Post on 14-Mar-2018
Aon Risk Solutions | Global Sales & Marketing Support | Proprietary & Confidential
Cyber Risk for Healthcare Industry
Date: 22nd Dec 2015
Table of contents
Cyber risk in healthcare industry, p. 3
Data breach statistics, pp. 4-5
Claims by business sectors, pp. 6-8
Major penalties & fines, p. 9
HIPAA violations & fines, pp. 10-11
Cyber risk for M & A deals, p. 12
Cyber risk and D & O, p. 13
Cyber liability: purchase & retention, p. 14
Cyber liability: adequacy & effectiveness, p. 15
Cyber liability: limits, p. 16
Healthcare industry seems to be highly prone to cyber risk
The healthcare industry primarily comprises hospitals, clinics, university-aided hospitals, Government-aided hospitals, third-party service providers, healthcare homes etc.
According to the ‘Breach Level Index’ database, the healthcare industry accounted for about 34% of data breaches reported around the world across all industries during the year 2015.
Ponemon Institute, a security research & consulting firm, conducted a study and found that around 90% of healthcare providers in the US had data breaches in 2013 and 2014, and half of these incidents were of a suspicious nature.
An average data breach would cost a hospital in the US a whopping $2.1 million according to research conducted by the ‘Ponemon Institute’.
According to a study by ‘Accenture’, the failure to make cyber risk a strategic priority may cost healthcare providers about $305 billion worth of lifetime revenue over the next 5 years.
Chart: Top global data breaches reported by industry, 2015: Healthcare 34%, Government 22%, Technology 16%, Others 15%, Retail 8%, Education 5%.
According to the ‘U.S. Department of Health and Human Services Office for Civil Rights’, almost 1.6 million people in the US had their medical information stolen or compromised from healthcare providers during the year 2014.
Healthcare providers in USA & Canada have witnessed massive data breaches in 2015
Major healthcare data breaches in the world during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Jan-15 | Anthem Insurance Companies (Anthem Blue Cross) | USA | 78,800,000 | Identity Theft | State Sponsored |
| Jul-15 | Korea Pharmaceutical Information Center | Korea | 43,000,000 | Identity Theft | Malicious Insider |
| Jul-15 | UCLA Health System | USA | 4,500,000 | Identity Theft | Malicious Outsider |
| May-15 | Medical Informatics Engineering & others | USA | 3,900,000 | Identity Theft | Malicious Outsider |
| Mar-15 | Virginia Dept. of Medical Assistance | USA | 697,586 | Identity Theft | Malicious Outsider |
Major healthcare data breaches in USA during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Jan-15 | Anthem Insurance Companies (Anthem Blue Cross) | USA | 78,800,000 | Identity Theft | State Sponsored |
| Jul-15 | UCLA Health System | USA | 4,500,000 | Identity Theft | Malicious Outsider |
| May-15 | Medical Informatics Engineering & others | USA | 3,900,000 | Identity Theft | Malicious Outsider |
| Mar-15 | Virginia Dept. of Medical Assistance | USA | 697,586 | Identity Theft | Malicious Outsider |
| Mar-15 | Career Education Corp | USA | 151,626 | Identity Theft | Malicious Outsider |
Major healthcare data breaches in Canada during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Oct-15 | Rouge Valley Hospital | Canada | 12,595 | Identity Theft | Malicious Insider |
| Jun-15 | Eastern Health | Canada | 9,000 | Identity Theft | Accidental Loss |
| Jul-15 | Saskatchewan Cancer Agency | Canada | 900 | Identity Theft | Malicious Insider |
| Feb-15 | Ontario Welfare & Disability Recipients | Canada | 720 | Identity Theft | Accidental Loss |
| Jun-15 | Horizon Health | Canada | 158 | Identity Theft | Malicious Insider |
Healthcare providers in UK & Australia have witnessed multiple data breaches in 2015
Major healthcare data breaches in United Kingdom during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Oct-15 | Pharmacy2U | UK | 100,000 | Nuisance | Malicious Insider |
| Oct-15 | MS Society | UK | 25,000 | Nuisance | Malicious Outsider |
| Jul-15 | Aberdeen Royal Infirmary | UK | 8,100 | Identity Theft | Accidental Loss |
| May-15 | East Sussex NHS Trust/Conquest Hospital | UK | 3,634 | Identity Theft | Accidental Loss |
| Jan-15 | The 56 Dean Street Clinic | UK | 780 | Identity Theft | Accidental Loss |
Major healthcare data breaches in Australia during the year 2015

| Month/Year | Company/Organization affected | Country | # of Records Breached | Type of Breach | Source of Breach |
|---|---|---|---|---|---|
| Jul-15 | Medvet Laboratories | Australia | 800 | Identity Theft | Accidental Loss |
| Mar-15 | Holyoake | Australia | 27 | Identity Theft | Malicious Outsider |
| Mar-15 | Lyell McEwin Hospital | Australia | 3 | Identity Theft | Accidental Loss |
| Jan-15 | Harrington Park Medical Center & others | Australia | NA | Identity Theft | Malicious Outsider |
Respondents from the healthcare industry witnessed highest number of claims
NetDiligence conducts a study of cyber liability claims every year to ascertain the impact of cyber liability by industry, company size etc.
