Cyberattacks on Health Facilities: A Rising Danger

By Max Dorfman, Research Writer, Triple-I

As cyberattacks have increased in recent years, one area of particular concern has been those that target hospitals and health systems. These attacks have not only affected private information but also threatened the lives and well-being of patients.

A major shift

Hospitals rely more than ever on computerized systems to manage their information and systems. With the added complications related to the COVID-19 pandemic, the dangers associated with cyberattacks have only worsened.

“It’s part of a trend we’ve seen building over the last couple years, even before the pandemic,” said Scott Shackelford, chairman of the IU Cybersecurity Risk Management Program. Unfortunately, health-care providers are very much in the crosshairs. Not only do they often have insurance and deep pockets, but doctors need access to patient information to perform procedures and provide required services.

Because of this vulnerability and urgency, Shackelford said, “They are more likely to pay up.”

“If you look at the surveys that have been done, about one-in-three health providers have been hit by ransomware attacks just since 2020, and there’s been a 45 percent uptick in that rate since last December,” Shackelford added.

One recent attack, on Johnson Memorial Health in Franklin, Indiana, disabled its computer system. Although the hospital said it could still manage its patient intake, the loss of computer capabilities slowed operations down dramatically.

“We’re used to sending lab orders via computer, sending prescriptions to pharmacies via computer, so we’re going back to a real reliance on paper again,” Johnson Memorial President and CEO David Dunkle said. “We’re using more human runners, people taking lab recs between the ER and the lab.”

Hospitals have been slow to respond

Although there have been major technological advancements in the medical field, not all health systems have provided robust IT teams or thorough safety protocols. One area of note is with new medical devices, which take years to earn FDA approval and can come with outmoded software and operating systems without the latest security mechanisms.

This has given hackers the ability to disable medical imaging devices like MRIs. They can then shut down or interfere with machines. A recent study by McAfee Enterprise’s Advanced Threat Research Team uncovered that an IV pump created by German medical manufacturer B. Braun had a vulnerability that would allow hackers to change medicine doses remotely.

And while traditional phishing attacks require a user to open a corrupted file — a trend that is now on the decline — new attacks can use so-called Zero Click malware, which can infect a system merely through receiving a text or email.

Additionally, sensitive data that health systems possess gives hackers the opportunity to sell this information online — or threaten to — with demands rising into the millions of dollars. After a 2009 U.S. law was passed that required Medicare and Medicaid providers to implement electronic health records, these risks have only accelerated.

Life and death circumstances

Hospitals now see not only the financial risks of cyberattacks but also the threat to their patients’ lives.

In July 2019, Springhill Medical Center faced a massive ransomware attack that disabled its electronic devices. This failure created dire circumstances for one infant, causing doctors to be unable to monitor the child’s condition during delivery. The infant died, and the hospital is being sued by the mother for malpractice—a charge Springhill denies.

Another attack in Düsseldorf, Germany in 2020 saw the death of a 78-year-old woman from an aortic aneurysm. What was supposed to be a routine pick-up turned into a nightmare, when the local hospital’s system was disabled by a ransomware attack, forcing the emergency department to turn away the woman and causing the ambulance to travel much farther. During this time, the patient’s condition worsened, and she eventually died.

How much worse can it get?

By the middle of August of 2021, 38 attacks on health-care providers or systems had interrupted care at approximately 963 U.S. locations. For all of 2020, only 560 sites were affected in 80 separate incidents, according to Brett Callow, a threat analyst at security firm Emsisoft.

With the vast amount of data and equipment at each of these health facilities—as well as the linked networks of many systems—the threat of cyberattacks in health care will only continue to grow unless more action is taken.

Insuretech Connect: Showcasing Innovation

Sean Kevelighan leads Climate Risk and Resilience panel. (Photo/videos by Scott Holeman, Media Relations Director, Triple-I)

By Loretta Worters, Vice President, Media Relations, Triple-I

Insuretech Connect – the world’s largest gathering of insurance leaders and innovators – last week brought together insurance technology stakeholders to network, share insights, and learn about leading-edge technology across all insurance lines.

Conference participants included Pete Miller, president and CEO of The Institutes, who discussed risk mitigation through new technology. 

“Capturing data about the things we do and then allowing us to mitigate risk before we even get to the insurance function, that’s really where I think this industry is going,” he said.

