Existing and Emerging Cyber Risks in the Healthcare Sector

By: Bill Bower, Kirsten Mickelson

May 01, 2024 — The healthcare industry is facing unprecedented challenges, not only as a result of COVID-19 but also from its existing and emerging cyber risks. The industry has historically been targeted by cybercriminals due to its vast collection of valuable medical data. However, the risks for the industry have grown even more acute recently, as COVID-19 forced more of the workforce to a remote work environment and increased the use of telehealth to provide care to patients and allow for the interconnectivity of the healthcare ecosystem. The risks have also grown due to the increased reliance on outside vendors and suppliers and a consolidation of those outside vendors and suppliers. All of this has resulted in an expanded attack surface for cybercriminals to exploit.

According to data reported by the U.S. Department of Health and Human Services (HHS), 2023 was an unprecedented year for healthcare data breaches. Between January 1, 2023, and October 31, 2023, more than 82.6 million healthcare records were exposed or impermissibly disclosed, compared to 45 million records in 2021 and 51.9 million records in 2022. As of November 17, 2023, more than 100 million records have been breached. (Alder, October 2023 Healthcare Data Breach Report 2023) In light of the Change Healthcare ransomware attack happening at the time of this article, the industry is waiting to see what 2024 will bring in terms of compromised records.

Ransomware, hacking, vulnerability exploits, and phishing attacks against organizations and their third-party vendors continued to rank among the top causes of data breaches in the industry. Not only are the costs of a data breach substantially higher for the healthcare industry as compared to other industries but the industry is also facing significant enforcement activity and class action lawsuits. The healthcare industry's ability to manage these exposures through cyber insurance is also becoming more costly and difficult, which is driven by greater scrutiny being placed on organizations' cybersecurity controls during the underwriting process.

The Ransomware Threat

One of the main drivers for the increase in data breaches in the healthcare sector over the past year is the growing threat of ransomware. According to the Health Insurance Portability and Accountability Act (HIPAA) Journal, 2023 was a significant year for ransomware attacks across the board. An analysis by the cybersecurity firm Emsisoft found that "46 hospital systems suffered ransomware attacks in 2023, up from 25 in 2022 and 27 in 2021. (Emisoft 2024) Across those 46 attacks, at least 141 hospitals were directly affected and experienced disruption due to the lack of access to IT systems and patient data." (Alder, At Least 141 Were Hospitals Directly Affected by Ransomware Attacks in 2023 2024) With the Change Healthcare ransomware attack, 2024 is shaping up to be another significant year for large-scale ransomware attacks.

As noted above, a key driver for this increase was the expansion of the attack surface, whether through remote working or increased use of vendors and suppliers. Cybercriminals exploited new vulnerabilities created by this transition to launch email phishing attacks, which are a top vector for ransomware attacks. (Coveware n.d.) Ransomware attacks are enormously disruptive to organizations from an operational, legal, financial, and patient care perspective.

The largest attack thus far in 2024 is the Change Healthcare incident. Change Healthcare, a unit of Optum and a subsidiary of UnitedHealth Group, provides a wide range of critical IT applications to healthcare sector organizations, from claims processing and pharmacy benefits to eligibility checks and prior authorization. The company says its technology is used to process 15 billion healthcare transactions annually, and its clinical connectivity solutions touch 1 in 3 patient records in the U.S. (McGee 2024) Millions of Americans use Change Healthcare's platform, either directly or indirectly, because it serves as a backend service provider for various healthcare insurance providers in the U.S.

On February 21, 2024, Change Healthcare publicly disclosed that it was hit with a ransomware attack by the BlackCat/ALPHV ransomware gang. The impact has been devastating for the healthcare industry and the hundreds of millions of Americans who rely on services powered by victimized providers. Physicians and hospitals have been impacted in their ability to bill, manage, and issue prescriptions and healthcare procedures. Pharmacies are unable to properly fill prescriptions, and many providers and individuals are experiencing financing hardships.

