilities most commonly impacted by ransom attacks are clinics, followed by hospitals, delivery organizations, and ambulatory surgical centers. 

Lack of Reporting Masks Full Impact of Ransomware

In their report, researchers noted that the true number of healthcare ransomware attacks is actually larger than what they reported. The federal database intended to document and track these breaches is woefully lacking. Although healthcare organizations are required to report breaches, some don’t, and a staggering 58 percent report outside the mandated 60-day reporting window. 

In addition, the federal database’s reporting doesn’t collect important information necessary to fully understand the scope of ransomware damage. For instance, there’s no requirement to report the operational disruptions experienced during an attack or whether paying the ransom actually resulted in data being successfully and safely released. 

Impact of Data Breaches on Insurance Coverage

Ransomware is one of many important coverages within a Cyber Liability policy. Though specific terms can vary depending on the policy, ransomware protection can help a company recoup the financial costs associated with an attack, which can be profound. 

On average, downtime for a ransomware attack is 23 days. During that time, healthcare facilities may need to cancel appointments or send patients elsewhere, which translates to a loss of income. Those business income losses can tack on an additional 30-45 percent to the total cost of a ransomware attack.  

Even more troubling, the total cost of a ransomware event has been steadily rising. According to Lindsey Nelson, cyber development leader from CFC Underwriting, “We’re seeing it cost 10 times the amount of what a ransomware event would have cost about three years ago, so naturally the market has had to respond to that.” 

In an effort to curb their losses, carriers are raising premiums, reducing coverage limits, increasing retentions, adding coinsurance clauses, and tightening up on security control requirements.

Demonstrating Cyber Resiliency Is Key when Negotiating Terms

When reviewing cyber policy applications, cyber underwriters are paying more attention to things like security controls, data management, and their business resilience plans. It’s imperative that healthcare organizations demonstrate their ability to not only protect themselves against attacks, but also provide specifics on incident response plans in order to guard against losses in the event of an attack.     

Jencap’s specialized cyber brokers provide the knowledge, guidance, and market access required to secure a comprehensive insurance solution for your healthcare clients. Contact our cyber experts for more information.