Ransomware has never been a more serious threat for health care organizations, even small medical practices. So what should be done about it? Is it possible to defend yourself? Are there insurance products that can help protect your business in the event of a breach? To discuss these issues, Medical Economics® sat down with Peter A. Halprin, Esq., a partner in Pasich LLP’s New York office who specializes in complex insurance coverage matters in relation to cybercrime. The transcript below was edited for length and clarity.
Medical Economics® (ME): Let’s put the ransomware issue into context. How big of a problem is it in health care?
Peter A. Halprin: It is a massive problem. We’re talking about billions of dollars in impacts. And I think the average cost of a breach tends to be around $2 million, with about 10% of that being ransomware payments, and the rest being recovery. As I said, the numbers are going up and up and up. So any number I’d give you is already stale. Unfortunately, the trend is only going to continue.
I think health care is a particularly risky sector in this regard for two reasons. One is there is lots of personal information. So data-rich target, if you will, and then the flip side being you’ve got a lot of proprietary systems, you’ve got a lot of older systems that haven’t been updated, don’t get regularly updated. I think in some ways, doctors, like lawyers — they’re focused on their craft. And they’re not necessarily focused on these other things, assuming, Why would anyone do this? Why would anyone target a medical facility or doctor’s office or anything else? And the answer is you’re a target-rich environment and (cybersecurity is) not a priority. So I think health care has continued to be a particularly fertile source for ransomware actors.
ME: How has the COVID-19 pandemic affected cybersecurity?
Halprin: Negatively, for sure. I think that the bad guys have taken advantage of people working from home, people being distracted. It’s very hard to stay focused on your tasks. All of a sudden, you get an email that comes in and it looks very convincing. And I’m telling you, the bad guys are bad. For example, people were getting emails in March of 2020 talking about the cure for COVID-19, or the email looked like it was coming from the World Health Organization or the CDC. So they took advantage of that. Cyber hygiene was definitely down.
I think the other side of it is that the bad actors are targeting specifically vulnerable institutions and organizations. So we saw attacks on vaccine research centers, hospitals, doctor’s offices. For those vulnerable sectors, part of their vulnerability is that it is a matter of life and death. The bad actors take advantage of that vulnerability.
ME: Is being targeted by hackers inevitable?
Halprin: I’m hesitant to say that it’s inevitable because I don’t want people to just throw their hands up, so I don’t love the word. But it is highly, highly probable that there will be an attack or there will be some form of cyber incident or cybercrime involving a health care institution.
So the question is, knowing that there’s that high probability, how do you address that? You really want to beef up your security, what I call cyber hygiene. It’s protecting your business, it’s making sure that people don’t click those bad links, it’s making sure that you clearly identify when an email comes from an outside source, it’s making sure that sensitive areas in a business are closed off so that people can’t penetrate security.
The second instance can come in the form of limiting access. If someone’s able to access your account, then they can get no further than what you can access. It’s that kind of internal security.
ME: What about cyber liability insurance?
Halprin: Yes, the third layer is cyber insurance. So you get insurance for when things go wrong. This is the same kind of product. Once you have that in place, remember, it’s not a fail-safe; it’s not a defensive system. That’s why I say it’s the third and final resort. But it offers two things. It offers bottom-line protection: Let’s say you have $10 million worth of coverage, and then the bad thing happens. You know that you can be restored up to the $10 million that hit your bottom line.
The other thing that cyber insurance often entails is breach response services. So they can help you build out a program to protect yourself when something happens. They can provide you with vendors, they can provide you with legal counsel, they can provide you with public relations experts, and so they can help build that suite of services around you and your business that are needed to deal with an incident.
Now, most businesses have their own cybersecurity plans and their own incident response plans. One of the biggest flaws that I see in incident response planning is that a company will have its own incident response plan, and then it will also have these cyber insurance resources, but they won’t be integrated. And so the problem there is if you use your own people, and you don’t get consent to use them, the insurance company might say, Hey, we’re not paying for that. So the best thing that you can do is work to get insurance involved on the front end, working to make sure the insurance company has signed off on the plan so that it seamlessly integrates. So when something bad happens, you can bring all those resources to bear.
ME: Should health care organizations ever pay the ransom?
Halprin: This is probably one of the trickiest moral and ethical dilemmas for businesses. As a lawyer, I can’t advise anyone to break the law. And if you speak to law enforcement, the overwhelming suggestion is don’t pay. The reason they don’t want you to pay is they don’t want the criminals to be incentivized to continue doing what they’re doing. There are also sometimes actors that are on the sanctions list, right? They’re people that we as a country do not permit our citizens to engage with. So there are a lot of considerations as to why it’s not a good idea to pay.
One other consideration about not paying is sometimes you pay and the actor stays in your system and continues to extort. So you’re not even promised that you’ll get free and clear access from paying. And then even the worst part is, you could get free and clear access, but everything’s corrupted now that they’ve left. And so you get very little for what you pay. Those are all the reasons not to.
But what I think businesses often do practically, especially those in the health care space, is they just pay. I can’t give you a number or a statistic. But overwhelmingly, when clients are hiring me and they’re fighting with their insurer, oftentimes it’s because they want to get the insurer to cover the ransom. And I would say if you have a cyber policy that covers ransomware, insurers are amenable to you making those payments and to reimbursing those payments.
ME: Something we often hear from physicians at small or solo practices is they don’t believe they are really being targeted. How true is that?
Halprin: It’s not true at all. It’s more kind of a buckshot and goes in a lot of different directions. I don’t think (hackers) are necessarily saying, I want to hit small practices in the Midwest, but it may necessarily end up being that way. There are targeted attacks, for sure, which do end up hitting the larger organizations, but I think that for the smaller medical practices, it’s not necessarily because they picked you. It was more that you happen to have a vulnerability that’s not patched.
ME: Is there anything else that’s important for physicians to know about the subject that we haven’t discussed?
Halprin: Just to take this seriously. Some of the questions that physicians have: If I’m going to get hit with this anyway, what’s the point? Why bother? I think the answer is you still want to be prepared. And you still want to take precautions. Because if you’re too nonchalant about it, it could end your business.