On May 7, 2021, the operator of a major pipeline system that transports fuel across the East Coast fell victim to a ransomware attack that resulted in a six-day shutdown. Over the following week, East Coast stockpiles of gasoline dropped by about 4.6 million barrels and gas prices surged to their highest levels in six and a half years. The 5,500-mile-long pipeline provides roughly 45 percent of the fuel supplies for the East Coast, representing critical infrastructure for consumers from the Gulf Coast to Linden, New Jersey. Under mounting public pressure to respond and facing devastating losses to the company’s operational income, the operator authorized a ransom payment of $4.4 million to hackers.
On May 31, 2021, one of the world’s largest meat suppliers disclosed that it was targeted by a ransomware attack that forced the company to shut down its meat processing plants in North America. As the meat processing plants depend on automation and computers for the production process, as well as processing of orders, billing and shipping, the company had no choice but to shut down operations. The company has not disclosed if it paid a ransom as part of its efforts to get back online.
Health systems and healthcare providers, like public utility companies and other service providers, are highly vulnerable to ransomware attacks. In recent weeks, separate attacks disrupted the IT networks of public healthcare systems in Ireland and New Zealand and resulted in a call for governments and industry to do more to hold cybercriminals accountable. In 2020 alone, at least 91 U.S. healthcare providers suffered attacks, up from 50 in 2019.
Criminal actors take advantage of unique network and connectivity vulnerabilities to infiltrate health system servers, encrypt data and prevent providers from accessing critical records. Providers are then left with the difficult decision of whether to pay a ransom to decrypt their records. A ransomware attack operates on the premise that if the victim of the attack pays the amount demanded, the criminals will provide software keys that decode the data and enable the victim to continue its operations.
Increasing Impact of Ransomware on U.S. Healthcare Industry
In a joint advisory from October 2020, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the Department of Health and Human Services recommended not paying ransoms, as there is no guarantee files can be recovered. However, ransomware attacks are typically costly and highly disruptive for healthcare providers. In 2020, the U.S. healthcare industry lost $20.8 billion due to downtime caused by ransomware attacks. The University of Vermont Medical Center, which suffered an attack in December 2020, is estimated to have lost approximately $64 million and furloughed 300 staff members as a result of the attack. Nevertheless, ransom payments are controversial because they fund and embolden criminal enterprises, leading to increasing ransom demands. Last year, hackers demanded approximately $15.6 million from more than 600 U.S. healthcare facilities, with at least $2.1 million of that amount paid.
Healthcare providers are uniquely vulnerable to ransomware attacks for several reasons. Provider networks without tight access control are highly susceptible to breaches. Furthermore, web-connected medical devices and personal devices often do not have built-in security features, enabling easier access to important healthcare records. In addition, patient records — which often retain medical records, payment histories and insurance details in one place — may be compromised in cases of improper disposal of patient information or the use of record storage systems with deficient cyberattack protections. Security risks have also increased as providers work remotely from home and at COVID-19 testing and vaccination sites.
Importance of Cyber-Insurance Coverage
The increase in payouts related to ransomware attacks has important implications for healthcare providers evaluating their cyber-insurance coverage. Cyber insurance that covers the risk of a ransomware attack has become widely available in recent years. These types of policies or endorsements typically cover some or all of the money spent to pay the ransom demand in the event of a ransomware attack, allowing the policyholder to unlock its files and systems upon payment and resume operations. This approach is predicated on the assumption that, as a general rule, the ransom amount will be less than the cost of replacing or restoring files and equipment damaged or permanently locked as a result of the attack, along with the associated downtime. However, if this ceases to be true, cyber-insurance carriers will require insureds to mitigate the damage rather than pay the ransom. Some insurers may stop writing policies that reimburse customers for payments made in response to ransomware attacks. (As one example, AXA, one of Europe’s top five insurers, issued a statement on May 6, 2020, indicating that it will no longer underwrite policies in France that reimburse customers for extortion payments made to ransomware criminals.)
Over the past few years, cyber-insurance carriers have been tightening their underwriting guidelines and scrutinizing cybersecurity controls in greater detail. With the significant increase in security risks resulting from the COVID-19 pandemic, these trends will continue. Healthcare providers can also anticipate more restrictive terms and conditions in their policies as attacks continue and payment demands increase. These will likely include more robust policy exclusions and sub-limits that cap coverage for extortion payments. Insurers are also walking back the costs they are willing to cover, such as the costs of investigating and responding to attacks and lost operational income.
Preserving the Right to Coverage
Healthcare providers should, therefore, closely review the key terms and limitations of their cyber-insurance policies or endorsements. Most policies provide coverage only for costs incurred after the insured notifies the insurance carrier that an attack has occurred. Some policies also require the policyholder to inform applicable law enforcement agencies prior to providing coverage for any costs incurred. Further, insurers require prior approval of the payment of any ransom. Accordingly, to preserve their right to coverage, healthcare providers should have a basic understanding of the coverage provisions of their cyber-insurance policies and, in the event of a security incident, work with their insurance agents or brokers, and counsel, to confirm they have satisfied all of the insurer’s notice-of-loss requirements.
Additional Coverage Specific to Cyberattacks
Healthcare providers should also consider obtaining coverage for the following types of expenses, which are usually associated with services related to a breach of protected personal information (PPI) during a ransomware attack:
- Crisis assistance services. These types of services generally include (i) providing notices of the attack to individuals whose PPI may have been improperly accessed, lost or stolen by the hackers; (ii) establishing a call center for impacted individuals to receive information; and (iii) designing and hosting a website for advising of any purported access, loss or theft of PPI as a result of the attack.
- Credit monitoring services.
- Identity theft services.
- Fraud resolution services.
Steps to Prevent Ransomware Attacks
To prevent ransomware attacks, healthcare providers should back up their data to offline sites so the data remains accessible in the event of a ransomware attack. Having local copies of backups is preferable, since downloads from the cloud are time-consuming and costly. Experts also recommend that providers install monitoring tools that can quickly notify administrators of any server outages. Such prompt notification limits the number of machines hackers can encrypt and hold hostage, which can greatly reduce recovery time. Providers should procure medical devices with the appropriate security features and update the cybersecurity capabilities of their existing IT infrastructure. Finally, insurance contacts, policy numbers, and vendor and support contract information should be saved in hard copy and kept readily available to enable the provider to deploy a rapid response in the event of a security incident.