The healthcare industry witnessed the highest number of claims vis-à-vis other industries and accounted for 21% of the total in the year 2015. Financial services accounted for 17% of the total number of claims for the year 2015.
The healthcare industry also witnessed the highest number of claims vis-à-vis other industries in the year 2014, accounting for 23% of the total. Financial services accounted for 22% of the total number of claims for the year 2014.
Chart: NetDiligence study - percentage claims by business sectors, 2015: Healthcare 21%, Financial Services 17%, Retail 13%, Technology 9%, Professional Services 8%, Non-Profit 4%, Other Industries 28%.
Chart: NetDiligence study - percentage claims by business sectors, 2014: Healthcare 23%, Financial Services 22%, Professional Services 10%, Retail 10%, Non-Profit 9%, Other Industries 26%.
Insiders caused about 1/3rd of claims and healthcare was the most affected industry
According to the study by NetDiligence, about 30% of the total respondents (total sample size: 160) attributed claim events to insiders, i.e. employees of the companies/organizations.
More than 67% of the total claims attributable to insiders were unintentional. The remaining 33% of the claims were caused by employees who purposefully caused claim events.
The healthcare industry witnessed the highest number of claims caused by unintentional insiders, followed by the financial services and technology industries.
The healthcare & financial services industries witnessed the highest number of claims caused by malicious insiders.
Chart: NetDiligence study - unintentional involvement of insiders in claims by business sectors, 2015: Healthcare 38%, Financial Services 18%, Technology 15%, Other Industries 29%.
Chart: NetDiligence study - malicious insider involvement in claims by business sectors, 2015: Healthcare 29%, Financial Services 29%, Hospitality 12%, Professional Services 12%, Restaurant 12%, Other Industries 6%.
Healthcare and financial services industries reported the most data breaches originating from third-party vendors
According to the study by NetDiligence, about 25% of the total respondents (total sample size: 160) attributed claim events to third parties for the year 2015.
The financial services industry was the most affected sector (accounting for 30% of total claim incidents) and the healthcare industry accounted for 13% of total claim incidents for the year 2015.
According to the study by NetDiligence, about 20% of the total respondents (total sample size: 111) attributed claim events to third parties for the year 2014.
The financial services industry was the most affected sector (accounting for 32% of total claim incidents) and the healthcare industry accounted for 18% of total claim incidents for the year 2014.
Chart: NetDiligence study - third party breaches induced claims by business sectors, 2015: Financial Services 30%, Retail 18%, Technology 18%, Healthcare 13%, Energy 10%, Other Industries 11%.
Chart: NetDiligence study - third party breaches induced claims by business sectors, 2014: Financial Services 32%, Healthcare 18%, Professional Services 14%, Education 9%, Technology 9%, Other Industries 18%.
Many healthcare companies in the US have paid massive fines & penalties for violations of cyber security regulations & guidelines
Recent Major Regulation Breaches & Fines in North America

| Entity Fined | Fine | Violation |
|---|---|---|
| CIGNET | $4,300,000 | Online database application error. |
| Triple-S Management Corporation | $3,500,000 | Unsecured protected health information (PHI). |
| New York and Presbyterian Hospital | $3,300,000 | Failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. |
| Alaska Department of Health and Human Services | $1,700,000 | Unencrypted USB hard drive stolen, poor policies and risk analysis. |
| WellPoint | $1,700,000 | Failure to have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a technical evaluation in response to a software upgrade. |
| Columbia University | $1,500,000 | Failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. |
| Blue Cross Blue Shield of Tennessee | $1,500,000 | 57 unencrypted hard drives stolen. |
| Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates | $1,500,000 | Unencrypted laptop stolen, poor risk analysis, policies. |
| Affinity Health Plan | $1,215,780 | Returned photocopiers without erasing the hard drives. |
| Parkview Health System, Inc. | $800,000 | Medical records dumping case. |
| Cancer Care Group, P.C. | $750,000 | Breach of unsecured electronic protected health information (ePHI) after a laptop bag was stolen from an employee’s car. |
| South Shore Hospital | $750,000 | Backup tapes went missing on the way to a contractor. |
| Idaho State University | $400,000 | Breach of unsecured ePHI. |
| Shasta Regional Medical Center | $275,000 | Inadequate safeguarding of PHI from impermissible uses and disclosures. |
| Phoenix Cardiac Surgery | $100,000 | Internet calendar, poor policies, training. |
| The Hospice of Northern Idaho | $50,000 | Breach of unsecured ePHI. Unencrypted laptop stolen, no risk analysis. |
HIPAA obligates healthcare providers to comply with the guidelines prescribed
The Health Insurance Portability and Accountability Act (HIPAA) obligates all healthcare providers to ensure that all mandated physical, network and process security procedures are observed.
