Cyberattacks a Growing Threat for Healthcare

Because of the high value of medical records and healthcare databases to criminals, they pose ever more attractive targets. In fact, a number of reports have shown that cyberattacks are costing the healthcare industry billions of dollars annually, with a median loss of $150,000 per incident. Cybersecurity risks in healthcare have also drawn attention to the vulnerability of hospitals, clinics and other healthcare providers.

The infographic below, which is part of a series by Advisen and Hiscox, looks at:

  • The frequency of Health Insurance Portability and Accountability Act (HIPAA) violations over the past five years
  • The median loss in healthcare cyberattacks
  • The percentage increase of protected health information (PHI) losses between 2006 and 2011 for printed records, servers, laptops, desktop, website, portable data storage devices, and other sources.

It also examines which revenue groups suffered more PHI losses and the size of breaches that occurred more frequently.
cyber-hc1

The majority of losses involve printed records, which have increased to 45% since 2011 compared to 3% by email.
cyber-hc2

While some may think that the majority of breaches are large, in the past five years, almost 50% of breaches have been small, with fewer than 100 records lost.
cyber-hc3

Businesses Ignore Significant Cybersecurity Risks to Proprietary Data

Knowledge assets are critical to any business remaining functional and competitive, yet this data is routinely exposed to the risk of theft and overlooked in cybersecurity risk management. According to a new report from the Ponemon Institute and law firm Kilpatrick Townsend & Stockton, the organizations are increasingly ineffective at safeguarding data like trade secrets, product design, development or pricing, and other proprietary information.

As breach notification laws, regulatory requirements, and reputation considerations draw more focus to cybersecurity surrounding personal data of customers or personnel, businesses are leaving more risk on the table regarding their most valuable assets, and that risk has a notable price tag.

In the past year, the average cost of remediating these attacks was about $5.4 million, and half of respondents estimated the maximum cost would range over $250 million, with seven out of ten placing it over $100 million. What’s more, on average, respondents believe only 35% of the losses resulting from knowledge asset theft would be covered by their current insurance policies.

The primary drivers of these costs, respondents said, were (out of 100 points):

knowledge asset theft costs

Why are so many businesses failing to take action against the risks to knowledge assets?

knowledge asset data theft risk

Among the findings, the report noted:

  • Theft is rampant. Seventy-four percent of respondents say it is likely that their company failed to detect a data breach involving the loss or theft of knowledge assets, and 60% state it is likely one or more pieces of their company’s knowledge assets are now in the hands of a competitor.
  • Companies don’t know what they need to protect, or how to protect it. Only 31% of respondents say their company has a classification system that segments information assets based on value or priority to the organization. Merely 28% rate the ability of their companies to mitigate the loss or theft of knowledge assets by insiders and external attackers as effective. The great majority who rate their programs as not effective cite as the primary reasons a lack of in-house expertise (67%), lack of clear leadership (59%), and lack of collaboration between different job functions (56%).
  • Executives and boards aren’t focused on the issue and its resolution. A data breach involving knowledge assets would impact a company’s ability to continue as a going concern according to 59% of respondents, but 53% replied that senior management is more concerned about a data breach involving credit card information or Social Security numbers than the leakage of knowledge assets. Only 32% of respondents say their companies’ senior management understands the risk caused by unprotected knowledge assets, and 69% believe that senior management does not make the protection of knowledge assets a priority. The board of directors is often even more in the dark. Merely 23% of respondents say the board is made aware of all breaches involving the loss or theft of knowledge assets, and only 37% state that the board requires assurances that knowledge assets are managed and safeguarded appropriately.
  • Careless employees and unchecked cloud providers are key risk areas. The most likely root cause of a data breach involving knowledge assets is the careless employee, but employee access to knowledge assets is not often adequately controlled. Fifty percent of respondents replied that both privileged and ordinary users have access to the company’s knowledge assets. Likewise, 63% of respondents state that their company stores knowledge assets in the cloud, but only 33% say their companies carefully vet the cloud providers storing those assets.

Thanks in part to the lack of action currently, there is plenty businesses can easily do to improve.

