Cyber Loss

Cyber-related losses are a growing area of risk for healthcare organizations. Healthcare organizations and practitioners are often easy targets for cyber-attacks and can suffer major data breaches, service interruptions, and financial losses. Canadian healthcare organizations, not only have a duty to protect the patient information that is entrusted with them, but also have to protect the systems and technology that help provide patient care and fulfill expectations. Most cyber-related losses result from malware, ransomware, or Trojan attacks designed to damage, disrupt, or steal information. Healthcare organizations are also subjected to phishing attacks that are designed to steal credentials, process financial transactions, or deliver malicious virus attacks.

Healthcare organizations and practitioners insured by HIROC are encouraged to promptly notify HIROC to ensure expert assistance, financial support, and guidance around disclosure requirements by contacting Marnie MacPhee, Director of Claims at mmacphee@hiroc.com or HIROC’s Claims Department at newclaims@hiroc.com.

Common Claim Themes

  • Phishing attacks resulting in stolen credentials, misdirected funds, and virus attacks from malicious attachments or links.
  • Ransomware attacks resulting in loss of access to information systems.
  • Cross-site scripting attacks that inject malicious code on hospital websites with the intention of compromising the websites’ visitors.
  • Website hack resulting in breach of past customers’ information.
  • Delayed notification to insurer or police.
  • Hackers exploiting vulnerabilities present in unpatched systems.
  • Use of unsupported or unlicensed tools and applications with security vulnerabilities.
  • Inadequate data backup strategy resulting in an inability to restore data.
  • Lack of consistent server and operating system security patching and upgrading practices.

Case Study 1

An employee of a hospital with outdated information technology infrastructure clicked on a malicious link from an email and malware was downloaded onto the hospital’s server. This malware encrypted all information and displayed a message demanding a ransom payment. The hospital IT staff were unable to successfully eradicate the malware or restore the systems from backups. As a result of this, email systems and electronic health records systems were not available. The employees had to resort to paper charts to transcribe patient information. The hospital decided not to pay the ransom and engaged a forensic investigation firm to locate the malware, contain, eradicate and restore the systems. Overall, the hospital sustained losses related to forensic investigation, legal consulting fees, operational interruption, equipment replacements, and costs associated with replacing lost or corrupted data.

Case Study 2

An employee of a long-term care facility’s finance department received an email disguised to look like it was from the organization’s chief executive officer. The email requested the employee to process a series of payments. The employee gave instructions and the authorization to make the payments to Accounts Payable resulting in five electronic fund transfers over $300,000. The bank alerted the facility of the suspicious transactions. The investigation revealed that the facility was a victim of a “CEO fraud” scam. Typical of other phishing scams, the email impersonated a high ranking individual who had the authority to make such requests. Expert review noted the finance department failed to follow their internal processes, including processing requests for payment without an invoice. The bank was able to recover partial payment and the authorities were reported of this scam. In line with the organization’s cyber loss and progressive disciplinary protocols, the department lead and the involved employees, were disciplined for their roles in the breach.

Mitigation Strategies

Reliable Prevention Strategies

  • Adopt standardized and enterprise-wide cyber security policy that includes (but is not limited to):
    • Roles and responsibilities of all employees, independent practitioners, volunteers, students, agents, partners, suppliers, and vendors;
    • A defined and common taxonomy for cyber-security risk;
    • Links and cross references to relevant risk management policies;
    • A targeted cyber security implementation plan (e.g., initiatives and timelines).
  • Implement a robust vulnerability and patch management process to address defects and security vulnerabilities in a timely manner. For organizations with limited IT resources, automate patching and upgrading of operating systems, applications, and software where possible, and manually managing the updates to the other devices.
  • Implement a formal and comprehensive information technology asset management (ITAM) process to manage the lifecycle and inventory of the organization’s technology assets. Ensure the ITMA includes current best practices related to (but not limited to) securing all active and inactive devices appropriately, including decommissioning of assets that past their end of life (i.e., systems no longer supported or receive security patch updates).
  • Customize and judiciously configure antivirus, antispam, and antimalware solutions to protect against threats posed by malware or phishing attack. Consider implementing the next generation endpoint protection with capabilities such as URL click protection via analytics, sandboxing, e-mail encryption, network behaviour monitoring, application and process behaviour analysis, automated malware removal, compromised asset identification, etc.
  • Adopt a standardized and strong identity and access management process that supports an effective administration of user accounts (e.g., granting, revoking, and managing user access to systems, processes, and network drives). At a minimum, ensure system and network administrators have two accounts: one to perform day-to-day activities and browse the internet, and a separate administrative account with access only to systems required to perform administration functions that include (but is not limited to):
    • Follows the ‘least privilege’ principle when providing administrative access to users’
    • Regular reviews and approvals of privileged accounts;
    • Ensure all security controls that have access to the organization’s information systems satisfy the healthcare industry’s privacy and security requirements. Where applicable, require vendors to provide industryrecognized information security certifications (e.g., ISO 27001, SOC 2, SOC 3).

Education

  • Implement formal strategies to ensure:
    • Employees, independent practitioners, volunteers, students, partners, third parties and vendors that work with the organization’s information systems participate in mandatory cyber security awareness education, that includes (but is not limited) to the need to verify all unusual funds and payment requests with two or more people before processing;
    • Educational opportunities and information (e.g., Canadian Centre for Cyber Security alerts & advisories) sharing to support and enhance the ongoing knowledge, skills, and experience of employees and consultants responsible for information security and cyber security.

Cyber Incident Response Plan and Protocol

  • Develop a standardized current evidence based cyber incident response plan/protocol that includes the specific steps/procedures necessary to immediately contain and control the cyberattack upon discovery including (but not limited to):
    • The immediate and coordinated response;
    • Clearly defined role and responsibility;
    • Data backup and recovery strategy;
    • Continuous internal reporting and communication;
    • Continuous external reporting and communication (including but not limited to the organization’s insurer);
    • The need to follow the organization’s privacy breach protocol where indicated;
    • Steps required for contacting security subject matter experts.

Monitoring and Measuring

  • Implement formal strategies to monitor and measure the effectiveness and efficiency of, and organization-wide adherence to cyber risk and response protocols including:
    • Conducting regular penetration tests of the network boundary to identify security control gaps;
    • Conducting regular cyber-attacks and recovery in situ simulations and/or table top exercises;
    • Centrally storing and analyzing all security event/cyber loss information for trends and correlations;
    • Undertaking penetration tests and vulnerability scans proactively to identify weaknesses and prioritized and begin remediation activities (according to the severity of the vulnerability).

References

  • HIROC claims files.
  • BLG, Cybersecurity Guidance for Small and Medium Organizations. (2019). Cybersecurity Guidance for Small and Medium Organizations.
  • Canadian Centre for Cyber Security. (2019). Baseline Cyber Security Controls for Small and Medium Organizations.
  • Healthcare & Public Health Sector Coordinating Councils, U.S. Department of Health & Human Services, Public Health Emergency. (2018). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
  • Healthcare & Public Health Sector Coordinating Councils. (2018). Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations.
  • Healthcare & Public Health Sector Coordinating Councils. (2018). Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations.
  • HIROC. (2017). Cyber Risk Management: A guide for Healthcare Administrators and Risk Managers.
  • HIROC. (2018). Key Measures for Preventing and Mitigating cyber Attacks and Ransomware.
  • Nickelson M. (2017. Medical system hacks are scary, but medical device hacks could be even worse, Harvard Business Review