Cyberattacks – from data breaches to ransomware and extortion claims – are on the rise, including in the health care industry. For example, through October of this year, 66 ransomware attacks have already occurred on 1,568 medical organizations, leading to more than 7.3 million breached patient records, according to Comparitech, a cybersecurity research firm. There were 84 ransomware attacks on health care entities in 2022.
The spike in cyber threats has government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), calling for a reboot of cybersecurity measures across the health care sector – from large integrated health systems to hospitals, IT vendors, medical device manufacturers, and small, independent practitioners.
Recent High-Profile Health Care Breaches
One high-profile case involved Johnson & Johnson Health Care Systems in which a data breach exposed the protected health information of thousands of people using its Janssen CarePath patient assistance program. IBM manages the application and database of the Janssen CarePath platform. The information accessed by the cybercriminals included names, contact information, dates of birth, health insurance information, medications, and health care conditions. A class-action lawsuit was filed against IBM and Johnson & Johnson Health Care Systems, claiming they failed to properly secure the individuals’ protected health information and those failures violated HIPAA’s Privacy and Security Rules, according to The HIPAA Journal.
The MOVEit software breach, the largest cyberattack this year, affected 1.2 million patients across the country among the many millions impacted across multiple industry sectors, according to a filing with the Department of Health and Human Services. MOVEit is a tool used by hospitals, health systems, corporations, and government agencies to share large files over the internet, with the breach resulting in a serious ransomware threat against critical infrastructure.
The Importance of an Effective Cyber Incident Response Plan
The HHS Cybersecurity Program provides the health care industry with vetted cybersecurity practices to help mitigate cyber threats. The HHS also stresses having an effective cybersecurity incident response plan in place.
A cybersecurity incident response plan explains the duties and responsibilities of key individuals in the organizations, including workers and third parties, in the case of a cybersecurity incident. The plans should include:
- Contact information for all individuals involved in the response
- Documented policies and procedures that take a systematic approach to responding to incidents
- Plans for communicating with affected parties
- Standard protocols and playbooks tailored to the organization and specific types of attacks
- Documentation and notification requirements
- Steps to measure the effectiveness of the response to improve the plan for future incidents
A cybersecurity incident response plan should also include a data backup strategy, disaster recovery plan, emergency mode operations plan, strategies and processes for testing and updating contingency plans, and an application and data criticality analysis. Additionally, the plans should contain procedures for minimizing the incident, preserving evidence, and recording the incident and outcome.
Cyber Insurance
Cyber Liability insurance is critical in helping health care entities with the costs involved with a cyber incident. We provide a Cyber program for health care organizations that can be packaged with our Liability and Professional Liability policy. Or you can offer clients more robust coverage with a stand-alone policy. Our program includes the following coverages:
- Security Breach Expense
- Security Breach Liability & Regulatory Proceeding Expense Sublimit
- Replacement or Restoration of Electronic Data
- Programming E&O Liability
- Extortion Threats
- Business Income & Extra Expenses
- Crisis Public Relations Expense
Additional policy enhancements are also available as well as access to cyber management and loss prevention assistance through our carriers and third-party consultants.
About One80 Intermediaries/Manchester Specialty
Manchester Specialty, a division of One80 Intermediaries, is a national specialty underwriting and insurance program management firm, licensed to do business as a program administrator in all 50 states and the District of Columbia. Our agent/broker partners and their Allied Health clients look to us for our expertise, broad product capability, and commitment to the market, as well as the quality and stability of our insurance programs for Home Care, Medical Staffing, Allied Health and Human Services organizations. For more information, call us toll-free at 1-855-972-9399 or visit Allied Health Firms – One80 Intermediaries.