Healthcare organizations have taken the cake for the industry most impacted by the pandemic. There was so much to deal with when it came to patient care and employee retention that cybersecurity was the least of these organizations’ worries.
“The healthcare space has always been perceived as a target for cyber criminals,” Bill Bower, senior vice president and director of healthcare at Gallagher Bassett Specialty, told Insurance Business.
“Even though healthcare systems have been given the responsibility of protecting sensitive information, their core business is patient care, not engaging in a robust cyber security infrastructure.”
Cyber exposures for healthcare organizations have naturally increased due to the pandemic, and Bower explained that with more remote access, endpoint exposures are created through every laptop or phone.
“Healthcare institutions have been overwhelmed and focusing energy on the influx of patients,” he added. “With alarming decreases in staff, the priority shifted to an all-hands-on-deck approach, meaning they may not be paying attention to cybersecurity.”
For insurers, this raises concerns about whether the right cyber protocols and training are in place to protect sensitive information, so these organizations are not disrupted to an even larger extent.
“An organization has to establish and strengthen their cybersecurity infrastructure by having processes in place that identify vulnerabilities,” said Bower. “It’s not if an event happens, but when it happens.
“If patient information is corrupted or taken out of your system, it is incredibly dangerous,” he emphasized. “It’s one thing to freeze a system, place a code and hold it for ransom. Extracting data to use it elsewhere is another story.”
An organization is only as strong as its weakest link. All it takes is one employee to invite a cybercriminal into their system, which is why education and training around ransomware should be a priority for these organizations.
“With the migration of nurses away from healthcare organizations, it is becoming more difficult to terminate them within a system, resulting in past employees having credentials to access a system,” Bower noted. “This can go on for months. It’s not that an individual will intentionally go into a system to corrupt information, it is the fact that they’re walking around with credentials that could be gained by a cybercriminal.”
Telehealth has also become a new normal during the pandemic. Healthcare entities have moved away from building new hospitals to building immediate care centers, increasing exposures in remote working environments.
“The patient population doesn’t necessarily want to establish a physician-patient relationship anymore,” Bower said. “Patients and employees are accessing their healthcare information remotely which introduces more threats with this transmission of data.
“The more we engage in remote access, which is the way the world operates at this point, the need to make sure all endpoints are properly protected is the new frontier organizations need to pay attention to.”
From a broker perspective, things that should be top of mind, according to Bower, are managing the expectations of your clients, going back to submissions that are up for renewal, and ensuring clients have the cyber protection in place that underwriters are looking for.
“Premiums are going way up, and capacity is shrinking. The more aware clients are before renewals the better,” he said. “It’s not just an issue of premium at this point, it’s a possibility of non-renewal and that conversation can’t start soon enough.”
