Posted on: June 29, 2017 by Manchester Specialty
May 2017’s WannaCry ransomware attack hit more than 250,000 victims in more than 150 countries, shutting down servers, locking data and causing business income losses and patient-portal problems in multiple instances. The United Kingdom’s National Health Service, for example, had 16 medical center data systems taken down in the attack. Medical care systems are of particular interest to cyber criminals: They hold private data worth a lot of money, they are critical systems that owners need for potentially life-saving/life-altering purposes, and they provide access to many other prospective victims’ systems.
For these reasons and others, home healthcare providers need to practice the most rigorous cyber security possible. Full employee training to avoid the human errors that give criminals an entry point is the first, best step, and it is tied integrally to immediately downloading all patches that your application and system providers make available. Monitoring access to your systems (and access attempts) is the next step. Knowing and logging who is in your system or attempting to get in can help you shut down or cordon off malicious activity before it metastasizes.
These three steps were sorely missing from many of the enterprises harmed by the WannaCry attack. Many of the groups affected were using out-of-date software that the producing companies no longer support with security patches. Unfortunately, not taking basic security precautions may disqualify an organization from procuring Cyber Liability insurance coverage. Without basic cyber protection/protocols and basic insurance coverage, payouts for ransom, the costs of recovery/restoration, and losses of business income will all come out of the business’s own pockets.
Depending on the damage done, such as privacy violations (think HIPAA), a home healthcare provider that fails to protect its data could face stiff regulatory penalties on top of the other costs. And, if physical harm were to come to a patient because of a home care company’s cyber errors or negligence, the company could also face a personal injury lawsuit—one that typically falls outside General Liability insurance coverage if there is a cyber exclusion clause.
All this said, it is clear that no home healthcare business is too small to become a cyber-crime victim. You must adopt stringent cyber-security practices and consider purchasing Cyber Risk insurance. These insurance policies cover many of the most common costs associated with cyber-security problems: notification of affected parties, credit-monitoring costs for victims, regulatory proceedings expenses, restoration of electronic data, ransom payments, business income and extra expenses associated with the attack, and public relations costs, to name a handful. It may also be possible to get coverage for an “inside job,” one where an employee is the culprit or abets the criminal. Many insurers now also provide proactive cyber risk management advice and access to third-party consultants who help customers avoid becoming a victim and respond if an attack occurs.
Though ransomware demands are typically pretty low, about $350 on average, just paying off the criminal isn’t a good answer. In many cases, the code given to decrypt the locked data doesn’t work, and in some cases other malware/spyware has been installed on your files while they were outside your custody. (Plus, who knows how to use bitcoin—the currency most often demanded by cyber thieves?) Dealing with that, plus the time to restore the data (and your company reputation), can cost days in lost business and potentially many lost customers. Why chance it? Your best bet is to partner with solid cyber-risk protection firms and get appropriate, wide-ranging Cyber insurance designed for the home healthcare industry.
As a provider of healthcare services, your company may well have online interfaces with doctors, hospitals, the Centers for Medicare and Medicaid Services, banking accounts, pharmacies and multiple other health, financial and government entities. Cyber criminals are always looking for pathways to sneak into those systems and may well blaze a trail through your company’s unsecured digital avenues. Don’t be the weak link. Be part of the solution by taking your own cyber security seriously and working with experts who can improve your systems.