With health insurers handling huge volumes of sensitive personal data daily, it’s no wonder malicious actors target the industry for its valuable data-rich healthcare records – worth more than 10 times a credit card on the black market.
Compliance with the U.K. DPA and GDPR threaten health insurers businesses due to heavy penalties from the FCA and ICO combined for major information security breaches such as the loss of large datasets of personal information.
Firstly, every health insurer now needs to fully understand how vulnerable from data breaches all of its data is due to external cyber-attacks, its own staff and third parties it depends on to process its information.
Secondly, it must apply appropriate defences capable of preventing or containing the damage when a breach occurs by establishing effective risk management to identify the exposure and choose the right technical controls to deal with them.
Finally, it needs to ensure it has the right cyber insurance package in place to cover the potential losses.
Find out more about the key considerations for information security for Health Insurers.
Cyber Protection
Cyber Hygiene
Good basic cyber hygiene (such as incorporating the UK NCSC recommended Cyber Essentials since 2014) is an excellent standard adopted by many organisations as a basic strategy to reduce cyber risk along with adequate cyber insurance and meet regulatory demands, but considering the higher risk of cyber attack they face, health insurance organisations need to go further and take a more dynamic and analytical approach to cyber hygiene to protect their own business and understand how best to support clients in doing the same.
The whole healthcare industry has widely been reported to have deficits in cyber hygiene as a report from Grand View Research reveals: “The healthcare end users are very vulnerable to cyber warfare, due to bureaucratic hierarchy structure, lack of comprehensive network security policy, low investments in IT, employee engagement and education on cyber crime issues.” Such deficits are also apparent in the U.K. public health sector, who as a result of a number of NHS patient data breaches caused as a result of trusting data with third-parties lacking adequate cyber hygiene are now mandating that third parties have the necessary cyber hygiene before exchanging information with them.
Read our case study, which outlines how we continue to support a health insurance provider by implementing our supplier management reviews.
Cyber Risk Insurance
Healthcare insurance providers take out cyber risk insurance themselves, but beyond ensuring their own cyber defences provide adequate protection to avoid being a third-party supplier risk to their clients, cyber insurance companies have a business need to understand the cyber risk faced by healthcare insurers to effectively protect their end customers and mutual reputations by having the right package in place.
Underwriters need expert assistance in advanced cyber risk analytics to offer compelling packages to their clients with the right premium attached to make optimal profit margins, model security posture of applicants and insureds to generate leads, and overcome negotiation obstacles by confidently clarifying the likelihood of a cyber event and the cost impact.
Brokers need expert cyber insight and data to strengthen negotiations, identify target customers, illustrate loss/potential loss for clients, gauge their exposure within insurance towers and overcome negotiation obstacles by confidently clarifying the likelihood of a cyber event and the cost impact.
Cyber Threats
Technical Cyber Attack (Ransomeware & Cryptojacking)
Infamous ransomware attacks (such as Wannacry in 2017) have had huge consequences, resulting in this type of cyber attack becoming the most feared in the healthcare sector even today. Subsequently, the industry has invested money to improve its defences against ransomware to good effect as various recent reports show, however new forms of cyber attacks have taken their place, and now cryptojacking is predicted to pose the greatest overall threat in 2019 according to industry reports (such as Grand View** and Skybox***).
End clients of healthcare insurance (principally companies which provide healthcare as part of their benefits packages) are generally less concerned with ransomware in 2019 (which delivers rewards only if the ransom is paid, which is not guaranteed, and can only be triggered once before being detected) and more concerned with cryptojacking (where smaller amounts are extorted, however the income is guaranteed when an attack is successful and far more attacks can be made without detection for long periods of time).
Social Engineering Cyber Attack (Phishing)
Healthcare insurers (like any other supplier) form a third-party risk to their end clients since a lot of the employee information end clients trust them can be used to gain information that can be used to target key personnel in the organisation, since a breach affecting all employees data greatly increases the opportunity for cyber criminals to launch targeted social engineering attacks (such as ‘spear-phishing’).
This situation underlines the business need for healthcare insurers to support their end clients risk reduction by strategically embedding cyber hygiene as a proactive ongoing process into their operations rather than approach it as a tactical ‘one-off’ solution, left to fix only after the risk becomes extreme.
A tactical approach to cyber defence is only effective for as long as the threat landscape stays the same (so once it changes, the investment in protection is lost), and suffers from logistical problems of needing to gear-up staff or engage cyber professionals at a time where everybody else needs them, resulting in higher supplier costs or difficulties due to supply-and-demand shortfalls.
Data loss due to internal staff and suppliers
While a lot of reported data breaches and cyber incidents have focussed on malicious attacks from external hackers, many losses are in fact due to non-deliberate actions carried out by staff with poor cyber and general information security awareness (e.g. infection from malware contained in emails, or leaving paper files unprotected) and lack of procedures for them to follow. Some basic training and simple technical controls can prevent such occurrences.
The same goes for third parties, since regardless of how good the defences are in your own organisation, if the third party you trust to process your information does not carry out the equivalent or higher level of protection you are indirectly at risk – and your organisation often remains liable to fines from the ICO if its data is breached entirely a result of the (formerly) trusted third parties negligence. Conversely, if you are the third party and cannot provide the required level of data protection to current or prospective clients and healthcare providers, then you are liable to lose business as a result.
Conclusion
Health insurers and Cyber risk insurers typically cannot afford or justify the cost of maintaining their own full-time in-house cyber expertise to keep on top of the changing landscape strategically, since it is not part of their core business objectives : nevertheless, regulation and customer focus on removing third-party risks demand that adequate protection is put in place and evidenced.
Thus, meeting the requirements to ensure the supply chain end the end clients are satisfied with the cover to meet their statutory and regulatory requirements around cyber risk requires health insurers to partner with Cyber Security Consultants to provide both the necessary security technical and analytical expertise to advise on the specific threats their own and their client organisations face.
Optimising IT has been helping health insurers by putting in place robust, on-going cyber-security strategies tailored to the industry’s cyber-threats. We provide our independent Cyber Fit service consisting of cyber assessments, resulting in a detailed breakdown of vulnerabilities and actionable improvements.
With the Top 3 issues for the ICO including Cyber Resilience, Suppliers and Change Managing Data Assets, we can also conduct a Supplier Cyber-Security Review designed to identify weak links in supply chains, especially when Supplier Management is also a key focus for the FCA in 2019. Get in touch today to discuss how you can manage and reduce your cyber-security risk.
Author: Graham Clements, Certified Information Systems Security Professional (CISSP), Senior Cyber-Security Consultant at Optimising IT.
Sources: * PRA Rulebook: CRR Firms: Internal Governance Instrument 2017 – 2.1A A firm’s risk management procedures must include effective procedures for risk assessment.” ** Grand View Research. *** Skybox.
