Cyber-attacks in the healthcare sector pose an international threat that can affect anyone regardless of health, age, ethnicity, and gender. Everyone needs healthcare and everyone has patient records. Information held by healthcare organisations is arguably the most sensitive data available - perfect fodder for cyber-attacks.
Unsurprisingly then, the healthcare sector is repeatedly suffering large data breaches and is increasingly being held to ransom. Most recently, Advanced fell victim to a cyber-attack in August 2022. Advanced software is used by 85% of NHS 111 providers (opens a new window)and the cyber-attacks resulted in delayed ambulance dispatch, limited or no access to mental health records, and emergency prescriptions not being issued. Months later, many services that form part of the advanced software are still not operating as they should (opens a new window). This example encapsulates the catastrophic systemic, operational, and physical impact cyber breaches can have on the healthcare sector.
Why do cyber-attacks happen?
Motives behind such attacks vary. Attacks are usually financially driven, but could also be politically motivated, or simply opportunistic.
A typical scenario is the planting of malware (malicious software) in computers in an attempt to take control of them, rendering them unusable and providing hackers with access to highly sensitive data.
The negative impacts include:
The possibility for medical disruption is endless; without access to patient records, it is difficult to deliver effective care, crucial appointments might not be followed up, and medication could be incorrectly administered.
Healthcare providers hold incredibly personal data about a person – issues of mental health, fertility, genetic disease, and addiction amongst others. Leaks of such information can lead to emotional distress in patients, hefty data protection fines, reputational damage, and, ultimately, complex claims.
Identity theft. Data held in medical records can form the basis of a new identity. Again, data breach compensation claims are common and could be brought against an individual or organisation.
There is no doubt that the use of technology in healthcare has made life easier. Advances in healthcare and technology are ones which we should all embrace but with this progress, must come education. At the heart of digital health is people. Organisations must reframe the culture around virtual security and insist buy-in from all within it. Of course, human error is inevitable but there are various steps which can be taken to instill good cyber hygiene standards:
Create an environment where people feel able to speak up when they are aware of potential breaches or cyber-attacks.
Instill in staff good e-health; the use of double-factor authentication, strong passwords, and not sharing passwords.
Create spoof scenarios. Sending regular fake phishing emails and text messages is a great way to familiarise staff with what real phishing communication may look like.
Send regular reminders on the repercussions of cyber-attacks.
Implement mandatory training modules and annual refreshers courses.
Despite best efforts, cyber-attacks do happen. In these events, you need a specialist response and robust indemnity. Survey responses have shown that 76% of health and wellness companies do not have a single insurance policy tailored to cyber risks that they face (opens a new window). Organisations and individuals alike should consider insurance policies which have detailed incident response plans and access to specialists who can help minimise the damage from cyber-attacks and get you or your business back on its feet. Lockton have specialist brokers with vast experience in cyber insurance (which contemplates cover for third party liability as well as first party costs, including business interruption losses and potentially reputational damage), as well as medical malpractice insurance (which extends to bodily injury, typically excluded from cyber policies). Those brokers will help you to understand where you are exposed to potential risk, what limits of indemnity you need, and which insurers can help protect your business.
For more information on how we can support, please contact:
Head of Advocacy and Risk Management - Senior Vice President
T. +44 (0)20 7933 2516
M. +44 (0)77 7542 9377
Assistant Vice President
T. +44 (0)20 7933 1217
M. +44 (0)77 7083 3030