As we all saw in 2015, hospitals and health insurers are prime targets for cyber attacks designed to obtain personal and health information of individuals. Those attacks are bad for all the obvious reasons. Worse attacks can happen though, and they can bring a hospital to its knees. Events in February 2016 are a good illustration.
On February 5, 2016 criminals launched a cyber attack on Hollywood Presbyterian Medical Center in Los Angeles. We don’t know what attack vector was used, but somehow the criminals managed to infect the hospital’s computer systems with ransomware. The malware, like other ransomware, encrypted the hospital’s systems and then demanded that a ransom be paid in return for which the hospital would receive the code to decrypt its systems. Early reports stated that the ransom demand was 9000 Bitcoins ($3.4 million). The hospital later released a statement saying that those reports were wrong, and that the ransom was actually only Ƀ40, roughly $17,000.
The attack created an “internal emergency” at Hollywood Presbyterian. While the malware was active the hospital was unable to communicate electronically. Instead of using email, hospital staff had to use telephones and fax machines. The attack also affected the hospital’s electronic medical records. That forced hospital staff to use paper. The attack reportedly led the hospital to take certain computer systems offline to prevent the malware from spreading.
Because its systems were compromised the hospital’s ability to deliver care was impacted, and reports have said that patients were transported to other hospitals as a result. Fortunately, the hospital has found no evidence that any patient or employee information was exposed or taken.
The hospital ultimately paid the $17,000 ransom because they concluded that it was the “quickest and most efficient way” to restore the computer systems. The malware was fully removed by February 15, 2016.
These attacks could have been so much worse.
Although the attacks against Hollywood Presbyterian and other hospitals were alarming and expensive to address, they fortunately do not appear to have done lasting damage. It would be an overstatement to say that this attack brought Hollywood Presbyterian to its knees. But what would have happened if the malware locked up computer systems involved in delivering patient care? It’s certainly possible; cyber attacks against medical devices are already a fact of life. If such an attack happened, it obviously could cost lives. At the same time, it could decimate a hospital’s business and reputation. The attack would be a true catastrophe on multiple levels.
What can hospitals do in the face of threats like this? Considering that hospitals are critical infrastructure, the advice in my earlier post on that subject applies equally to them. Put simply, they must identify and manage their cyber risks and the financial consequences of those risks should they materialize.
So, how would insurance respond to an attack like the one against Hollywood Presbyterian? Quite well, if the right cyber policy is in place.
Cyber insurance policies can, but don’t always, include coverage for cyber extortion. This coverage, potentially in combination with computer security breach event coverage, should cover the cost to investigate the attack, necessary legal expenses, public relations costs, and ransom amounts. To the extent that a hospital’s business is impacted by the attack, network business interruption coverage, if purchased, could cover the resulting financial loss. If data is damaged or lost there is coverage available that would pay the hospital’s cost to recreate or replace it. Cyber policies are not all alike though, so they need to be evaluated and negotiated carefully to ensure that the necessary coverage is there.
Could insurance cover bodily injury resulting from a ransomware attack that affects a hospital’s patients? That is much more difficult. Insurers increasingly are excluding losses resulting from cyber events under general liability and other non-cyber policies. That could leave hospitals with a significant coverage gap. As I mentioned in my critical infrastructure post, insurance products are becoming available that are designed to fill that gap. Hospitals and other healthcare providers would do well to carefully evaluate whether they need that coverage.