Protecting Your Hospital from Ransomware Part 1: Five Essential Questions for CEOs in 2021

by Mark Stenmark, MHSA, FACMPE

Senior Director, Insurance Services

During 2020, hospitals and health systems across the nation were under siege by cyber criminals and bad actors attacking vital community institutions with malware to gain profit and cause harm. According to Ponemon Institute research, the average total cost of a data breach last year exceeded $3.8 million, with the average U.S. health care cyber breach costing $7.13M. The average paid ransom has skyrocketed to $178K according to Coveware, with some paid ransoms now into the millions of dollars. Health care leaders will continue to face ransomware’s the triple threat of business interruption, extortion and data privacy events in the new year.

Late last year, the Federal Bureau of Investigation and the Department of Health and Human Services issued a nationwide warning to all health care organizations about the imminent danger of ransomware malware known as “Ryuk” that locks up computers and disables critical information technology (IT) systems until a ransom payment is received. Some project the damage related to cybercrime—phishing, ransomware and social engineering tactics—to hit $6 trillion annually by 2021.

With the threats never greater and the stakes never higher, it is essential for hospital and health system chief executive officers (CEO) to start the new year with a conversation with their chief information security officers. Here’s a list of five essential questions you’ll want to discuss.

1. When was the last time we thoroughly reviewed our cyber liability insurance policy and are we sure we have exactly what we need? Consider a stand-alone, cyber liability and breach response insurance policy. It’s an important component of your cyber security strategy and is designed to designed to indemnify or try to make “whole” an organization following an event. Work with your insurance broker to ensure you maintain a comprehensive policy with appropriate coverage for your risks, transparent terms and conditions, and necessary limits for your organization. An insurance carrier that owns a cybersecurity consulting firm has access to the most current information about the size, scope, tools and processes that cyber criminals are using.
2. Have we provided our IT security professionals with the roadmap for cyber security success?  Consider starting with a proven professional cyber security consulting firm to conduct a comprehensive risk assessment of your organization’s IT infrastructure, policies and procedures. You’ll identify your vulnerabilities and gaps, quantify your risk, and identify key data sets to protect. The assessment will provide a clear picture of current and anticipated future vulnerabilities and weakness as well as a robust strategy to address them, giving your IT team a roadmap for success. You can start with a ransomware or e-mail hardening assessment that are relatively inexpensive.
3. Have we adequately funded our cyber security strategy implementation? Implement your detailed, prioritized cyber security plan. Ensure you have secured funding to address your organization’s most critical vulnerabilities. Also ensure you can monitor and protect all end points 24 hours a day, seven days a week. This creates a reliable, swift warning system to help detect and defend your organization against an attack.
4. Is cyber security an active part of our enterprise risk management program? Choose a forward-facing cyber security framework and follow the advice of your experts. Continue to stay up to date and follow cyber threat information from federal agencies such as the Department of Homeland Security, Cybersecurity and Infrastructure Agency, Federal Bureau of Investigation, Department of Health and Human Services, National Security Agency and United States Secret Service. Follow and understand the most current state and federal regulations, such as the HIPPA Security Rule. The National Institute of Standards and Technology provides the latest cybersecurity best practice frameworks and guidelines.
5. How can we collaborate to keep our Board of Directors up to date and share key priorities? Every person in your organization has a role to play. It is important to ensure your board is update to date on your cybersecurity strategy. Discuss options for keeping the board up to date and key information they will need to know.

As you move into 2021, there is no doubt that our nation’s health care system will continue to experience targeted cybersecurity attacks. Cyber criminals’ prey on our human instincts and very often enter our organizations through human error. Every single person must be vigilant, and aware and know how to respond to common threats. It’s never been more critical to ensure your organization has the plans and needed resources to prevent those attacks and to respond effectively to those that happen.

If you need help in this area, let me know how Vizient can support you in your efforts. Vizient Insurance Services has business relationships with cyber liability and breach response experts. Whether you are evaluating a broker, insurance carrier or a trusted cyber security consulting firm, Vizient has resources and information to help.