Constant ransomware attacks, increasing technological complexity, and escalating medical device security concerns across the industry have put pressure on cybersecurity efforts for healthcare organizations. In the first half of 2022, covered entities reported 337 healthcare data breaches (impacting more than 500 individuals each) to the HHS Office for Civil Rights.

A report by Fortified Health Security shows that 80% of those breaches were attributed to hacking/IT incidents, compared to 73% at this time last year. Ransomware attacks continue to account for a large portion of healthcare data breaches, as threat actors repeatedly go after healthcare’s hold on sensitive, high-value data.

Healthcare is a lucrative business for cybercriminals because victims are likely to pay the ransoms. In fact, a recent Sophos study reported that healthcare was the most likely sector to pay a ransom. Just over 60% of survey respondents who experienced encryption admitted to paying the ransom, compared to a cross-industry average of 46%.

The Department of Health and Human Services (HHS) Office for Civil Rights reports that health information breaches at HIPAA-covered entities have affected more than 33 million people. Such breaches can result in exposure of sensitive patient information, increased healthcare delivery costs, and risk to patient health and safety.

In response, the Healthcare Cybersecurity Act of 2022 was introduced in the U.S. Senate on March 23. The bill aims to enhance the cybersecurity of the healthcare and public health sectors with new healthcare cybersecurity regulations. If passed and signed into law, the Cybersecurity and Infrastructure Security Agency (CISA) and HHS will collaborate to take specific actions including evaluating the cyber challenges of healthcare organizations, analyzing how cyber risks impact healthcare assets, and assessing the workforce shortage.

Evaluating the Challenges and Analyzing the Impact of Cyber Risks

Healthcare organizations face cybersecurity challenges daily because they collect, process, store, and send large amounts of electronic medical records that cybercriminals can hold for ransom or sell. Under the Healthcare Cybersecurity Act, CISA and HHS will evaluate what those challenges are. They will investigate how healthcare organizations secure their systems, devices and data, how they implement their security protocols, and how they respond to data breaches and attacks.

Strong security operations can reduce the effect of cyberattacks. Efficient detection, response, and prevention operations can stop and reduce the impact of incidents. Cybersecurity must keep up with the digital progress of healthcare organizations as they aim to address modern patient needs.

Healthcare cyber risks impact everything from operating budgets and privacy compliance to patient care. As a result, healthcare organizations have focused on maturing their cybersecurity infrastructure and investing in people, processes and technology. Many facilities work with a third-party vendor, such as a managed detection and response provider, to help minimize their cyber risks.

Cyber Risk Solutions for Healthcare

Healthcare facilities should secure the appropriate cyber insurance to seek to cover the costs of a ransomware event, as well as to provide network/forensic assistance. For example, a senior manager in a healthcare management firm opened an email from an established vendor that said: “Your computer is now blocked. You have 96 hours to pay or your files cannot be recovered. Our ransom is $500,000 in bitcoin.” The ransomware spread quickly and, according to the message, if the firm did not pay, its files would either be destroyed or remain inaccessible.

USI professionals worked with the management team to review all options, including the ransom amount and remediation cost, which totaled approximately $500,000 in ransom, $100,000 to secure the bitcoin, and $300,000 in forensics and other expenses. Since the firm had cyber coverage, the cost for the above incident was paid less the retentions (i.e., $900,000 minus a $50,000 SIR).

This is only one example of how ransomware can threaten your organization, and many considerations remain for healthcare facilities. View our cyber webinar for healthcare organizations to learn best practices before and after a cyber event.

In the U.S., state and local governments spend more than $250 billion every year constructing roads, bridges, rail lines, utilities, schools and other public infrastructure. The 2021 infrastructure bill plans to generate an additional $1.2 trillion in spending for construction projects.

However, companies must follow complex technology and cybersecurity requirements to qualify for many projects. In addition to tackling the usual cyber risks, construction firms must achieve increasing levels of cybersecurity just to compete for business.

For contractors of federal agencies, the NIST Cybersecurity Framework is required. That makes NIST 800-171, along with SOC II Type 2, the place to start.

• NIST (U.S. National Institute of Standards and Technology) addresses cyber risks and is considered the gold standard of cybersecurity regulations
• SOC II Type 2 enables organizations to obtain a certification of compliance
• ISO (International Standards Organization) frameworks, especially ISO 27001 and 27002, are international standards of security validation
• NERC-SIP is focused on third-party risk in the utility and power grid sector

Cyber Risk Solutions for Construction Companies

Cybercriminals can inflict harm by breaching intellectual property, stealing critical data, and causing downtime, resulting in financial losses and project delays. Further investment in cybersecurity, insurance and best practices can help.

