In 2020, more than a third of healthcare organizations in America experienced a ransomware attack. These events often fly under the radar, but that doesn’t make them any less devastating than incidents that make headlines, like the recent attack on the Colonial Pipeline. According to a study by Sophos, the average ransomware attack on a healthcare organization costs more than $1 million — but ransomware attacks have more than just a financial impact.
“Hospitals, medical facilities, and their physicians have sensitive patient information on their systems,” says Monica DiCesare, chief underwriting officer at IronHealth®, a division of Ironshore. “That information is critical to protect, because it’s critical to ensure patient safety.” A cyberattack could put patient lives at risk and open the hospital to even more costly medical malpractice and liability claims. Here are three interconnected risks that healthcare organizations might face in the wake of a ransomware attack — and how they can help mitigate their exposure.
1. Encrypted data and medical malpractice suits
Doctors and nurses rely on technology to do their jobs — so when those systems go down, hospitals are at an increased risk of medical malpractice suits. “We’ve become so reliant on technology. When we don’t have that technology and data, we become inhibited. The physician can’t practice medicine to its fullest, which can later be construed as negligence, because they weren’t able to provide adequate or appropriate care,” says Dennis Cook, president of IronHealth.
Lack of access to patient data is a major problem for healthcare providers. When bad actors encrypt critical patient data, like drug allergies or prescription information, healthcare workers are more likely to make a mistake that may harm a patient. Delayed lab reports and other critical information may cause hold-ups in treatment, which can have dangerous consequences. On top of that, ransomware attacks can also lock intake systems. That means that ambulances carrying patients in critical condition may be rerouted to facilities miles away — costing precious time that many patients can’t spare.
In fact, the first medical malpractice suit alleging a ransomware-related death is already making its way through the courts. In July 2019, ransomware paralyzed the systems at Springhill Medical Center in Mobile, Alabama. Computers across the hospital went down, including those carrying data from fetal heartbeat monitors in 12 delivery rooms. The suit alleges that this outage led to the death of a newborn baby. The outcome of the case won’t be known for some time, but the human cost of ransomware is undeniable.
2. Hacked medical devices and product liability
Hospital information systems aren’t the only targets of cyberattacks. Medical devices themselves can be targeted by hackers. Insulin pumps, ventilators, and pacemakers can all be compromised by cybercriminals. In fact, in 2017, the FDA recalled implantable pacemakers because of cybersecurity vulnerabilities; the fix was delivered as a firmware update rather than surgical replacement of the devices.
What can healthcare organizations do to help reduce risk? “Making sure your medical devices are using the most updated software and having all the patches in place can go a long way in protecting yourself against these attacks,” DiCesare says. Cook adds that “Healthcare facilities are used to emergency and disaster planning. Cyber preparedness should be no different. Running through emergency planning for a cyber event should reflect that disaster preparedness approach.”
Hospitals can help keep patients safe by carefully vetting all medical device vendors during their procurement processes and ensuring that purchased equipment has adequate cybersecurity protection, including ongoing patch support, throughout its service life.
Healthcare systems are not the only ones that can face product liability risk because of a ransomware attack. Medical device manufacturers can also be found liable for unprotected equipment. That’s why it’s critical that hospitals do their due diligence when selecting machinery and ensure that manufacturers and vendor partners understand how a cyber event can impact devices and have the necessary safeguards in place.
3. Billing errors and compliance concerns
Finally, hospitals can come under fire from governments and advisory boards if a hack leads to billing errors. Cybercriminals can infiltrate and miscode billing systems, which can lead to overbilling and even embezzlement. “The hacker could be siphoning off that money without the facility realizing. And then, when the bills aren’t adding up, the healthcare system can be hit with large penalties,” says Cook.
Government agencies are aware of the increased risk of ransomware attacks on healthcare organizations and are taking steps to mitigate risk. Both federal and state governments are continually updating cybersecurity compliance policies to ensure that organizations take the necessary steps to protect themselves. Some states have even considered banning healthcare organizations from paying ransoms, to help reduce the appeal for bad actors to engage in cyberattacks.
Notes Cook, “That could lead to another type of regulatory concern for healthcare facilities. Will they comply or will they pay a ransom to gain back access to the critical information they need for patient care?”
Protecting patients — and hospitals — from cyberattacks
Cyberattacks are more than just a costly event — they can have lasting repercussions on patients, their families, and healthcare organizations. To help protect patients and their own reputations, hospitals should work with their insurance companies to evaluate these complex, interconnected risks and better understand their coverage needs.
To address these complex exposures, IronHealth, a division of Ironshore, takes a collaborative approach. DiCesare explains: “Not only do we have the policies; we also offer support from a risk-management viewpoint. We are looking to point our clients in the right direction when it comes to the solutions they need to address the risks where cyber and healthcare intersect. We’re equipped to partner them with the right experts, so they’ve got the right risk-management plans in place.” With this expertise and support, healthcare organizations can better prepare for attacks and better protect their patients.
The information on this website is general in nature and is provided as a courtesy to you. It is accurate to the best of Liberty Mutual’s knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks, or as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstances. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.