Cyber-Insurance Considerations For Healthcare Providers Related To Ransomware

On May 7, 2021, the operator of a major pipeline system that
transports fuel across the East Coast fell victim to a ransomware
attack that resulted in a six-day shutdown. Over the following
week, East Coast stockpiles of gasoline dropped by about 4.6
million barrels and gas prices surged to their highest levels in
six and a half years. The 5,500-mile-long pipeline provides roughly
45 percent of the fuel supplies for the East Coast, representing
critical infrastructure for consumers from the Gulf Coast to
Linden, New Jersey. Under mounting public pressure to respond and
devastating losses to the company’s operational income, the
operator authorized a ransom payment of $4.4 million to hackers. On
May 31, 2021, one of the world’s largest meat suppliers
disclosed that it was targeted by a ransomware attack that forced
the company to shut down its meat processing plants in North
America. As the meat processing plants depend on automation and
computers for the production process, as well as processing of
orders, billing and shipping, the company had no choice but to shut
down operations. The company has not disclosed if it paid a ransom
as part of its efforts to get back online.

Health systems and healthcare providers, like public utility
companies and other service providers, are highly vulnerable to
ransomware attacks. In recent weeks, separate attacks disrupted the
IT networks of public healthcare systems
in Ireland and New Zealand and resulted in a
call for governments and industry to do more to hold cybercriminals
accountable. In 2020 alone, at least 91 U.S. healthcare providers
suffered attacks, up from 50 in 2019.

Criminal actors take advantage of unique network and
connectivity vulnerabilities to infiltrate health system servers,
encrypt data and prevent providers from accessing critical records.
Providers are then left with the difficult decision of whether to
pay a ransom to decrypt their records. A ransomware attack operates
on the premise that if the victim of the attack pays the amount
demanded, the criminals will provide software keys that decode the
data and enable the victim to continue its operations.

Increasing Impact of Ransomware on U.S. Healthcare

In a joint advisory from October 2020, the
Cybersecurity and Infrastructure Security Agency, the Federal
Bureau of Investigation and the Department of Health and Human
Services recommended not paying ransoms, as there is no guarantee
files can be recovered. However, ransomware attacks are typically
costly and highly disruptive for healthcare providers. In 2020, the
U.S. healthcare industry lost $20.8 billion due to downtime caused
by ransomware attacks. The University of Vermont Medical Center,
which suffered an attack in December 2020, is estimated to have lost approximately $64
million and furloughed 300 staff members as a result of the attack.
Nevertheless, ransom payments are controversial because they fund
and embolden criminal enterprises, leading to increasing ransom
demands. Last year, hackers demanded approximately $15.6 million
from more than 600 U.S. healthcare facilities, with at least $2.1
million of that amount paid.

Healthcare providers are uniquely vulnerable to ransomware
attacks for several reasons. Provider networks without tight access
control are highly susceptible to breaches. Furthermore,
web-connected medical devices and personal devices often do not
have built-in security features, enabling easier access to
important healthcare records. In addition, patient records —
which often retain medical records, payment histories and insurance
details in one place — may be compromised in cases of
improper disposal of patient information or the use of record
storage systems with deficient cyberattack protections. Security
risks have also increased as providers work remotely from home and
at COVID-19 testing and vaccination sites.

Importance of Cyber-Insurance Coverage

The increase in payouts related to ransomware attacks has
important implications for healthcare providers evaluating their
cyber-insurance coverage. Cyber insurance that covers the risk of a
ransomware attack has become widely available in recent years.
These types of policies or endorsements typically cover some or all
of the money spent to pay the ransom demand in the event of a
ransomware attack, allowing the policyholder to unlock its files
and systems upon payment and resume operations. This approach is
predicated on the assumption that, as a general rule, the ransom
amount will be less than the cost of replacing or restoring files
and equipment damaged or permanently locked as a result of the
attack, along with the associated downtime. However, if this ceases
to be true, cyber-insurance carriers will require insureds to
mitigate the damage rather than pay the ransom. Some insurers may
stop writing policies that reimburse customers for payments made in
response to ransomware attacks. (As one example, AXA, one of
Europe’s top five insurers, issued a statement on May 6, 2020, indicating that
it will no longer underwrite policies in France that reimburse
customers for extortion payments made to ransomware criminals.)

Over the past few years, cyber-insurance carriers have been
tightening their underwriting guidelines and scrutinizing
cybersecurity controls in greater detail. With the significant
increase in security risks resulting from the COVID-19 pandemic,
these trends will continue. Healthcare providers can also
anticipate more restrictive terms and conditions in their policies
as attacks continue and payment demands increase. These will likely
include more robust policy exclusions and sub-limits that cap
coverage for extortion payments. Insurers are also walking back the
costs they are willing to cover, such as the costs of investigating
and responding to attacks and lost operational income.

Preserving the Right to Coverage

Healthcare providers should, therefore, closely review the key
terms and limitations of their cyber-insurance policies or
endorsements. Most policies provide coverage only for costs
incurred after the insured notifies the insurance carrier that an
attack has occurred. Some policies also require the policyholder to
inform applicable law enforcement agencies prior to providing
coverage for any costs incurred. Further, insurers require prior
approval of the payment of any ransom. Accordingly, to preserve
their right to coverage, healthcare providers should have a basic
understanding of the coverage provisions of their cyber-insurance
policies and, in the event of a security incident, work with their
insurance agents or brokers, and counsel, to confirm they have
satisfied all of the insurer’s notice-of-loss requirements.

Additional Coverage Specific to Cyberattacks

Healthcare providers should also consider obtaining coverage for
the following types of expenses, which are usually associated with
services related to a breach of protected personal information
(PPI) during a ransomware attack:

  1. Crisis assistance services. These types of services generally
    include (i) providing notices of the attack to individuals whose
    PPI may have been improperly accessed, lost or stolen by the
    hackers; (ii) establishing a call center for impacted individuals
    to receive information; and (iii) designing and hosting a website
    for advising of any purported access, loss or theft of PPI as a
    result of the attack.
  2. Credit monitoring services.
  3. Identity theft services.
  4. Fraud resolution services.

Steps to Prevent Ransomware Attacks

To prevent ransomware attacks, healthcare providers should back
up their data to offline sites so the data remains accessible in
the event of a ransomware attack. Having local copies of backups is
preferable, since downloads from clouds are time-consuming and
costly. Experts also recommend that providers install monitoring

Read More: Cyber-Insurance Considerations For Healthcare Providers Related To Ransomware