While it is unclear how many patient records may have been compromised, the ransomware gang claims it has stolen six terabytes worth of data, including medical records, patient Social Security numbers, and information on active military personnel. The American Hospital Association has called it "the most significant cyberattack on the U.S. healthcare system in American history." (Pollack 2024)

Before Change Healthcare, one of the most significant attacks of 2023 was the attack on Ardent Health Services (Ardent), which oversees 30 hospitals across the U.S. One report noted that Ardent's hospitals in three states had to divert patients from their emergency rooms as a result of the ransomware attack. Ardent had to shut down a significant number of its computerized services, "including clinical programs and its use of Epic Systems, a program that tracks patients' healthcare records." (Collier 2023) Patient care can also be impacted at the nearby facilities accepting the diverted patients. A research paper published in May 2023 concluded that nearby hospitals that need to deal with the additional patients may experience "resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of healthcare delivery at non-targeted hospitals within a community and should be considered a regional disaster." (Dameff, et al. 2023)

Another attack on Postmeds, Inc., a company that does business as Truepill and fulfills mail-order prescriptions for pharmacies, resulted in a massive data breach that affected over 2.3 million individuals. As is common, a breach of this magnitude will almost certainly result in a slew of class action lawsuits, some of which have already been filed. The cost of this ransomware attack is yet to be determined, but it could cost Postmeds in the tens of millions of dollars. (Page 2023)

Cybercriminals are continuing to evolve their ransomware attacks to maximize payouts. Most notable in 2023 was the exploitation by the CL0P ransomware group of Progress Software's MOVEit Transfer product. In the attack, the cybercriminals exploited a bug in the product, which is used by thousands of organizations, including healthcare organizations, to transfer sensitive files. More than 2,300 organizations are known to have been affected, with more than 60 million records stolen. (Alder, October 2023 Healthcare Data Breach Report 2023)The MOVEit attack demonstrates the devastating downstream effects when cybercriminals target a commonly used product.

What Happens Immediately Following a Ransomware Incident?

One of the first questions that must be addressed following a ransomware incident is whether or not the organization should pay the ransom. This requires thoughtful consideration of a number of factors. For example, a question to consider is whether the organization has viable backups from which to restore its data if it does not pay the ransom. Even if it does have viable backups, it could still take weeks or longer to fully restore an organization's data. Under such circumstances, paying a ransom might be the most expedient solution.

Another consideration is whether the criminal organization behind the incident has a history of living up to its promises. It is also critical to know whether the cybercriminals may have exfiltrated data off the victim's network and are threatening to publish it if payment is not made, which is increasingly the case.

Most recently, cybercriminals have been using the double extortion method of demanding ransom for both the decryption and deletion of exfiltrated data. If an organization does decide to make a ransom payment, before the payment is made, it must confirm that the threat actor is not a sanctioned group under the U.S. Department of the Treasury's Office of Foreign Assets Control or it risks potential sanctions.

Cybersecurity vendors who specialize in negotiating and responding to ransomware incidents can provide critical assistance to organizations when dealing with a ransomware incident. One of the many benefits of cyber insurance is having immediate access to the cyber insurance carrier's panel of experienced and vetted cybersecurity vendors, including breach counsel, forensics, and ransom negotiators. These vendors can help organizations assess and effectively respond to ransomware incidents. The breach counsel is instrumental in protecting the attorney-client privilege of the investigation and advising on the regulatory and consumer notification requirements and the timing of such requirements. Counsel will also work with victims to notify law enforcement, such as the FBI's Internet Crime Complaint Center, since reporting such incidents provides law enforcement with a greater understanding of the threat.

Other Cyber Risks Affecting Healthcare Organizations

Aside from ransomware incidents, there are numerous other types of cyber threats that healthcare organizations need to manage and avoid. While this article will not detail all of the cyber threats impacting the healthcare sector, we focus on several of the most significant risks below.

