By Kerri Flores, Heffernan Insurance Brokers

The health care industry is under attack. In late October 2020, the Cybersecurity & Infrastructure Security Agency (CISA), along with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), issued an advisory warning that cybercriminals were launching a ransomware attack against the health care industry. This is merely the latest in a long string of cyber threats against the industry. Following are the three most common and harmful cyber threats for your business to be aware of in 2021 and beyond.

Threat #1: Malware That Holds Your Computer System Hostage

Modern health care facilities depend on electronic health records and other digital tools. If a ransomware program infects a facility's computer system and encrypts the files, regular operations may become impossible until the files are recovered. This actually happened in 2017 when the WannaCry ransomware attack forced some hospitals in the United Kingdom to cancel appointments and divert patients.

Ransomware attacks can cause expensive disruptions for all kinds of organizations, but for health care facilities, they can prove downright deadly. According to the National Law Review, various news reports indicate that a patient in Germany died after a ransomware attack delayed the urgent medical treatment she needed. This is believed to be the first death directly linked to a cyberattack on a hospital, but it may not be the last.

The FBI has urged organizations not to pay ransomware demands, as doing so can fund criminal activity and encourage more attacks, while there is no guarantee that files will be restored as promised. The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) also has issued an advisory warning that ransomware payments could violate OFAC regulations. Nevertheless, faced with no other way to resume operations, many organizations have decided they have no choice but to pay up.

The situation can become even more desperate with new versions of ransomware that don't simply encrypt data to make it unusable, but also threaten to release the data to the public.

Now, CISA, the FBI and HHS are warning about a cyberattack targeting health care organizations. According to the advisory issued in late October, malicious cyber actors are using TrickBot and BazarLoader malware to target the health care and public health sectors. The malware can result in ransomware, data theft and disruption. The advisory also warns that dealing with this threat during the coronavirus pandemic may become especially difficult.

TrickBot malware can be used to infect computer systems with Ryuk ransomware. Once Ryuk infects a system, the attackers typically demand payment via Bitcoin to have the files restored. Ryuk can also interfere with security applications that may be in place to prevent malware. This is an especially dangerous type of ransomware that has been associated with numerous, often very targeted attacks that result in large ransom demands.

Threat #2: Data Breaches That Expose Your Patients' Private Information

Health care facilities are especially vulnerable to cyberattacks because they have highly valuable patient records. Without access to this data, operations can be severely disrupted, and this can quickly become a matter of life and death for the patients impacted by the disruption. This means that hospitals may be willing to pay up quickly to restore operations as soon as possible.

All this data also makes health care facilities vulnerable to another threat: data breaches. Personal data is often sold on the black market. Medical records, which can be used in identity theft, fetch an especially high price.

Data breaches can occur in multiple ways. In some cases, they are linked to malware attacks, and some new ransomware attacks have included threats to expose data. Data breaches can also stem from computer vulnerabilities that allow hackers to access data.

Not all data breaches have high-tech roots, though. Data breaches can also occur when flash drives, laptops, other pieces of electronic equipment or even paper documents containing sensitive data are lost or stolen and fall into the wrong hands. It's also possible for employees or former employees to provide access accidentally or maliciously, or because they'e been tricked by someone.

Regardless of the cause, a data breach is a serious issue. Organizations that experience data breaches must follow data breach notification laws, and this can be costly. At the same time, organizations may be hit with regulatory fines for failing to keep records safe.

Fines are especially likely for health care organizations that must comply with HIPAA regulations. The HHS newsroom has numerous reports of organizations that were fined following potential data breaches, including these recent examples:

• The New Haven (CT) Health Department agreed to pay a fine of $202,400 to the Office for Civil Rights (OCR) at the HHS after it was discovered that a former employee may have accessed a file containing protected health information.
• Aetna has agreed to pay $1 million to settle three potential HIPAA breaches. One of the incidents involved web services that allowed access without login credentials and could be indexed by search engines.
• Premera Blue Cross has agreed to pay $6.85 million to settle potential violations after cyber attackers gained unauthorized access and caused a breach that impacted more than 10.4 million people.
• Lifespan Health System Affiliated Covered Entity has agreed to pay $1.04 million to settle potential violations after an unencrypted laptop was stolen.

Threat #3: Social Engineering Schemes That Trick Your Team

Cyber threats often rely on human error. Cybercriminals may use schemes to try to trick people into clicking malicious links, opening malicious attachments or providing sensitive information that can be used to launch an attack. Phishing attacks—and the similar but more targeted spear phishing attacks— often appear as legitimate correspondences, but are, in fact, launched by malicious cyber actors.

Business email compromise (BEC) schemes have emerged as especially insidious threats. In these schemes, the perpetrator typically targets a victim by posing as a legitimate party—such as a CEO, vendor or client—and engages in email communications to gain the victim's trust. Then the perpetrator will request a wire transfer or other transaction. In 2019, the FBI's Internet Crime Complaint Center received 23,775 complaints about BEC schemes and documented more than $1.7 billion in losses.

Health care organizations, like other types of organizations, are vulnerable to these attacks. Malicious cyber actors may also pose as health care organizations, the World Health Organization or the U.S. Centers for Disease Control and Prevention to manipulate individuals.

How to Defend Your Practice

To cybercriminals looking for valuable data, health care organizations might as well have targets on their backs. To avoid potentially devastating disruption and costs, proactive cybersecurity measures are needed.

• Have a cybersecurity expert assess your computer systems for potential vulnerabilities that hackers could exploit and take steps to reduce any risks that are found.
• Train all workers to follow basic cybersecurity measures, such as using strong passwords, running antivirus software and installing security patches as soon as they become available, as well as avoiding suspicious links and attachments.
• Protect portable devices. Protective measures may include implementing policies on remote work to limit risks and encrypting devices with sensitive data.
• Ensure that former employees do not continue to have access to sensitive files. Change passwords and take other measures as needed.
• Implement policies designed to prevent business email compromise schemes. For example, have procedures in place to flag external emails and to verify requests for funds or sensitive information made via email.
• Maintain secure backups of all essential files.
• Have a cyber-incident response plan in place. If a cyberattack occurs, prompt action is needed to mitigate the risk and to comply with all relevant data breach notification regulations.

Finally, be sure to protect your organization with robust cyber insurance. (See sidebar.) In today's world, cyber coverage is not a nice-to-have—it's a must-have. When you purchase coverage, your insurer may provide some valuable extras—such as risk assessment, compliance review and training—to help you prevent losses. If you're the victim of a cyberattack, your coverage will provide guidance and resources to help you control the damage.

AmSpa members receive QP every quarter. Click here to learn how to become a member and make your med spa the next aesthetic success story.

Kerri Flores is a client advocate at Heffernan Insurance Brokers. She specializes in helping health care businesses with their short- and long-term insurance goals. With five years of experience in the industry, she has helped hundreds of clients by finding innovative, reliable and cost-efficient methods of transferring risk. She can be contacted at 925.448.2612 or kerrif@heffins.com.