This year, threat actors were after a bigger piece of the PII (rimshot). After a decline in ransomware frequency in 2022 — following successful law enforcement actions against ransomware gangs — we saw a surge of activity in 2023.
Based on data from external threat intelligence and our book of business, this post will spotlight the cyber risks healthcare entities face and how they’ve rolled with the punches (and hit back).
An industry that can't catch a break
COVID-19 pushed an entire industry to the brink. While the rest of us celebrated the heroism of healthcare workers amid a crisis, ransomware actors saw something else: a target ripe for exploitation.
Vaccine research, precarious supply chains, and devastating consequences for downtime made any organization in possession of personal health information a prime victim. In 2020, hackers collected over $21 billion in ransom payments from the healthcare industry alone.
The last few years haven’t been much easier. Even as surges in the pandemic waned, threat actors still prioritized attacks on healthcare providers. The heavy regulatory penalties associated with PHI and the literal life-or-death consequences of downtime made hefty ransom payouts seem likely. So, good odds for hackers?
What healthcare faces now
This year, healthcare has become a key target for cybercriminals making up for lost time. The industry experienced a 141.6% increase from 2021 to 2023. Ransomware rates were 48% higher in Q2 2023 than any other quarter in the past two years. What’s happening?
The pixel problem
During the pandemic, hospitals and healthcare providers had to learn to meet their patients where they were going in the marketplace: online.
To better understand how to cater to patients, many providers implemented ad-tracking technology to understand the user experience. Rapid digitization brought unintended consequences: some healthcare websites featuring pixel technology allegedly sent information such as full names, descriptions of allergic reactions, and medication details to third parties, like Meta.
One-third of the top 100 hospitals in the United States sent patient data to a third-party media platform, necessitating involvement from the Office of Civil Rights (OCR). The OCR released strict guidance in December, declaring that “there is a presumption of a breach unless the entity can demonstrate a low probability that the PHI has been compromised.”
Advocate Aurora Health and Community Health Network were some of the first (and some of the largest) healthcare entities to notify patients of a breach due to their use of pixel technology, affecting over 5 million patients collectively.
Vendor breach claims
While the overall cause of claims in the healthcare sector is generally on par with Corvus’s overall book of business, claims filed under “Vendor Breach” and “third-party ransomware” far exceeded the average of all other industries. The explanation may be more straightforward (and less disastrous) than you’d expect — healthcare providers simply have to report breaches more often than other industries, due to US regulations around protected health information.
For context, picture a hospital that outsources MRI scans for some patients to a third party, which houses those patients’ information. If the MRI vendor experiences a breach, it is required to notify the hospital, and the hospital in turn is required to notify the affected patients. This triggers a Vendor Breach claim for the hospital.
Since ransomware typically involves the access and exfiltration of data, the same applies for third-party ransomware claims.
The bright side: More security, fewer ransom payments
Standing down attackers
While the industry grappled with an onslaught of attacks, healthcare organizations followed the advice of cybersecurity experts to step up their cyber hygiene. Industry-wide, they cracked down on threat awareness and preparedness among employees following the spike in attacks in 2020 and 2021.
We saw a notable reduction in the cost of claims due to underwriting standards that mandated more stringent controls for Corvus policyholders. The implementation of multifactor authentication, strong backup strategies, and endpoint detection and response (EDR) tools led to a 50% reduction in incident costs.
Less likely to pay up
Ransomware attacks on healthcare providers are likely to lead to media attention. As critical infrastructure, most hospitals (and their patients) can’t afford downtime. Because of this, they tend to prioritize resiliency by implementing all of the right security controls, with an emphasis on rigorous backups. This makes them less dependent on paying a ransom to get back up and running (they do, however, see a larger average ransom payment if they pay).
Corvus x Healthcare
As an ideal target for cybercriminals, the healthcare industry prioritizes investing in cybersecurity — second only to the tech sector in annual security budget (13.3% of their overall IT spend), according to IANS Research.
They are also getting better at anticipating breaches. In the first half of 2023, providers reported a 15% reduction in data breaches compared to the latter half of 2022.
Corvus is offering coverage enhancements for the healthcare industry, made with their specific challenges in mind. As the industry continues to make positive strides to combat the ongoing epidemic of cybercrime, we’re here to help them withstand the constantly evolving threat landscape. Our underwriters have the necessary cyber expertise and real-time data insights to meet the healthcare industry’s needs.