Third-Party Vendors and Supply-Chain Attacks

According to the HIPAA Journal, cyberattacks on vendors and business associates of healthcare organizations have "increased to the point where attacks on business associates now outnumber attacks on healthcare providers." (Alder, Healthcare Organizations Most Common Victims in 3rd Party Data Breaches 2023) In 2023, Black Kite, a vendor risk management company, analyzed 63 third-party breaches that affected at least 298 companies and reported a doubling of the impact and destruction caused by those breaches. In 2021, an average of 2.46 companies were affected by each third-party breach, with the number of affected companies increasing to an average of 4.73 per breach in 2022. (Alder, Healthcare Organizations Most Common Victims in 3rd Party Data Breaches 2023)

In addition to the Change Healthcare ransomware attack, the MOVEit incident in 2023 also highlighted the risks to the healthcare industry in relation to third-party vendors. MOVEit, a popular managed file transfer tool owned by Progress Software, contained a vulnerability that was exploited by the CL0P ransomware gang for monetary gain, impacting thousands of companies and approximately 77 million people globally. (Kaur 2023) CL0P threatened to identify these victim companies and publish stolen data if a ransom was not paid. Several healthcare organizations were affected, and sensitive data was exposed, including patient medical histories and personal information.

Progress Software is now facing regulatory investigations as well as more than 20 lawsuits for negligence, breach of contract, and invasion of privacy. Several healthcare organizations are also now being named in class action lawsuits arising out of the MOVEit incident, and more lawsuits are expected to be filed in 2024.

Hacking Incidents

Hacking is the largest root cause of data breaches in the healthcare industry. In 2023, hacking was responsible for about 77.5% of all reported breaches and 99.13% of all breached records. (Alder, October 2023 Healthcare Data Breach Report 2023) The average data breach size for these hacking incidents was 114,152 records, and the median data breach size was 4,049 records. (Alder, October 2023 Healthcare Data Breach Report 2023) Hacking incidents can often be traced to leaked credentials. One reason the costs of a data breach are higher for the healthcare industry than other industries is that the average time to identify and contain a data breach in the healthcare industry is longer than in other industries. In general, the length of the hacking incident is correlated to the cost of the incident.

Phishing

Hackers are also continuing to rely on email phishing as a key strategy to target victims in healthcare organizations. Phishing emails are frequently used to spoof a trusted sender and trick unsuspecting victims into inputting their credentials onto a fake log-in page. In addition, phishing campaigns frequently deliver malware, including ransomware. Other malware variants can allow hackers to steal data, capture keystrokes, take screenshots, and launch malicious code. One of the largest phishing attacks for the healthcare industry in 2023 involved AllCare Plus Pharmacy. In that attack, nearly 6,000 individuals potentially had their protected health information (PHI) exposed due to an email phishing attack that led to unauthorized access to specific email accounts of several AllCare Plus Pharmacy employees. (Rodriguez 2023)

Insider Threats

While high-profile data breaches by cybercriminals generally capture news headlines, a significant percentage of breaches are the result of basic employee negligence, including unauthorized access or disclosure incidents. This includes employees bringing PHI home or sending PHI to a personal account or device, viewing data without the proper authorization, and making email errors, such as sending PHI to incorrect recipients. However, healthcare organizations have made significant strides in tightening their administrative, physical, and technical controls, leading to a decrease in these types of incidents.

Artificial Intelligence

Many healthcare organizations are adopting artificial intelligence (AI) to assist medical professionals and staff, provide 24/7 patient services, deliver quicker diagnoses and treatment, reduce costs, and provide better scalability across all business functions. However, cybercriminals are similarly adopting the use of AI in cyberattacks. Cybercriminals can use AI to easily create new malware, find new zero-day vulnerabilities, and bypass detection. Cybercriminals can also create more sophisticated, original, and targeted phishing attacks and draft phishing emails in multiple languages that appear more credible to the eye. Finally, cybercriminals can use AI to quickly analyze exfiltrated data to locate valuable personally identifiable information (PII) and personal health information to make more credible threats and extort more money. AI models themselves can also be targeted. AI attacks can manipulate AI algorithms to provide incorrect diagnoses or treatment recommendations, potentially endangering patients' lives.