“Companies face a serious challenge in the protection of their knowledge assets. The good news is there are steps to take to reduce the risk,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “First of all, understand the knowledge assets critical to your company and ensure they are secured. Make sure the protection of knowledge assets, especially when sharing with third parties, is an integral part of your security strategy, including incident response plans. To address the employee negligence problem, ensure training programs specifically address employee negligence when handling sensitive and high value data.”

Holding Executives Accountable for Cybersecurity Failures

The average cost of a data breach for companies surveyed has grown to $4 million, a 29% increase since 2013, with the per-record costs continuing to rise, according to the 2016 Ponemon Cost of a Data Breach Study, sponsored by IBM. The average cost hit $158 per record, but they are far more costly in highly regulated industries—in healthcare, for example, businesses are looking at $355 each, a full $100 more than in 2013. These incidents have grown in both volume and sophistication, with 64% more security incidents reported in 2015 than in 2014.

Ponemon wrote:

Leveraging an incident response team was the single biggest factor associated with reducing the cost of a data breach–saving companies nearly $400,000 on average (or $16 per record). In fact, response activities like incident forensics, communications, legal expenditures and regulatory mandates account for 59 percent of the cost of a data breach. Part of these high costs may be linked to the fact that 70 percent of U.S. security executives report they don’t have incident response plans in place.

With so much on the line, more and more companies and consumers continue to search for whom to hold accountable for cybersecurity failures, and the message is becoming clearer: executives need to get serious or watch out.

In a recent report from Bay Dynamics, “How Boards of Directors Really Feel About Cyber Security Reports,” board members expressed a surprising amount of confidence in their abilities to understand and act on cyberrisk threats and indicated there are real risks on the table for IT and security executives. Almost all of those surveyed said that some form of action will be taken should these executives not provide useful and actionable information, with 59% claiming there is a good chance one or more security executives would lose their job over such reporting failures.

More board members (26%) ranked cybersecurity risk as their highest corporate priority than any other risk, including financial, legal, regulatory and competitive risks, and 89% said they are “very involved” in making cybersecurity decisions.

Following the typical presentations from IT and security executives, more than three in five board members are both significantly or very “satisfied” (64%) and “inspired” (65%), but 32% are significantly or very “worried,” and 19% are significantly or very “confused” and “angry.”

According to the report:

Of the information provided to them during these presentations, the majority of board members (97%) say they know exactly what to do or have a good idea of what to do with the information. This statistic, however, does conflict with IT and security executives’ thoughts on the information they present. Based on our December 2015 survey, only 40% of IT and security executives believe the information they provide the board is actionable. There is a clear disconnect here between what the board perceives is actionable information, and what IT and security executives define as data that can be used to make informed decisions.

“IT and security executives are focusing on what they believe are the most impactful issues: a) forward-looking information about known vulnerabilities that could potentially harm the company in the future, b) specifics about data that was lost as a result of known infiltrations and data breaches, and c) the impact of these infiltrations and breaches,” Bay reports. “Interestingly, while information about how much is spent to address cyber risk is reported by IT and security executives in less than one-half of the companies surveyed, this was the most commonly cited information that board members said they needed to make investments for cyber risk planning and expenditures.”

Bay also pointed to a critical challenge in the education gap of many board members and the reliance upon information security executives: a large portion of the education board members have on infosec is from the organization’s IT and security executives, and “when the person education you on cybersecurity is the same individual tasted with measuring and reducing cyberrisk, there’s a fundamental disconnect.” It is extremely difficult for board members to understand what they are missing without education of their own and a third-party audit in place.

As cyberrisk continues to become a top enterprise risk priority, the consequences of failure may impact more of the C-suite than just chief information security officers or top IT executives. In May, following a social engineering fraud case that resulted in a wire transfer of 50 million euros, Austrian aircraft parts manufacturer FACC fired its chief executive of 17 years. Some regulators also want to start holding chief executives accountable in a way that truly speaks to them: their paychecks. According to a report from members of parliament on the British Culture, Media and Sport Select Committee, Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it. To address the issue, they suggest that chief executives who fail to prevent cybersecurity breaches have a portion of their pay docked.

Such was the case with Baroness Harding, the chief executive of TalkTalk, Britain’s fourth-largest broadband provider, which suffered a high-profile cyberattack recently. Her performance bonus was slashed by more than a third as a result of the company’s security failings.

