by Mark Stenmark, MHSA, FACMPE
Senior Director, Insurance Services

During 2021, hospitals and health care organizations of all types and sizes will continue to face significant ransomware attacks that hit record highs last year. One estimate placed the average total cost of a data breaches during 2020 at $3.86 million, with health care having the highest average cost at $7.13 million. In my last blog, I shared five essential questions for hospital and health system chief executive officers to discuss with their chief information security officers (CISOs) in the new year. Today I’ll share a checklist of important steps CISOs should take to reduce the most common areas of risk.

Claims data from insurance carriers participating in Vizient Insurance Services have found that most cybersecurity breaches occur from breakdowns in three main areas: people, process and technology. CISOs should start the new year by reviewing the following checklist to ensure you  have a solid plan in place and address any gaps to help your organization minimize vulnerabilities and avoid a ransomware situation.

  • Enterprise-wide cyber security education—Help people know their role. Conduct routine phishing exercises. Set incident reporting protocols. Set expectations for all staff.
  • Business continuity planning—Your insurance carrier and broker can help provide resources to develop a custom business continuity plan. Know your insurance policies related to business interruption, cyber liability and directors and officers. Leaders should know exactly how to respond to a cyber security event.
  • Patching—As software providers provide frequent updates and patches, ensure that there is a comprehensive vulnerability assessment and asset patching program in place both for medical devices and regular IT assets. A recent Ponemon Institute study revealed that 57% of attack victims stated that applying a patch would have prevented their breach.
  • Offline backups—Organizations need to secure separate back up options that are disconnected from the internet, the cloud and their computer network. The latest malware will encrypt and destroy back-ups, often undetected. Create frequent, separate tape backups stored in a secure location.
  • Network segmentation—Much like the construction of a ship, you want to segregate or partition segments of your network from one another to prevent one area of damage from taking down the entire network. Segmentation allows you to isolate the damage to a smaller area.
  • Multi-factor authentication—The increased number of hospital employees working from home has accelerated the ransomware epidemic by providing increased opportunities for unforced human error. Multi-factor authentication inserts an added layer of protection by requiring a hacker who might gain access to a login credentials to also have access to an employee’s mobile phone to access the system.
  • Spam filters, email configuration and anti-virus—Using email software such as Microsoft 365, ensure that filters and scans for suspicious emails and attachments have been set up. Legacy anti-virus products use known rules and virus database signatures to identify malware. Use next-gen anti-virus products which use billions of data points and artificial intelligence to detect anomalies and changes in use, human behavior or environment at the network end points for possible malicious activity.   

In addition, a stand-alone, cyber liability and breach response insurance policy should be the primary component of your cyber security strategy. Work with your insurance broker to ensure you maintain a comprehensive policy with appropriate coverage for your risks, transparent terms and conditions, and necessary limits for your organization.

The COVID-19 pandemic has provided even more opportunities for cyber criminals to exploit vulnerabilities, create organizational chaos and potentially jeopardize care delivery and safety. It is insidious for our nation’s health care system to be attacked by cyber criminals while they are providing critical care, aid and comfort to our people. The imperative to ensure your organization has the plans in place to prevent such attacks and respond effectively to those that do, has never been more urgent.

If you need help in this area, let me know how Vizient can support you in your efforts. Vizient Insurance Services has business relationships with cyber liability and breach response experts. Whether you are evaluating a broker, insurance carrier or a trusted cyber security consulting firm, Vizient has resources and information to help.   

About the author: Mark Stenmark serves as the national property and casualty (P&C) leader for Vizient Insurance Services. He is responsible for strategy, product development, sales, marketing, P&L, contract negotiations and the maintenance of multi-year B2B relationships with national insurance carriers and P&C broker partners. In his 20 years with the company, Stenmark also held regional and national positions in market management, business development, sales operations and purchased services.

Published: January 20, 2021