Duty to Notify Patients, Regulators, and Business Partners

Following a cyber incident, including a data breach, organizations may have a legal duty to report the incident, depending on the nature of the incident and/or the type of data that was potentially compromised. Such duty may be based on contractual requirements, state law, or federal law. Healthcare organizations that are considered a "covered entity" under the HIPAA, as well as their business associates, will be required to report certain cyber incidents to the Office of Civil Rights (OCR) pursuant to HIPAA. Under the HIPAA Security Rule, a ransomware attack is considered a "security incident." Once the ransomware is detected, the covered entity or business associate must initiate its security incident, response, and reporting procedures. For those organizations governed by the Securities and Exchange Commission, a new rule promulgated on December 15, 2023, requires domestic public companies to report material cybersecurity incidents on Form 8-K within four business days of discovery (with limited exceptions).

Organizations may also have a duty under state law to notify affected individuals and/or regulatory authorities of a breach of PII and PHI. Organizations must comply with the notification laws of the states in which the affected individuals reside, which may have different definitions of what constitutes PII, as well as different notification requirements. Organizations may also have contractual obligations to notify certain business partners in the event of a data breach. The decision of whether to notify, who to notify, and how to notify often requires complex legal analysis. Therefore, it is strongly recommended that organizations consult with legal counsel prior to sending out any notifications. Notifying improperly could have negative consequences for an organization, including an increased likelihood of class actions, regulatory actions, and regulatory fines. Furthermore, consulting with a legal counsel experienced in handling data breach matters can help organizations better respond to the numerous inquiries they are likely to receive following the breach notification. Finally, having the proper incident response plan in place, which includes breach counsel and other incident response vendors, can help the affected organization become more resilient.

Post-Breach Regulatory Investigations and Class Action Litigation

The completion of an investigation and notification of a breach, unfortunately, does not necessarily signify the end of a cyber incident. In many cases, it merely marks the beginning of class action lawsuits and regulatory proceedings against the organization, both of which can result in multimillion-dollar settlements.

The U.S. Department of HHS' OCR has the responsibility to enforce the Privacy and Security Rules of the HIPAA, the standards for the protection of certain PHI through voluntary compliance activities, and the imposition of civil monetary penalties. In 2023, the OCR engaged in significant enforcement activity against healthcare organizations. One major development was the OCR's recent settlement with Blackbaud, a company that provides donor relationship management software. Blackbaud agreed to a $49.5 million settlement and substantial corrective action to settle potential violations of the HIPAA Privacy and Security Rules relating to a 2020 data breach that exposed the PHI of nearly 5.5 million individuals. The OCR also entered into a $1.4 million settlement with Inmediata over HIPAA Privacy and Security Rules violations stemming from a 2019 data breach that impacted over 1.5 million individuals' PHI. In light of the Change Healthcare ransomware attack affecting countless organizations and individuals, 2024 will also be a year of significant enforcement activity.

The OCR's enforcement activity is also likely to ramp up in light of the HHS' concept paper published in December 2023 that outlines cybersecurity strategy for the healthcare sector. (U.S. Department of Health and Human Services 2023) The strategy advises that HHS will establish voluntary Cybersecurity Performance Goals to help healthcare institutions plan and prioritize the implementation of high-impact cybersecurity practices. In addition, the strategy indicates that HHS will implement plans to support greater enforcement and accountability. Such strategies include requesting that Congress expand its enforcement authority and increasing civil monetary penalties. This concept paper was recently published and will be closely followed by the healthcare sector, as the Cybersecurity Performance Goals may very likely become regulatory requirements.