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” said Jesse Norman, chairman of the committee. “Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

Cyber Insurance Purchasing Up, But Breaches Felt in Prices and Limits

NEW YORK—At yesterday’s Advisen Cyber Insights Conference, Zurich and Advisen released the fifth annual Advisen Cyber Survey of U.S. risk managers, finding a 9% acceleration in cyber liability insurance purchasing from 2014 to 2015. The firm has seen a 26% increase in the number of respondents who have coverage since the first survey in 2011.

Companies are taking cyberliability more seriously, Zurich reports, with the number of organizations developing data breach response plans up 10% from last year. What’s more, companies appear to be better recognizing the sheer amount of value at risk, with two-thirds of respondents saying they have either increased their policy limits or are considering doing so. While Zurich found that more organizations view information security as an organizational challenge rather than the purview of the IT department alone, and respondents said that boards and executive management are taking cyberrisk more seriously, those who have not yet obtained cyber coverage say it is because their superiors still do not see the need. There is also still a considerable difference in take-up rates among large corporations and small and mid-sized businesses, with Catherine Mulligan, senior vice president and national underwriting manager of specialty E&O, telling the audience there is an approximate 20-point spread between the groups.

“This year’s cyber survey shows that demand for coverage and higher limits has increased tremendously and we at Zurich have seen double digit growth year over year,” said Bryan Salvatore, president of specialty products for Zurich North America. “That is why we are heavily invested in identifying risks and delivering solutions and why we are committed to staying at the forefront of this issue.”

Marsh has also seen considerable growth in cyber liability insurance purchasing among its clients. According to the insurer’s new midyear cyber benchmarking report, the number of U.S.-based Marsh clients purchasing standalone cyber insurance increased 32% in the first half of 2015, up from 26% growth during this period in 2014. By sector, members of the education industry made up the biggest growth, with 155% more clients purchasing the coverage, followed by power and utilities with a 100% increase and manufacturing with a 76% increase. The healthcare sector remains Marsh’s largest buyer of cyber coverage, with 41% of all clients in this industry purchasing it by the end of the first half of 2015.

Cyber liability insurance growth rates

Sessions throughout the conference made clear that insurers—and the industry at large—are still struggling with what is also risk managers’ biggest challenge: data. Completely evaluating the true value at risk with cyber liability continues to elude both sides, although many new approaches and consultancy services are emerging. Further, the dearth of actuarial data not only compounds the challenges of the cyberrisk assessment process, but make it hard for the industry to set pricing and limits with confidence.

“It is hard for insurers to be prudent with cyber as risk managers often do not fully understand how to measure their exposure,” Mulligan said.

“Actuarial data is the Holy Grail of the cyberinsurance market: we’re all searching for it and it’s just not there,” said Bob Parisi, cyber product leader at Marsh, who moderated a session on the struggle to quantify and model cyberrisk.

In addition to the actuarial uncertainty, the considerable number of large losses over the past few years is continuing to push up the cost of cyber, forming what Willis executive vice president Peter Foster described as a “hot” market that will have to cool and solidify with time. Parisi chose to describe the market as “brittle” after absorbing several hundred million dollars in losses, and a range of insurers and brokers reported that premiums have increased dramatically as a result. The Marsh study found that price increases across industries averaged 19%, with 32% increases among retailers, the most frequently breached sector over the past few years.

cyber insurance limits purchased

While these breaches and better estimates of the real cost of cyber incidents have helped many companies realize they may be underinsuring for cyber liability, the move to correct this is getting more difficult. Insurers have said repeatedly that there is plenty of capacity in the cyberinsurance market and many buyers have increased the limits purchased, but higher limits of liability are increasingly hard to come by, and none really exist in excess of $100 million. Particularly for businesses that have yet to implement serious efforts to address information security, rate increases appear sure to continue, and simply buying more coverage will not only be unsustainable, but may not even be possible as insurers give more thought to the capacity they are willing to commit to these risks.

“There is just not enough capacity to extend $50 to $100 million limits to every account,” said Greg Vernaci, AIG’s head of cyber in the United States and Canada. “We are looking to reward those companies with a robust information security posture who go beyond and take a multifaceted approach to managing cyberrisk.”