One panel, Climate Risk and Resilience, focused on the importance of Insurtech and innovation to the success and sustainability of the industry. Moderated by Triple-I CEO Sean Kevelighan, the panel included Sean Ringsted, chief digital officer at Chubb; Christie McNeill, associate partner with McKinsey & Company and leader of ESG and Climate Change for the Insurance Practice in North America; Alisa Valderrama, CEO and co-founder of FutureProof Technologies, a venture-backed financial analytics software company specializing in climate risk; and Susan Holliday, Triple-I nonresident scholar and senior advisor to the International Finance Corporation (IFC) and the World Bank, where she focuses on insurance and Insuretech.

“Insurers are no stranger to climate and extreme weather,” Kevelighan said. “They have had a financial stake in it for decades.”

He noted that insured losses caused by natural disasters have grown by nearly 700 percent since the 1980s and four of the five costliest natural disasters in U.S. history have occurred over the past decade.

U.S. insurers paid out $67 billion in 2020 due to natural disasters. The insured losses emerged in part as the result of 13 hurricanes, five of the six largest wildfires in California’s history, and a derecho that caused significant damage in Iowa. 

This year’s Hurricane Ida is expected to cost insurers at least $31 billion and to push Hurricane Andrew out of the top five damaging storms. 2021 has been another record year for wildfires. From January 1 to September 19, 2021, there were 45,118 wildfires, compared with 43,556 in the same period in 2020.

The panelists talked about how insurers have long been aware of climate risk and – to the extent that existing data-gathering and modeling technologies allowed – considered it in risk pricing and reserving. As information storage and processing have vastly improved, the industry has not only gotten better at underwriting and reserving for these risks – it has identified opportunities in areas it once could only view as problems.

Improved modeling, for example, has increased insurers’ comfort with and appetite for writing flood coverage and spurred the development of new products. 

“Insurers are and always will be financial first responders, but there’s a growing realization that risk transfer alone isn’t enough,” Kevelighan said.  “Insurance is one important step toward resilience.  It’s well documented that better-insured communities recover faster from disasters.  But more is required to address increasingly complex global risks.”

Building a Robust Cyber Insurance Market Is Focus of Oct. 13 Panel

Triple-I CEO Sean Kevelighan will join a virtual panel on Wednesday, Oct. 13, at 11 a.m., ET, to brief public policymakers on ways to build a robust cyber risk insurance market.

“To allow businesses to operate safely in an increasingly interconnected world, insurers are working closely with their commercial customers to mitigate cyber risks and to make sure businesses have the right types, and amounts, of cyber insurance,” Kevelighan said.  “However, as we are seeing increasing uncertainty in the extensiveness of cyber risk, it is also essential that we better understand the role government needs to play in particular around law enforcement and international diplomacy.”

As previously noted in The Triple-I Blog, some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for large terrorist acts prior to 9/11. Before those attacks, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act to stabilize the market.

“A balanced public-private partnership that recognizes where insurance can be a helpful financial responder, and how government is an essential preventative tool, will be critical to helping mitigate the ever-increasing cyber risks we are facing in the world,” Kevelighan said.

Presented by Indiana University’s Ostrom Workshop and Cybersecurity Risk Management Program in collaboration with The Institutes Griffith Insurance Education Foundation, the discussion can be viewed free of charge by public policymakers who register online in advance. It is one of three Cybersecurity Policy Bootcamp sessions the two organizations are co-hosting in October as part of Cyber Security Awareness Month.

The one-hour session will focus on Deepening Partnerships Between States, the Federal Government, the Private Sector, and Academia to Build a Robust Cyber Risk Insurance Market.

Along with Kevelighan on the panel will be three other subject matter experts:

  • Elizabeth Kelleher Dwyer, Esq., superintendent of Financial Services for Rhode Island Department of Business Regulation;
  • Scott J. Shackelford, JD, PhD, chair of the Cybersecurity Program at Indiana University, Bloomington; and
  • Douglas Swetnam, section chief for Data Privacy & Identity Theft in the Indiana Attorney General’s Office

Frank Tomasello, executive director for the Institutes Griffith Insurance Education Foundation, will be the panel’s moderator.

Learn More:

  • Article: Cyber Liability Risks
  • Video: Seven Cybersecurity Tips to Safeguard Your Business
  • Triple-I Blog: Cyber Insurance’s “Perfect Storm”
  • Triple-I Blog: “Silent” Echoes Of 9/11 in Today’s Management of Cyber Risks
  • Triple-I Blog: Brokers, Policyholders Need Greater Clarity on Cyber Coverage
  • Triple-I Blog: Cyber Risk Gets Real, Demands New Approaches