Our healthcare systems are at risk of infiltration by threat actors, potentially disrupting services, compromising sensitive data, and even jeopardizing patient outcomes. Among the people addressing these challenges is Dennis Fridrich, VP of Cybersecurity at TRIMEDX, who not only understands these risks but also guides strategic responses to them.
In this Help Net Security interview, Fridrich delves into the hidden costs of cyberattacks on health systems, the role of insurers in promoting cybersecurity preparedness, and how organizations can better manage their cyber risk.
Since not all cyber breaches are reported, how can insurers obtain a more comprehensive understanding of the total cost and impact of cyberattacks?
Direct financial impacts of cyberattacks, whether they are ransom payments, lawsuits, fines, or fees for third-party service providers like ransom negotiators, are definitely a major factor in shaping cyber insurance. Yet they don’t always give the full picture. Finding additional ways to measure how a breach affects day-to-day operations within an organization can reveal a lot of hidden costs and help insurers understand what they need to prepare for in a shifting security landscape.
For health systems, the ideal metric would be the impact on patient outcomes. However, accurately assessing how patient health would be different had a cyberattack not occurred is extremely difficult. Insurers, just like health systems themselves, need the full context of clinical operations to see the true impact.
How can we overcome the lack of historical data in cyberattack cases? Are there alternative data sources that insurers could leverage for underwriting these policies?
While it is often difficult to quantify the comprehensive impact of cyberattacks, there are several metrics that can provide more context. Insurers and health systems can look at downtime of IT resources and equipment, how long it takes to respond to attacks, and how long it takes to resolve the breach. These data points are helpful in determining revenue disruption and financial damages. It’s also key for insurers to understand how health systems are striving to prevent breaches across their technology portfolio.
This is a more reliable way to understand overall risk, instead of simply looking at breaches after they happen. Health systems and insurers should first know the sheer number of possible vulnerabilities across a variety of technologies. Insurers should also ask if health systems have access to a database of vulnerabilities. It should be asked whether the health system has a process in place to accurately match vulnerabilities to their IT and medical device inventory.
Next, it’s vital for health systems to identify the risk levels associated with their technology in the event of a breach, in terms of patient safety. For example, if an infusion pump fails because of a cyberattack, there is a potentially dangerous—even deadly—direct consequence for the patient. On the other hand, while heart monitors are crucial for monitoring the health of a patient, they are not life-sustaining on their own. A compromised heart monitor is not likely to harm the patient directly, but there could still be serious and life-threatening ramifications.
An Alabama hospital faced a lawsuit alleging it did not properly disclose that its computer systems had been crippled by a cyberattack, which resulted in a baby’s death. The lawsuit claimed a doctor could not properly monitor the baby during delivery because electronic devices had failed. This tragedy illustrates why it is so crucial to understand the risk level associated with each piece of connected equipment.
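The two steps described in this answer, matching a vulnerability feed against the device inventory and then weighting each match by the patient-safety tier of the affected device, can be shown in working code. The following is an added example, not code from TRIMEDX or the interviewee. The advisory feed, the inventory, the vendor and product names and the safety weights are all constructed for illustration; the advisory format (an affected version range with an optional first fixed version) is a simplification of what real feeds publish.

```python
"""Match a vulnerability feed against a medical-device inventory and rank
findings by patient-safety impact.

Added illustration, not code from TRIMEDX or the interviewee. The advisory
feed, the inventory and the safety weights below are constructed sample data;
the vendor, product and device names are placeholders, not real products.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vuln_id: str          # placeholder identifier, not a real CVE
    vendor: str
    product: str
    min_version: str      # first affected version (inclusive)
    fixed_version: str    # first fixed version (exclusive); "" = no fix yet
    severity: float       # 0.0 - 10.0, CVSS-style base score


@dataclass(frozen=True)
class Device:
    asset_tag: str
    vendor: str
    product: str
    version: str
    safety_tier: str      # life_sustaining | monitoring | administrative


# Weighting assumed for this example: a compromised life-sustaining device
# (an infusion pump) carries direct patient risk; a monitoring device carries
# indirect risk; administrative systems carry the least.
SAFETY_WEIGHT = {"life_sustaining": 3.0, "monitoring": 2.0, "administrative": 1.0}


def parse_version(v: str) -> tuple:
    """Split a dotted version into integers so 2.10 sorts after 2.9
    (plain string comparison would put 2.10 before 2.9). Trailing zeros
    are dropped so "3" and "3.0" compare equal."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(device: Device, adv: Advisory) -> bool:
    """True if the device runs an affected build of the advisory's product."""
    same_product = (device.vendor.lower(), device.product.lower()) == \
                   (adv.vendor.lower(), adv.product.lower())
    if not same_product:
        return False
    ver = parse_version(device.version)
    if ver < parse_version(adv.min_version):
        return False
    if adv.fixed_version and ver >= parse_version(adv.fixed_version):
        return False          # already on or past the fixed build
    return True


def prioritize(inventory, advisories):
    """Return (priority, asset_tag, vuln_id) tuples, highest priority first.
    Priority = advisory severity x patient-safety weight of the device."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            if is_affected(dev, adv):
                score = round(adv.severity * SAFETY_WEIGHT[dev.safety_tier], 1)
                findings.append((score, dev.asset_tag, adv.vuln_id))
    findings.sort(key=lambda f: (-f[0], f[1], f[2]))
    return findings


# Constructed sample feed and inventory (placeholders, not real products).
ADVISORIES = [
    Advisory("ADV-0001", "ExamplePumps", "InfuseMax", "2.0", "2.10", 7.5),
    Advisory("ADV-0002", "ExampleMon", "CardioView", "1.0", "", 9.8),   # no fix yet
    Advisory("ADV-0003", "ExampleMon", "CardioView", "3.0", "3.2", 5.0),
]

INVENTORY = [
    Device("PUMP-01", "ExamplePumps", "InfuseMax", "2.9", "life_sustaining"),   # affected
    Device("PUMP-02", "ExamplePumps", "InfuseMax", "2.10", "life_sustaining"),  # fixed build
    Device("MON-01", "ExampleMon", "CardioView", "3.1", "monitoring"),          # two advisories
    Device("WS-01", "ExampleMon", "CardioView", "4.0", "administrative"),       # review workstation
]

if __name__ == "__main__":
    for score, tag, vid in prioritize(INVENTORY, ADVISORIES):
        print(f"{score:5.1f}  {tag:8}  {vid}")
```

The point of the ranking is the one the answer makes: the infusion pump lands on top even though its advisory has a lower base score than the monitor's, because a failure of a life-sustaining device harms the patient directly, while the same unfixed advisory on an administrative workstation ranks last. The version parser matters in practice because a lexical comparison would wrongly treat the patched pump (2.10) as older than the vulnerable one (2.9).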
Given the increasing frequency and complexity of cyberattacks, how can insurers maintain their appetite for risk in the cyber insurance space?
Insurers should take an active role in creating a more educated, and therefore more insurable, market. Better informed health systems with strong cybersecurity governance will pose a lower risk to insurers, creating greater opportunity for a more sustainable insurance market.
Can you discuss strategies to bridge the awareness gap within organizations about their cyber readiness and the available insurance coverage options?
Insurers should educate health systems on the best practices that will increase insurability and align resources to the key requirements in the underwriting process. This is mutually beneficial to the insurer and the health system. If health systems have an increased awareness of their cyber vulnerabilities and risk, they can put better preventative strategies in place, protecting themselves from cyberattacks while also making themselves more insurable. Insurers can raise awareness about the need to break down silos between healthcare technology management (HTM) and IT teams.
Clinical technology is becoming increasingly digitized and network-connected, so all the teams and associates managing that technology should have a strong understanding of their organization’s cybersecurity risk posture. It is no longer sustainable for health systems to rely solely on IT teams to handle cybersecurity. Insurers could provide resources that equip all health system associates to be more vigilant of cybersecurity risks, not just technology and executive teams.
In your view, how should geographical coverage be defined in the context of cyberattacks that can be perpetrated from anywhere in the world?
The way we connect to and use the internet in the U.S. is highly decentralized, which makes geography less relevant as networked technology becomes more ubiquitous in every aspect of our lives, including health care. Cyberattacks originate all over the globe and reach across international borders. Because cybercriminals ignore geographical boundaries, our response must go beyond them too. For cyber insurance coverage to be effective, it must reflect the international online space in which we operate.
What is the optimal balance between investing in preventative measures and purchasing cyber insurance? Can these strategies coexist, or must organizations choose one over the other?
Sustainable insurance cannot exist without preventative measures. On average, health systems in the United States face 1,410 attempted breaches per week. Attempted cyberattacks are occurring so frequently that there is hardly an organization that would not be overwhelmed and irreparably damaged without cybersecurity measures in place. Especially in the case of health systems, where reliable operations can be a matter of life and death, the damage of cyberattacks goes well beyond financial losses. Cyber insurance is an important component in shoring up an organization’s cybersecurity strategy, but it should also be the last line of defense.
Health systems should equip their people, processes, and technology to prevent breaches from happening in the first place. This includes training associates on methods of attack like social engineering, standardizing measures like two-factor authentication to secure access to networks and devices, and deploying technologies that can help recognize potential threats faster. In addition to these tactics, maintaining coverage remains an important component for mitigating damage if a breach were to occur.