In a recent Client Advisory, USI’s Executive and Professional Risk Solutions (EPS) team discusses a recent Joint Cybersecurity Advisory, co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) regarding targeted Ransomware attacks against healthcare firms.
Healthcare has the highest average Cyber and Privacy event cost of all business classes, with an average cost of $7.1M — and now, the industry is being specifically targeted with Ransomware attacks. Ransomware is malware that can block access to, steal or destroy all or part of a victim’s network unless a ransom is paid. Ransomware attacks and costs are increasing rapidly. In the US, there has been a 98% jump in average daily attacks reported in Q3 2020 and average Ransomware event cost has exploded to $4.44 million in 2H 2020.
On October 30th, the FBI issued a warning for the Healthcare sector that a group of attackers using specific ransomware (Trickbot and Ryuk) had initiated attacks against US hospitals and healthcare providers beginning in late October. The FBI advisory, along with critical technical update data, can be found at the link below:
Ransomware Activity Targeting the Healthcare and Public Health Sector
Anonymous sources with knowledge of matters behind the joint task force advisory report that up to twenty mid- and large-size healthcare providers had been hit with Ransomware attacks by late October. The FBI advisory indicates that Ransomware attacks targeting healthcare-focused organizations are likely to increase in the near term.
Healthcare ransomware victims face losses that can go well beyond the cost of a ransom payment. With business interrupted, providers may lose revenue and may face regulatory penalties from local, state and federal authorities, payment card companies and other groups. They may face liability claims from various third parties in a Cyber Event – an evolving area of risk. Healthcare ransomware risk is multifaceted, and its costs extend much farther than a one-time ransom payment.
Thankfully, there are ways that healthcare organizations can seek to mitigate their Ransomware risk. The Cybersecurity Advisory joint task force recommendations include:
All organizations are at increasing risk of more sophisticated and more disruptive Ransomware. However, given the Joint Task Force’s Cybersecurity Advisory, Healthcare and related organizations may wish to push Ransomware preparedness to the forefront of their Cyber risk management strategy. Contact us to learn more about protecting your organization against cyber threats.
With massive data breaches at organizations such as Target, Dairy Queen, and JPMorgan, businesses are becoming more aware of the threat of hackers and external threats to their data. And while it’s important to protect yourself from such exposures, history has shown that the real enemy lies within our own companies. Don’t believe it?
What should you do to prevent a cyber attack and what should you do if it happens to your business?
One of the most valuable lessons is simply a greater awareness and respect for this type of threat. Many business owners and executives do not fully understand the risk or have the it-won't-happen-to-me syndrome. As a result, they don’t do enough to prevent cyber crimes. Businesses should establish a disaster recovery plan so they are prepared if they do experience a significant loss — and, if still necessary, protect themselves with insurance coverage.