We talk a lot about medical malpractice claims – but what about the unseen risks posed by cyber criminals?
The threat of cyberattacks has been on the rise in recent years, spurred on by the Covid-19 pandemic and a growing sophistication among cyber criminals. According to a recent report, cyber-related losses in the UK totalled over £3 billion across 2021 and 2022, and in the same period more than 80% of UK organisations suffered a successful cyberattack.[1]
While all sectors are reacting to the threat of these attacks, healthcare faces a unique set of challenges which could cause major disruption if left unchecked. Cyberattacks in this space go beyond financial, reputational, and data privacy losses, with risks such as loss of patient data posing an actual threat to lives.
As a consultant, you will know just how valuable patient information is – arguably, it’s the most personal and sensitive information of all. With all this information potentially accessible, healthcare consultants become the ideal target for a range of cyber-threats including phishing attacks (fraudulent phone calls, emails or text messages), malware or ransomware, and cloud threats.
There’s a lot at stake with cyberattacks, so it’s no wonder the healthcare sector is becoming a key target for ransomware attacks. According to a recent survey, in the last year alone there has been a 94% increase in ransomware attacks on healthcare organisations.[2]
The rise of ransomware attacks in healthcare
Malware – or malicious software – is installed on your practice devices by hackers, making the devices unusable whilst also giving the hackers access to sensitive patient information. Ransomware works in a similar way, except the attackers will contact you and request payment to make your computer network functional again and/or prevent any confidential information from being leaked. If unpaid, hackers can still release this information to the public, meaning you could face a large-scale claim for breach of patient confidentiality.
When looking at the effects ransomware has on the healthcare sector, the situation in the US is worrying. Ransomware attacks have led to delayed chemotherapy treatments and ambulances being diverted from a San Diego emergency room after computer systems were frozen. Adding to this already stark picture, in 2021, a lawsuit filed by the mother of a baby who died in Alabama alleged the first “death by ransomware”, blaming a 2019 hack of a hospital for fatal brain damage of the new-born after heart rate monitors failed.
When bringing this back to the UK, the picture isn’t as severe, but still comes with some major risks to consultants. In December 2020, a hospital group was subject to a cybersecurity attack that put sensitive patient data at risk. A prominent ransomware group (known for targeting celebrities and political figures) was able to obtain patient documents, including “intimate photographs”. They provided evidence of the stolen information and threatened to leak it unless the hospital paid a ransom to protect the images.
The hospital informed the affected patients of the leak and reported the breach to the Information Commissioner’s Office. To this date, no sensitive images or information are known to have been leaked.
Cyber risk management – our 3 top tips to prevent cyberattacks affecting you, your practice, and your patients:
Ransomware and malware attacks within the healthcare industry are not uncommon – so how can you prevent these risks?
1) Implement a culture with governance at the core
- Regardless of the origin of cyber exposures, implementing a robust cyber risk management framework is crucial. You should promote a security-first culture throughout your entire practice. Policies should be followed to the letter by all, and employees made aware of all potential threats and how to mitigate them.
2) Invest in specialist training to avoid human error
- Invest in training for yourself and your employees around malware and ransomware, as this will discourage anyone from clicking harmful links or downloading something accidentally.
- Training around phishing will help employees to discern suspicious emails or texts, meaning they’re less likely to be drawn in by them. Plus, employees should be educated about the risks of human error so that no sensitive information or documents are ever left lying around, computers are locked when left unattended, and employees are always sure of who they’re speaking to on the phone.
3) Ensure strong security protocols are in place
- Make sure to update your computers and systems regularly, as these updates often contain improvements to security systems which can prevent malware, ransomware, and cloud-based threats.
- All computers should have strong passwords which differ for each account or programme, as this prevents hackers from accessing a mass of information from multiple sources. You can easily track passwords using a secure password tracker – don’t write them down on paper or leave them in an unlocked document.
- Limit your file sharing wherever possible to prevent files from becoming corrupted, and download robust antivirus and firewall software onto all your computers to spot the signs of an attack early.
Cyber protection through your medical indemnity insurance
You must take these risks as seriously as you would a medical malpractice claim – luckily, you can protect yourself through your medical indemnity insurance.
At Practition, we offer cover for data breaches, whether actual or suspected. Importantly, this cover extends to the event that you are the source of a cyberattack which could disrupt services within a hospital; if the hospital or clinic pursues you for any associated losses, our product will protect you and our helpful advice line will offer you peace of mind.
If you would like to know more about how to protect yourself against cybersecurity threats through your medical indemnity insurance, please get in touch with:
Charlotte Bark
Vice President – Healthcare
M: +44 (0)7741 232 107
E: charlotte.bark@lockton.com
[1] https://www.comparitech.com/blog/information-security/uk-cyber-security-statistics/
[2] https://www.sophos.com/en-us/press-office/press-releases/2022/06/ransomware-attacks-on-healthcare-organizations-increased-94-percent-in-2021