25 October 2024
Weaponisation of Healthcare
Why healthcare is an emerging cyber battleground and how organisations can improve resilience
Over the past decade, the healthcare sector has emerged as a significant and growing target for cyber-attacks. Cyber-attacks on medical-related institutions and organisations have become almost commonplace, with 67% of healthcare organisations hit by ransomware in the past 12 months, two-thirds of which proved successful.
As cybercriminals shift to double and triple extortion tactics, most ransomware attacks in the past year (95%) attempted to compromise backups. Data breach is both disruptive and costly for healthcare providers. In 2024, for the 14th consecutive year, healthcare had the most expensive data breaches out of any sector, at an average cost of nearly USD10 million.
Healthcare businesses possess sensitive information that appeals to hackers for the purpose of extortion. The sector is also viewed as ‘low-hanging fruit’ by attackers given an overall lack of investment in security measures in comparison to other sectors, the ability to exploit vulnerabilities in legacy systems, and the opportunity to move laterally within supply chains.
“In many ways, healthcare organisations are easy pickings for hackers,” says Nick Barker, Technology and Cyber Practice Leader at Gallagher Specialty. “The industry is particularly susceptible to threat actors.”
Rise of politically motivated attacks: insurance perspective
The targeting of hospital and healthcare systems is one way for state and state-sponsored actors to inflict harm and mayhem upon their enemies without ever having to enter a physical battlefield. Even if healthcare firms are not the main target, organisations risk being caught in the crossfire, thanks to increasingly complex and interconnected digital supply chains.
The UK government warns there is a high likelihood of a cyber-attack on the health and social care system. The worst-case scenario, according to the risk assessment, would result in significant systemic service disruption, with widespread data loss and “immediate direct clinical care impacts”.
While the sector is improving its investment in and approach to cyber security, the threat of politically-motivated attacks targeting healthcare and other critical entities remains high in the current risk landscape. “The potential for state-on-state cyber-attacks is a big talking point in the insurance sector, especially given the current geopolitical environment,” Barker reveals.
Inevitably, the changing threat landscape is impacting cyber insurance coverage wordings and exclusions. As of March 2023, Lloyd’s of London has required all market policies to include a state-backed cyber-attack exclusion stating whether losses arising from a war (where the policy does not already carry a separate war exclusion) or from another state-backed campaign will be covered.
The intention is to provide greater clarity on attacks arising from explicit acts of cyber warfare and state-sponsored attacks. The challenge historically, with events such as NotPetya, has been proving which actors are ultimately responsible, and whether they have been directly funded by governments seeking to do harm.
As the insurance and reinsurance industry seeks to better understand and mitigate its exposure to systemic-type events, exclusions will continue to be interrogated and put to the test in legal rulings. Brokers, as part of the wider tripartite relationship, will remain a critical source of guidance on coverage and on losses arising from state-sponsored attacks.
A brief history of attacks on healthcare
Cyber-attacks on healthcare organisations are already all too familiar. They stretch back at least to 2017, when the now-infamous WannaCry attack affected as many as 70,000 digital devices used by the UK National Health Service (NHS), including computers, MRI scanners, refrigerators for blood and plasma, CT machines, intravenous pumps, and even operating-theatre equipment.
The ransomware attack was widely attributed to North Korean actors, targeting an unpatched vulnerability on computers running on Microsoft Windows operating systems. While the NHS was not a direct target, it ultimately cost the UK as much as GBP92 million and showed the potentially systemic nature of cyber events.
More recent attacks on UK healthcare show the sector remains vulnerable. In 2022 a ransomware attack hit an NHS service provider, taking down the NHS 111 non-emergency service, compromising patient data and disrupting systems for mental health services and emergency prescriptions.
And in June 2024, an attack on another third-party provider, Synnovis, caused the cancellation of 1,608 procedures and 8,349 outpatient appointments. The breach of Synnovis, which provides laboratory and diagnostic services to the NHS, cut off essential servers, causing days of disruption at several large London hospitals. NHS England also confirmed that large quantities of patient data had been stolen by a Russian cyber-criminal gang.
In the US, an attack on Change Healthcare, one of the largest health payment processing companies in the world, threatened patients’ access to care when it took place in February 2024. The organisation’s failure to implement multifactor authentication (MFA) protocols is one factor attributed to the breach.
The latest attacks show how vulnerable healthcare companies are, and how dependent they are on their third-party suppliers. It is an exposure that continues to grow as digital systems are outsourced and moved to the cloud. “A robust security posture is no longer enough with attackers shifting their focus to vulnerabilities across an organisation’s complex supply chain,” warns Nick Robinson, Consultant, Crisis and Security Strategy for Gallagher consultancy AnotherDay.
While it was not caused by a cyber-attack, a major IT outage in July shone a light on the dependencies in our highly-connected digital ecosystem. The outage, which impacted IT systems globally, affected hospitals and other healthcare providers. Many were unable to access patient records or make referrals, with non-urgent visits cancelled, surgeries rescheduled and doctors resorting to handwritten prescriptions. Lab results were delayed by an average of 62% compared to normal turnarounds.
Alongside the sector’s central role in society and its increasing attack surface, healthcare is in hackers’ sights because it can be seen to be behind the curve on cybersecurity.
“The level of cybersecurity maturity varies significantly across healthcare organisations,” Nick Barker says. “Front-line education has been pushed globally, but in the UK, if you looked at 30 healthcare organisations, you’d see 30 variations. But security improvements require time and money. There’s no flip-a-switch cure, so vulnerabilities remain while funding is allocated and spent, but end-of-life systems continue to operate.”
Governments and regulators are also on the back foot, but this is starting to change. In Europe, a legislative initiative to spur healthcare organisations into defensive action is the Critical Entities Resilience Directive. It sets out areas in which 11 sectors — including health — must strengthen their protective measures in the face of disasters including cyber-attacks. Each member state must adopt local law implementing the provisions of the Directive by October this year.
Building a proactive defence
Healthcare’s recent spate of disruptive cyber-attacks highlights the essential need for all organisations to dispense with legacy systems and adopt robust security controls, including:
- the imposition, entity-wide, of MFA, accompanied by training to ensure it is neither avoided nor disabled;
- a continuous cyber education programme, teaching and reinforcing best practice across the organisation through activities such as simulated phishing attacks;
- an IT-department fix: the implementation of endpoint detection and response (EDR) tools across 100% of the IT ecosystem. Such tools monitor for and defend against anything out of the ordinary;
- regular, comprehensive, air-gapped backups, and excellent back-up hygiene; and
- Privileged Access Management tools.
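The backup item in the list above is where ransomware actors concentrate their effort (the article notes 95% of attacks attempted to compromise backups), so it is worth seeing what "back-up hygiene" looks like as a check rather than a slogan. The following Python script is an added illustration, not Gallagher's or any vendor's tooling: it records a SHA-256 manifest for a backup set, then re-verifies the set later, reporting files that were altered or deleted and whether the backup is older than the policy allows. The file names, contents and policy values are constructed for the example; in practice the manifest would be written to the air-gapped copy, since a manifest that sits beside an online backup can be rewritten along with the data.

```python
"""Backup hygiene checks: integrity manifest, completeness and freshness.

Added illustration of the backup control discussed above; not the page's own
tooling. All paths, file contents and policy thresholds are constructed.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed policy values: a usable backup must be no older than a day.
BACKUP_MAX_AGE_SECONDS = 24 * 3600
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file so large imaging archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record a per-file SHA-256 and a creation timestamp at backup time.

    Store this manifest on the offline/air-gapped copy: an attacker who can
    encrypt the online backup can also rewrite a manifest kept next to it.
    """
    files = {
        p.name: sha256_file(p)
        for p in sorted(backup_dir.iterdir())
        if p.is_file() and p.name != MANIFEST_NAME
    }
    manifest = backup_dir / MANIFEST_NAME
    manifest.write_text(json.dumps({"created": time.time(), "files": files}, indent=2))
    return manifest


def verify_backup(backup_dir: Path, now: Optional[float] = None) -> dict:
    """Re-hash every file named in the manifest and report what no longer matches."""
    now = time.time() if now is None else now
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    findings = {"tampered": [], "missing": [], "stale": False}
    for name, expected in manifest["files"].items():
        candidate = backup_dir / name
        if not candidate.exists():
            findings["missing"].append(name)
        elif sha256_file(candidate) != expected:
            findings["tampered"].append(name)
    findings["stale"] = (now - manifest["created"]) > BACKUP_MAX_AGE_SECONDS
    return findings


def backup_usable(findings: dict) -> bool:
    """A backup is only worth relying on if nothing is altered, missing or stale."""
    return not (findings["tampered"] or findings["missing"] or findings["stale"])


def demo() -> dict:
    """Constructed scenario: a backup set is written, one file is overwritten and
    one deleted (what ransomware or silent corruption does to an online copy),
    and the set is verified two days later."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "patients.db").write_bytes(b"constructed sample: patient records")
        (backup / "imaging.tar").write_bytes(b"constructed sample: imaging archive")
        (backup / "ehr-config.json").write_bytes(b'{"constructed": true}')
        write_manifest(backup)
        (backup / "patients.db").write_bytes(b"ENCRYPTED")   # altered in place
        (backup / "imaging.tar").unlink()                      # deleted outright
        two_days_later = time.time() + 2 * BACKUP_MAX_AGE_SECONDS
        return verify_backup(backup, now=two_days_later)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("usable:", backup_usable(result))
```

Run on a schedule against each backup tier, the three findings map directly onto the questions an incident response plan has to answer before restoring: is the copy intact, is it complete, and is it recent enough to be worth the downtime of restoring it.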
Even with this armoury, attacks, at some point, are almost inevitable. After an attack, those organisations that have prepared in advance tend to recover quicker and fare far better than those without a tried and tested response plan. A comprehensive incident response and disaster recovery plan can therefore significantly boost resilience, if and when the worst happens.
In addition to our incident response services, Gallagher Specialty brokers and consultants play an essential role in ensuring healthcare clients have thought through all the potential scenarios, based on the latest threat intelligence, and have stress tested how their policies are likely to respond. Such exercises can help identify gaps in coverage and/or the need for more explicit wordings.
We work closely with clients to build a comprehensive picture of their organisation and its exposure, designing a bespoke cyber insurance solution. Risk transfer is one part of the overall solution, which also includes pre- and post-loss services, such as advice and assistance with cyber risk management and response team recommendations.
Gallagher Specialty’s risk assessments are guided by the latest claims data and cyber controls, which provide a detailed representation of each organisation’s cyber security posture and approach to risk management. Through this we can identify both strengths and weaknesses, offering guidance on where investment may be needed.
Given the deliberate targeting of digital supply chains, we continuously review Common Vulnerabilities and Exposures (CVEs) to identify known weaknesses in software, networks and systems that attackers may seek to exploit. These early warnings help us forewarn clients, getting them to install critical software patches and to check that network perimeters are secure through dynamic vulnerability scanning and pen testing.
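Turning a stream of advisories into a list of hosts that need patching means comparing each asset's installed version against the affected range, and the common mistake is comparing version strings lexically, which makes "4.9" sort after "4.10". The Python below is an added illustration of that matching step, not Gallagher's process or data: the advisories use placeholder identifiers rather than real CVE numbers, and the inventory is constructed for the example.

```python
"""Match a software inventory against vulnerability advisories.

Added illustration of the CVE-review step described above. The advisory ids
are placeholders, not real CVE numbers, and the inventory is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder label, not a real CVE number
    product: str
    affected_below: str   # every version strictly below this one is affected
    cvss: float           # constructed severity score used for ordering


# Constructed advisories for two hypothetical healthcare applications.
ADVISORIES = [
    Advisory("CVE-XXXX-0001 (placeholder)", "labportal", affected_below="4.10.0", cvss=9.8),
    Advisory("CVE-XXXX-0002 (placeholder)", "pacs-viewer", affected_below="2.3.5", cvss=7.5),
]

# Constructed inventory, as a scanner or CMDB export might present it.
INVENTORY = [
    {"host": "lab-web-01", "product": "labportal", "version": "4.9.2"},
    {"host": "lab-web-02", "product": "labportal", "version": "4.10.1"},
    {"host": "pacs-01", "product": "pacs-viewer", "version": "2.3.5"},
    {"host": "pacs-legacy", "product": "pacs-viewer", "version": "1.8.0"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'4.10.0' -> (4, 10, 0): tuples of ints compare numerically, so 4.9 < 4.10.
    A plain string comparison gets this wrong ('4.9.2' > '4.10.0' lexically)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(version: str, advisory: Advisory) -> bool:
    return parse_version(version) < parse_version(advisory.affected_below)


def find_exposures(inventory: List[dict], advisories: List[Advisory]) -> List[dict]:
    """Return one record per (host, advisory) match, highest severity first,
    so the patch list reads in the order the work should be done."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            if asset["product"] == adv.product and is_affected(asset["version"], adv):
                hits.append({
                    "host": asset["host"],
                    "product": asset["product"],
                    "installed": asset["version"],
                    "advisory": adv.advisory_id,
                    "cvss": adv.cvss,
                    "patch_to": adv.affected_below,
                })
    hits.sort(key=lambda h: -h["cvss"])
    return hits


if __name__ == "__main__":
    for hit in find_exposures(INVENTORY, ADVISORIES):
        print(f'{hit["host"]:12} {hit["product"]:12} {hit["installed"]:8} '
              f'-> patch to {hit["patch_to"]}  [{hit["advisory"]}, CVSS {hit["cvss"]}]')
```

With the constructed data, lab-web-01 is flagged because 4.9.2 is numerically below 4.10.0 even though it sorts above it as a string, and pacs-legacy is flagged as the second item; the two hosts already at or past the fixed version are left alone. Feeding a real advisory source and a real inventory into `find_exposures` is the only change needed to use the same logic in practice.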
Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.