1.  Beyond Breaches

With ransomware, cybersecurity in healthcare has gone far beyond HIPAA compliance, breaches of PHI or identity theft.  For the unprepared healthcare provider not able to prevent ransomware or contain it to prevent more harm quickly, ransomware  interrupts cancer treatment, renders the patient record unavailable, threatens physical harm and death.

Ransomware has been with us for a long time.  The major difference now is that it targets victims like healthcare providers whose complex independent networks and critical need for real-time information can make reliance on backups difficult and potentially life-threatening.

2.  Technical Safeguards and Culture Change

Best practices for security programs to deal with this transformative threat are straightforward and widely available. Here are the ones that the Government recommends:

• Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
• Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
• Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
• Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
• Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
• Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the Web. See Good Security Habits and Safeguarding Your Data for additional details.
• Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.

The last bullet, however, hits the nub of the greatest challenge, the need to treat social engineering threats with the seriousness that they have always deserved but have generally avoided.  How can ransomware and similar targeted threats lead to new network lockdowns like those seen in other areas of the critical infrastructure, just as healthcare moves into new worlds of interactive health promotion and care management with patients?  To do so, technical safeguards such as careful network segmentation, endpoint security and monitoring software, virtualized services and regular snapshotting need to be combined with new levels of security awareness and culture change across the workforce, probably stimulated by new rules as well as effective, memorable training.

3.  Ransomware Risk Transfer

The size of the potential risks to healthcare providers associated with ransomware and the impossibility of avoiding those risks entirely make transfer of those risks through cyber-insurance important, and assurance that ransomware risks are covered by the providers’ cyber-insurance critical.  Cyber-insurance needs to protect providers against both first-party losses and third-party liability:

First-Party Losses 

Most available cyber-insurance policies contain “cyber-extortion” insurance coverage, which applies to the organization’s payment of ransom to avoid the impacts of ransomware.  Cyber-extortion insurance generally requires notification and consent by the carrier before a ransom can be paid.  Also, such policies often contain “network interruption” insurance, which would apply to a company’s business interruption loss arising out of a ransomware attack that shuts down its network.  Network interruption insurance generally requires a waiting period (effectively, a deductible/retention) to occur before the insurance applies.  In some policies, there is also a “period of interruption” limit of 90 or 120 days.

Some policies also cover the costs incurred to recover and restore digital assets impacted by a covered cause of loss.  This coverage is not provided by all carriers, and is significantly narrower under some coverage forms than others.  For example, some policies will cover the direct costs to “restore, recreate,  and recollect” electronic assets, but will not cover employee time or other company overhead.  Others have broader coverage which includes materials, machine time, employee workload/overhead, mitigation costs, or the costs to restore software licenses that cannot be accessed due to the covered cause of loss.

Some carriers provide these first-party coverages only as an “opt-in” coverage, and in any event, these first-party insurance coverage sections may be sub-limited within the cyber-insurance policy.  Moreover, if the organization is large enough to carry excess cyber-insurance, it should be aware that many excess insurance policies explicitly exclude, and do not apply excess of, sub-limited coverages in the primary.  Organizations should work closely with their brokers to ensure they have sufficient limits for these first-party coverages.

Third-Party Liability

Cyber-insurance policies also cover third-party liability, including, in most cyber-insurance policies, regulatory liability, arising out of a covered privacy or security event.  Regulatory liability, like first-party coverages, often is sub-limited, so organizations should discuss regulatory limits with their brokers.

Many policies specify that liability covered under a cyber-insurance policy must arise “solely  as a result of an alleged privacy or security event.  Healthcare providers may therefore want to purchase cyber-insurance from their professional liability carriers, to avoid finger-pointing as to whether the organization’s liability in the wake of a ransomware attack arises “solely” out of the attack.

Other Limitations

Other limitations or exclusions in cyber-insurance policies could impact full recovery for ransomware losses incurred by healthcare organizations.  First, cyber-extortion coverage generally is limited to privacy/security threats for the purpose of obtaining money or other valuable property from the organization.  As we have seen with many attacks, however, cyber-extortion events are not always for the purpose of obtaining money, but may focus instead on forcing actions on the victims.  Also, all cyber-insurance policies contain “war,” “government action,” or “acts of foreign enemies” exclusions that might apply to limit coverage should the attack be conducted by hackers tied to a foreign government.  Some carriers have recently begun addressing these potential gaps by providing a separate coverage, usually by endorsement extending the definition of “security event,” for “cyber-terrorism,” defined to include, for example, disruptive activities or threats, “with the intention to cause harm, [or] further social, ideological, religious, political or similar objectives . . . .”

Finally, and perhaps most important for healthcare organizations given the threats of physical harm and death with which we began, almost every cyber-insurance policy available on the market contains an exclusion that applies to liability for bodily injury or property damage. Healthcare providers should push for exceptions to such exclusions to the extent they are available.  In addition, providers should ensure that their professional services and/or commercial general liability policies that typically respond to malpractice allegations do not exclude cyber/privacy losses, and also do not contain bodily injury/property damage exclusions that would impact recovery in a ransomware case.