Latest In Healthcare Management

A Silent and Emerging Threat: Ransomware

By Trevor Weyland

In the first quarter of 2016, we saw a large increase in ransomware attacks across the United States. According to the Federal Bureau of Investigation, victims of ransomware paid $209 million in ransom in the first three months of this year alone — more than 10 times the
amount paid in all of 2015.

Ransomware is a type of malicious software that infects a computer and then holds the data hostage by encrypting the files until victims pay to have them unlocked. Ransomware isn’t new — criminals have long sought to extort payment from victims. It is often spread in one
of three ways — through phishing emails that include malicious attachments, through a user visiting a website from which malware is downloaded without the user’s knowledge, and through social media applications.

The consequences of ransomware include (temporary) loss of access to data, disruption of normal business activities and loss of revenue, as well as the costs of restoring data/files, paying the ransom and damage to reputation.

Ransomware in Healthcare

In February 2016, Hollywood Presbyterian Medical Center in Los Angeles reported paying the bitcoin equivalent of $17,000 to cyber criminals after patient and doctor records were locked, forcing the hospital to work with paper records and divert some patients to other hospitals.

“The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.”

—Allen Stefanek, Chief Executive Officer
Hollywood Presbyterian Medical Center
[Los Angeles Times, February 16, 2016]

In March of this year, Methodist Hospital in Henderson, Kentucky, was attacked by ransomware that limited the hospital’s use of its electronic web-based services. The hospital was able to activate its backup systems and continued to operate, without paying a ransom.

Also in March, MedStar Health, in Columbia, Maryland, shut down its computer networks to stop the spread of malware. There were reports that the malware was actually ransomware and that the demand was the equivalent of $19,000 in bitcoins.

Additionally, the Los Angeles County Health Department recently reported to the Los Angeles district attorney and county chief information officer that they found traces of ransomware on five of its computers.

Response

These incidents are becoming increasingly common, and healthcare organizations have begun to analyze their security and response plans accordingly.

Although various federal and state laws require healthcare organizations and their business associates to provide notification following a breach of unsecured protected health information (PHI), there is currently no requirement to provide notification of a ransomware attack. The U.S. government discourages individuals and organizations from paying the ransom (since this does not guarantee that files will be released) and requests that cases of fraud be reported to the FBI.

Coverage Considerations

These ransomware examples are situations where the insured is being threatened with a breach of their security that will result in a denial of access to systems and data, damage or deletion of data, theft of data, or the interruption or suspension of their computer systems.
So, what can a business do to help mitigate the threat? This “cyber extortion” can be addressed by both security/privacy (cyber) insurance and kidnap and ransom policies.

Security/Privacy (Cyber) Insurance

A cyber insurance policy contains several insuring agreements; the core insuring agreements address computer network security (information security) liability, privacy liability, regulatory defense costs and associated penalties, media liability and the first-party costs of responding to a breach (costs of forensic and legal advice, notification expenses, credit monitoring). Other insuring clauses may address first-party (the insured’s) business interruption loss, the costs of restoring lost data and, typically, cyber extortion costs.

If the healthcare entity’s cyber policy includes coverage for cyber extortion, the policy will respond to threats to damage, alter, destroy or render unusable data, or to insert malicious code into the computer system. However, without the specific insuring agreement, most policies will not typically cover threats to physically harm (or kidnap) any person nor to bodily injury resulting from the impact of ransomware/malware. The cyber extortion coverage is specifically designed to cover payments to terminate the threat (and the fees of security consultants), as opposed to compensation for bodily injury or financial loss.

Kidnap and Ransom Insurance

The healthcare entity’s kidnap and ransom policy may include extortion as an insured event, to cover a threat to the entity or an insured person (by someone who demands a ransom not to carry out the threat), to kill or injure an insured person, and also the threat to damage, alter, destroy or render unusable your data or to insert malicious code into the computer system.

This differs from the cyber extortion coverage in a cyber policy, which as discussed above, does not typically cover bodily injury, because the kidnap and ransom policy covers the ransom payment, legal liability of the organization arising out of the extortion (including bodily injury), and specific payments for death, dismemberment or disability of the insured person.

Existence of Coverage Must be Kept Confidential

Kidnap and ransom policies and the cyber extortion coverage in a cyber policy typically require that the insured not publicize the existence of the coverage.

Demands that Require Payment in Bitcoins

Many ransomware attackers are demanding payment in bitcoins, a crypto-currency that is not governed by a central authority, and is anonymous and difficult to track — which is what makes it attractive to criminals. Cyber and kidnap and ransom policies typically refer to
making ransom payment in terms of money, cash, marketable goods, property or securities, but the base policy forms have not yet been updated to specifically refer to bitcoins or crypto-currencies.

Are Cyber or Kidnap and Ransom Policies the Correct Form to Insure this Risk?

Coverage solutions can be found in both cyber and kidnap and ransom policies to address the cyber extortion threat presented by a ransomware demand.

Consider the following when making a decision as to which coverages to obtain insurance for this exposure:

1. Which policy is better suited to meet the insured’s needs, particularly in terms of any exposure to bodily injury?

2. Which policy will provide a limit that is adequate for your risk?

3. What is covered under other insurance clauses, if more than once policy offers cyber extortion coverage?

4. Will the policy cover ransom paid in bitcoins?

The kidnap & ransom policy can have a couple of distinct advantages over a cyber policy in that the retention is typically $nil and there is immediate access to crisis management consultants through the policy’s 24 hour hotline.

About The Author

Trevor Weyland is an Area Senior Vice President in the Western Region specializing in executive and management liability issues with cyber expertise for Arthur J. Gallagher & Co.’s Healthcare Practice. This practice focuses on providing insurance and risk management solutions to meet the unique needs of healthcare providers and facilities across the continuum
of care.