Written by Mark Stenmark, MHSA, FACMPE

photo of Mark Stenmark

About the Author
Mark Stenmark serves as the national property and casualty (P&C) leader for Vizient Insurance Services. He is responsible for strategy, product development, sales, marketing, P&L, contract negotiations and the maintenance of multi-year B2B relationships with national insurance carriers and P&C broker partners.

During 2020, hospitals and health systems across the nation were under siege by cyber criminals and bad actors attacking vital community institutions with malware to gain profit and cause harm. Paid cyber ransoms averaged six figure amounts, according to a report by Tokyo Marine, with some paid ransoms into the millions of dollars. Insurance Business America in its Special Cyber Insurance Report noted the average U.S. health care cyber breach cost $7.13 million last year. The damage is compounded by losses due to ongoing data exfiltration, business interruption, lost data privacy, required purchases of new IT equipment, inherent brand damage and a host of other liabilities that are accrued. We fully expect that in 2021, ransomware will continue to be a threat and a burden.

If you look at claims data for cyber security breaches, you will spot recurring themes. Human error. Intentional, criminal acts. Inadequate risk mitigation policies and procedures. Limited quantification of risk. Lack of funding for necessary infrastructure and services. Most experts will agree that you cannot 100% harden an organization against cyber threats. It is a constantly changing threat landscape. At Vizient, we recommend you pick a percentage that is attainable — 85%-90% — and act. Take care of the fundamental “blocking and tackling.” Absolutely work to close the gap but be judicious and targeted with how you fund strategies on your journey to perfection. As most leaders have experienced, the journey gets very expensive.

Where to Begin
  1. Assemble your internal and external experts to develop a cyber security strategy and roadmap to success.
    Your internal group should include the CEO, CFO, COO, CIO, CISO, IT leader, CMO, risk manager, cyber liability policy decision-makers. The external group should include a property and casualty (P&C) insurance broker, cyber liability carrier and a cyber security consultant. One of the most challenging things to accomplish is a fulsome, comprehensive assessment of risks. Every cyber security plan is different. Every organization has different IT architecture, budgets, skills sets, personnel, physical structures, security gaps and vulnerabilities. It is a custom job.

  2. Purchase a stand-alone cyber liability and breach response policy.
    Know your policy in specific detail. Focus on prevention services, incidence response and business continuity plans. Your policy includes operational structures and financial indemnification for your organization before, during and after a breach. Work with your broker and carrier very closely to make sure you have the insurance coverage you need. We recommend choosing a cyber liability and breach response carrier that has its own cyber security consulting firm. This combination will create a powerful force multiplier effect, allowing you to fully integrate your cyber security strategy, breach preparation, incidence response and remediation.

  3. Hire an outside consultant to help develop a cyber strategy.
    They should bring assessment tools and solutions to address cyber security challenges and help you stay in compliance with current federal and state mandates and requirements. Hire someone to monitor all system endpoints, 24/7. This serves as an early detection, early warning of an attempted or perhaps successful intrusion. Considering the alternatives and the value of early detection, it is well worth the investment.

  4. Address unforced human error.
    While deliberate criminal acts by cyber hackers is a rapidly growing percentage of cyber breaches, there remains a significant percentage of breaches that are the result of health care organization employees. Ramp up your organization’s efforts to help staff understand their role in risk mitigation through education and phishing training. Criminals are preying on human curiosity and lack of attention to detail. Teach. Educate. Drill. Continued infractions or failure to perform to standards should be addressed as a human resources matter. Help your team do their part and achieve success keeping your organization safe.

  5. Identify and implement baseline requirements for system security.
    There are many factors that go into cyber security and cyber risk exposure and your IT team can help. This will include policies and procedures, IT infrastructure, system maintenance and testing, patching, offline backups, enterprise cloud solutions, network segmentation, encryption, multi-factor authentication and implementation of next-gen anti-virus products. Make a checklist of key processes that you expect to be managed 100% of the time and demand consistency in performance.

It’s been a tough year. COVID-19 has strained and stretched the nation’s hospitals, and it is an abomination that on top of everything else hospitals are managing right now, they must also focus attention and resources to defeat cybercrime before it victimizes organizations. But as hospitals work to help their communities and employees stay safe and healthy during this pandemic, they must also work for the safety and security of the organization’s systems and technologies. The threat is growing, and the stakes are high. We all need to remain vigilant, with a long-game mindset to defeat this scourge.

The good news is that there are people, processes and technology that can help protect hospitals and help them respond in the event of an attack. Vizient Insurance Services was founded in 2015 to help organizations meet the challenges of risk mitigation and increasing costs. We are alarmed by the recent growth of ransomware in health care and decided to produce a series of articles to stimulate conversations and ongoing dialog. Our aim is to help organizations address their vulnerabilities and gaps in their cyber security strategy. One thing we know for certain, when health care leaders decide to take on a challenge, it will eventually be defeated. We believe ransomware deserves attention.

We hope this article results in crucial conversations at your organization on the topic of cyber security and specifically on the prevention of ransomware events at your organization. To continue the discussion, contact Vizient.

This sponsored section is underwritten by THA Member Solutions. Vizient is endorsed by the Texas Hospital Association. For more information, visit www.vizientinc.com.