In healthcare, the number of people affected by a data breach has tripled since 2018. “This is primarily because healthcare attackers get all the pieces of information they want in one place,” says Aaron Woods with Dynamic Quest. Data handled at most healthcare entities includes not only credit card numbers but also email addresses, dates of birth, social security numbers, insurance information, and health information.
With this explosive rise in attacks, insurers that provide cyber insurance have become more cautious and thorough in their renewal requirements. 2022 renewal applications ask applicants many more questions about their system security protocols than in previous years. In fact, according to Woods, clients have to answer “no” to nearly 80 percent of the questions.
The two big reasons for being denied during the annual renewal are a lack of user awareness training, which involves unscheduled simulated phishing attacks on employees, and a lack of multifactor authentication (MFA).
MFA requires users to verify their identity in at least two forms to gain access to data or a workstation, which generally involves entering a password and then a code that is sent to their phone.
“MFA is pretty easy to implement and it’s free,” Woods says. “However, many healthcare professionals resent the time it takes for the extra step throughout their day, so clinics put off installing it. But insurance companies know that if you’re doing MFA, the chance of you getting breached is less than one percent.
“Three weeks ago, a salesperson at a client that had not implemented MFA got hacked through his mailbox. The malware forwarded every email to the attacker. The hacker then generated a fake email impersonating a vendor, asking for their payment of $330,000 to be wired to their new bank, and the salesperson did.”
Knowing the reliable protection that one extra step adds, cyber insurance renewals have become adamant about MFA being used for specific accounts. “If cyber insurance does not renew, most all the time it’s because of questions about MFA on privileged accounts,” Woods says. These accounts require administrative-level credentials to access. Larger entities are often expected to invest in software that specifically tracks those accounts and auto-generates new passwords on a weekly or daily basis.
Woods knew of one healthcare entity that needed to implement MFA along with higher-end scanning of their internal software and an intrusion-prevention device that uses artificial intelligence to shut down traffic automatically, but they refused because of the price. They got hacked, and it closed them down for four days. “They still didn’t sign off on what they needed,” Woods says. “Unfortunately, six weeks later, they got hit again by the same group. After that, they made the changes. They have been running that same security for three years and not had any issues.”
The area where healthcare most regularly falls short of its cyber insurance requirements relates to third-party vendors. Specialty practices are especially vulnerable because they run hosts of state-of-the-art devices, such as imaging and monitoring equipment, that tap into their network to integrate with their EHR. Vendors for that equipment regularly require access to the network to support their software and perform upgrades. “We see time and again, where clinics give them unattended access to get into the system without disabling vendor accounts when they’re finished. There should be no open-door access,” Woods says. “And business associate agreements do not compensate for security measures when it comes to gaining cyber insurance coverage.”
Woods says there is no reason to think the trend in escalating cyber attacks will lessen. “This has been the story for the last five years,” he says. “You think you’re not going to get hit, but essentially everybody has probably been exposed and just not known it.”
As a result, cyber insurance requirements will continue to become more stringent. Hackers now burrow in behind the scenes looking for the cache of data and spend months not doing anything malicious. Then they forklift all the accounting data and medical records through legitimate software used in everyday tasks, like email, and sell the data. “That can be stopped with good internal auditing software that monitors activity on the network. It would trigger an investigation of that data movement,” Woods says.
With the goldmine of data now available through healthcare facilities, cyber insurers are shifting their security requirements ever closer to the level of the banking industry. “Healthcare data demands the highest prices on the dark web,” Woods says.