Construction firms commonly rely on service providers for everything from electronic bill payment to material sourcing and distribution. Contractors’ systems may be integrated within construction organizations’ networks. As a result, an attack launched through a contractor’s system represents an easy way to gain access to a more valuable organization.

Not surprisingly, a common coverage gap for construction companies is poorly managed IT security. For example, USI risk management professionals and our Answerlytics™ cyber partners helped a construction firm evaluate its in-house data logs and identify and address two emergent threats. This made a significant financial impact by improving SIR by $500,000 versus the quoted amount ($1 million SIR) due to implementing managed security services, including a 24/7 security operation center and endpoint detection and response functions.

View our cyber webinar for construction companies to learn best practices before and after a cyber event.

The manufacturing and distribution industries are seeing an accelerated change in technology due to emerging trends. According to Deloitte’s report “Cyber risk in advanced manufacturing,” the most prominent trends are:

• Large-scale investments in intellectual property and exponential technologies
• Exploration of industry digital manufacturing opportunities and increased interconnectivity of the industrial ecosystem
• Rapid adoption of sensor technology, smart products, and Internet of Things (IoT) strategies and analytics to drive increased customer service and business efficiency

This existing technology footprint, along with its accelerating pace of change in business and manufacturing technology, is having a dramatic impact on the breadth and complexity of cyber risks for manufacturers.

Cyber Risk Solutions for Manufacturers and Distributors

For manufacturers and distributors, cyberattacks and cost per attack are rising at an historical rate. Cyber losses mean cyber risk management shortcomings negatively impact an insured’s risk transfer costs, SIR, limit availability and terms of cyber coverage.

Companies rely on USI’s cyber solutions to:

• Assist them in bridging the cyber knowledge gap and mitigating vulnerabilities
• Improve their cost of risk (both premium and overall risk cost) and provide ongoing cyber risk management
• Create positive premium, terms and SIR/limit outcomes and better cyber risks.

View our cyber webinar for manufacturers and distributors to learn best practices before and after a cyber event.

Real estate transactions contain large amounts of personal information, such as financial data, social security numbers, driver’s license numbers, passport numbers, insurance information, and passwords. Cybercriminals know this and are ready to exploit vulnerabilities at any point. In addition, the growing demand of Internet-of-Things-enabled buildings, expected to reach about 142 billion globally by 2028 (PR Newswire), puts increasing pressure on the real estate industry to adopt solutions to help protect against potential Internet of Things attacks and other cyberthreats.

For example, one of USI’s clients, a property manager, was concerned about cyber insurance coverage after attending a trade association meeting and learning about a major cyberattack on a similar company. The property manager maintained an online payment portal that allowed tenants to pay rent and association fees by credit card. While the property manager carried $50,000 in data breach coverage, their policy did not provide coverage for payment card industry (PCI) fines and penalties.

USI used our cost of breach calculator to illustrate that a major breach of the online payment system could lead to nearly $100,000 in PCI fines and fraud assessment costs. After sharing this significant uninsured exposure, USI worked with the client’s cyber underwriter on the upcoming renewal, and endorsed the policy to include coverage for PCI-related exposures, eliminating uninsured exposures that could exceed $100K with no significant impact on premium.

Cyber Risk Solutions for Real Estate Companies

Cyber insurance can provide critical protection for direct loss and liability arising out of the use of technology and data in day-to-day operations, assisting real estate businesses in mitigating their exposures to cyber risk and successfully recovering from cyber incidents.

Most real estate companies focus on protecting personal identifiable information, but there’s an array of other first and third-party exposures when it comes to cyber liability. Coverage for these exposures can include:

• Network interruption/extra expense
• Contingent network interruption/extra expense
• Data reconstruction
• Cyber extortion
• Bricking coverage
• Voluntary shutdown
• Reputational harm business interruption/extra expense

USI analyzes the organization’s risk and exposures, then reviews its existing insurance program for deficiencies. Based on our conversations with the client about its contractual obligations, security controls, and the evolving threat landscape, we then recommend a program of coverage to address first- and third-party exposures. The financial impact from reducing exposure to uncovered losses is typically $1 million to $5 million.

View our cyber webinar for real estate companies to learn best practices before and after a cyber event.