Opinion: Cyberattacks continue to pose a significant risk to health services

By Chris Gamber, assistant vice president, healthcare, at CNA Hardy.

Cyberattacks continue to pose a significant risk to health services as cyber criminals regard the health sector as a lucrative target. A recent Trustwave report stated that health records could be worth over 46 times as much as the next most valuable data source (a payment card).

Exposing cyber vulnerabilities in the healthcare sector

The notorious 2017 WannaCry ransomware attack devastated the NHS when the malicious software spread through the world’s computer systems thanks to a Microsoft Windows vulnerability, infecting more than 200,000 machines in 150 countries.

This, the largest ransomware attack to date, affected organisations including the NHS, Spain’s Telefonica, FedEx in the US, German railway company Deutsche Bahn and LATAM Airlines. It cost the UK £92m and incurred global costs of £6bn. The attack brought the NHS to a standstill for several days, affecting hospitals, medical equipment, and GP surgeries, and resulted in thousands of cancelled operations and appointments.

More recently, there was a major outage in August this year in the NHS IT system Adastra. This Advanced software system, impacting around 40 million patients, enables clinicians to record information about an episode of care and send details to the patient’s GP. The ransomware attack on multiple health and care systems provided by Advanced caused disruption for both public and private healthcare providers, including 85% of NHS 111 services.

The Adastra and WannaCry attacks show just how vulnerable the NHS continues to be to cyberattacks. The UK Government’s Cyber Security Breaches Survey 2022 found that in the previous 12 months, 39% of UK businesses identified a cyberattack.

The survey also found that enhanced cyber security leads to higher identification of attacks, but the NHS has been criticised for using outdated IT systems, which are more vulnerable. In 2020, BBC News reported that staff need to log into 15 different systems to do their jobs. Last year, nurses complained that NHS systems were slow, outdated and unreliable, according to the Royal College of Nursing.

Cyber incidents – the hidden risk your medical malpractice policy might not cover

However, there is often a lack of understanding about what cyber policies actually cover in the event of a cyberattack on the NHS – and how this could also impact private health providers.

We don’t insure the NHS – it is indemnified by the Government – however, we do insure the private sector, which is equally vulnerable to devastating cyberattacks, as many providers use the same IT systems employed by the NHS, such as Adastra. So, while the initial target of the recent Adastra cyberattack might have been the NHS, any private healthcare provider using the same system also experienced major disruption, having to take the system offline and revert to paper-based administration for several weeks.

Without these specialist systems in place, the risk of human error increases. Should a key diagnosis be missed or prompt treatment not be arranged for time-critical patients, the insured could be exposed to potential medical malpractice claims for bodily injury and/or mental anguish. However, policies don’t always cover this.

Insureds should check whether they are covered for medical malpractice claims that occur as a direct result of a cyber incident, including medical records going astray, missed diagnoses, failure to treat, and lack of systems. This is separate to cyber coverage, which insures losses that arise directly from the cyber incident itself, such as business interruption.

The role of the insurance industry in educating insureds

It is the role of the insurance industry, insurers and brokers alike, to inform insureds of the potential risks they face and provide guidance on the cover they should purchase to ensure their business is protected, as insureds may not realise that they could have a gap in coverage.

Following the recent Adastra cyberattack, very few of our clients raised queries about the potential impact of this incident, suggesting this is not an issue on most insureds’ radar.

Cyberattacks not only endanger day-to-day business operations and patient safety, but also expose insureds to medical malpractice suits and bodily injury claims, so it is vital that insureds are aware of this ‘hidden’ cyber risk that their medical malpractice policy may not cover, and purchase the appropriate policy to mitigate this exposure.