Healthcare organizations also face significant potential exposure from state and federal class action lawsuits following a data breach. Such lawsuits will typically assert common law causes of action, including negligence, breach of contract, fraud, etc., as well as statutory claims. The California Consumer Privacy Act and the Illinois Biometric Information Privacy Act are some statutes that have become a recent focus for plaintiffs' counsel in data breach litigation. Finally, many healthcare organizations are facing legal scrutiny over alleged improper gathering and disclosure of PHI and other sensitive information via a web browser tracker called Meta Pixel and other session reply code programs, which are used to share and analyze data.

The sharp increase in security incidents impacting healthcare organizations in 2023 coupled with the litigation that will result from the Change Healthcare ransomware mega-attack means that a proportionate increase in data breach litigation is expected in 2024.

Cyber Insurance Coverage for Healthcare Organizations

Cyber liability insurance policies provide first- and third-party protection to businesses in the event that sensitive information is compromised. They cover the first-party costs (expenses that an organization incurs directly due to a cyber incident), such as the cost to investigate and respond to a breach. They also provide first-party coverage for other types of loss resulting from a cyber incident, such as business interruption loss, data recovery costs, reputational harm, and extortion demands. Furthermore, a cyber insurance policy provides access to the carrier's panel of experienced and vetted cybersecurity providers who can quickly assist policyholders with investigating and responding to a data security incident.

Cyber insurance policies further provide liability coverage to policyholders for third-party lawsuits or regulatory proceedings against policyholders that arise out of a cyber incident. Third-party liability coverage helps pay for damages (settlements and judgments) the policyholder is legally obligated to pay and claim expenses (attorney's fees and court costs) to defend the policyholder against the claims.

Finally, many cyber insurance policies now also include limited eCrime coverage. This may include certain coverages typically found under a crime policy, such as social engineering, funds transfer fraud, and invoice manipulation coverage. It is evident that the costs of a cyber incident can be devastating to a business. Research has shown that healthcare has the most expensive data breach costs on average, at $11 million per incident in 2023, signifying a $1 million increase from the previous year's report and a 53% increase since 2020. (McKeon 2023)

Cyber insurance is the most effective mechanism available for businesses to cover financial losses due to a cyber incident. However, with an uptick in the severity of losses and a lack of historical data for pricing, cyber insurance carriers have started making significant changes in their underwriting practices to manage their increased exposure. Such changes include pursuing rate increases of up to 50% per year, doubling and tripling deductibles and retentions, reducing policy limits, using sublimits or coinsurance to manage ransomware exposure, and narrowing and tightening coverage wordings. Carriers are also becoming increasingly disciplined in the risk selection process, requiring a greater amount of data from applicants and scrutinizing applicants' data protection controls and compliance with regulatory requirements. Supplemental applications that address ransomware risks specifically are also becoming more common. Carriers are increasingly relying on security scans and attack surface monitoring to gain a better understanding of the organization's cybersecurity vulnerabilities. Some carriers also have nonrenewed policies, where the organization cannot show that multifactor authentication has been implemented across the organization.

Conclusion

Healthcare organizations face growing and evolving cyber risks that threaten not only their bottom line and reputation but also critical services and patients' health and safety. There is no indication that these risks will abate at any time in the foreseeable future. Just as the best defense is a good offense, healthcare organizations should invest in cybersecurity, such as endpoint monitoring and detection and segregated and segmented offline encrypted backups, to reduce the average time to identify and respond to a breach and the potential cost of a breach. Employee training, particularly in relation to avoiding phishing emails, can be very effective in reducing the risk of a ransomware attack and protecting PHI. Moreover, the forthcoming cybersecurity framework outlined in the December 2023 HHS concept paper will help inform the healthcare sector on where to focus organizational efforts and resources for high-impact results. Finally, cyber insurance, though it may be more costly and difficult to acquire than in previous years, is still an effective mechanism to manage an organization's cyber risk exposure and help an organization respond more quickly and effectively to a data breach.