The National Security Agency (NSA) Cybersecurity Directorate and the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) recently issued an emergency directive to Microsoft Windows 10 users, including healthcare organizations, to patch critical vulnerabilities and beef up their cyber security defenses in the face of new cyber risks. The NSA advised Microsoft of a bug, prompting the tech giant to release software fixes to address 49 vulnerabilities.
Without the corrective measures, according to the NSA, attackers will be able to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Healthcare providers, with their many servers and connected devices and their work with multiple third-party entities, are prime targets for cyber attackers seeking to infect their systems and compromise the integrity of the valuable confidential patient data they possess.
“The consequences of not patching the vulnerabilities are severe and widespread. Remote exploitation tools will likely be made quickly and widely available. Rapid adoption of the patch is the only known mitigation at this time,” the NSA said.
In addition, Microsoft is ending its support for the Windows 7 operating system, which will make those enterprises using this version more vulnerable to malware and hacking.
The message is clear: It’s important that healthcare organizations – from hospitals to medical facilities, home health care providers, and hospice, among others – beef up their cyber security by taking the steps now to upgrade and migrate their systems.
Healthcare Sector: Prime Target for Cyber Security Breaches
Healthcare is one of the top sectors impacted by cyber crime. In fact, cyber criminals are increasingly targeting hospitals and healthcare organizations, with attacks jumping 60% in the first nine months of 2019, compared to all of 2018, according to a report published by anti-malware firm Malwarebytes. The healthcare industry also tops the list for the average cost per record at $429 as a result of a data breach, according to a recent IBM Security report. Compare this amount with the hospitality industry, for example, which has an average per-record cost of $123 as a result of a breach.
Typical expenses from a data breach consist of:
- Detection Costs: Forensics to pinpoint whether a breach occurred and how it occurred.
- Notification Costs: Notifying patients who potentially had their data compromised in the breach and communicating with regulators. This may include help-desk activities/inbound communications and regulatory interventions (fines).
- Post-Data Breach Response Costs: Includes costs associated with redress and reparation along with crisis management to manage public relations in the wake of a breach.
- Lost Business: Includes the cost of system downtime, business disruption and reputational damage.
The cost of a breach also impacts organizations beyond the first year. According to the IBM report, businesses in general incurred an average of 67% of data breach costs within the first year. However, 22% of costs were incurred in the second year and 11% of costs occurred more than two years after a data breach. Organizations in high regulatory environments, such as healthcare, experienced a longer tail of costs: 53% in the first year, 31% in the second year and 16% more than two years after the incident.
Cyber Liability insurance is critical for healthcare organizations to address the costs associated with a data breach and other cyber-related threats such as phishing, ransomware and cyber extortion. Together with a strong cyber security plan, Cyber Liability insurance assists healthcare providers in mitigating and transferring their risks.
Manchester Specialty Programs offers the Home Care, Allied Health and Human/Social Services sectors a comprehensive, industry-tailored Cyber insurance solution. For more information about how our Cyber program can help protect your insureds, please contact us at 855.972.9399.
Sources: Fierce Healthcare, NSA, IBM Security