Examples of HIPAA violations include:
1. Violations of unwilling negligence, including:
Improper patient verification.
Failure to dispose of patient records securely.
Failure to discuss patient information in a private setting.
Unintentionally faxing or emailing patient data to an incorrect destination.
Inadequately storing and securing patient records.
Accessing patient records outside of the approved network.
Unintentionally exposing sensitive data to individuals not privy to the information.
2. Violations of willing negligence, including:
Accessing patient records without proper authorization.
Improper use of passwords and user names.
Revealing patient information to unauthorized persons.
Using unauthorized computers or other equipment within the network.
Willingly leaving sensitive patient information unsecured.
Using patient records for personal benefit.
Selling medical information.
Purposefully altering or damaging data stored in medical records.
Healthcare providers would be forced to pay large sums as penalties & fines on violation of HIPAA regulation
Healthcare companies/organizations violating HIPAA regulations/guidelines are subject to the penalties & fines given below:
1. Penalties assessed to healthcare organizations unaware that they violated a HIPAA requirement:
$100 to $50,000 per violation.
$1,500,000 aggregate for an identical provision.
2. Penalties assessed to healthcare organizations with a violation due to reasonable cause but not willful neglect:
$1,000 to $50,000 per violation.
$1,500,000 aggregate for an identical provision.
3. Penalties assessed to healthcare organizations with a violation deemed willful neglect but rectified within a reasonable time:
$10,000 to $50,000 per violation.
$1,500,000 aggregate for an identical provision.
4. Penalties assessed to healthcare organizations with a violation deemed willful neglect and left unresolved:
$50,000 per violation.
$1,500,000 aggregate for an identical provision.
Mergers & acquisitions require complex integration of IT systems which may become susceptible to data breaches and cyber exposures
The healthcare industry has witnessed high levels of demand in M & A deals in 2014 & 2015. According to a ‘Thomson Reuters’ study, healthcare M & A value was $460.2 billion as of November 2015, up from $392.4 billion in the year 2014.
In 2015, Pfizer Inc offered to buy Allergan for a consideration of $160 billion, which is considered one of the largest deals in healthcare. This acquisition, which could create the world’s largest drug maker, has come under serious scrutiny on the political and economic front.
The news triggered panic amongst investors and as a result the shares of ‘Allergan’ and ‘Pfizer’ fell by 3.4% & 2.6% respectively. Pfizer expects the deal to provide enhanced access to its tens of billions of dollars parked overseas and to allow for more share buybacks, dividend payments and business development.
This deal would involve a complex process of integrating the information systems of both companies, which may consume considerable time and effort.
One of the biggest threats could be unauthorized access to critical and proprietary information by malicious insiders and/or outsiders. Data breaches could be another problem, since both companies operate large volumes of data and information which must be integrated.
Most of the time, cyber security is ignored in a merger or acquisition, due to which the companies involved may become susceptible to data breaches and other cyber risks in future.
International law firm Freshfields Bruckhaus Deringer found in a survey shared with Infosecurity that 90% of respondents believe cyber-breaches would result in a reduction in deal value, and 83% of dealmakers believe a deal could be abandoned if cybersecurity breaches are identified during deal due diligence or mid-transaction.
Dealmakers’ top concerns include targets suffering cyber-attacks during deal discussions, the target being a proven victim of data or intellectual property (IP) theft by cyber-attack, and evidence of a target not handling a past breach effectively (leading to fines, damage to reputation etc.). Interestingly, acquirers (30%) are most concerned about cybersecurity issues derailing transactions, whereas 81% of sellers are unconcerned or only slightly concerned about the risk of derailment.
Data breaches have led to lawsuits against board of directors.
It would be interesting to ascertain whether cyber exposures or data breaches can lead to lawsuits against directors and officers. According to ‘The D&O Diary’, the Boards of Directors of ‘Target Corp.’ and ‘Wyndham Worldwide’ were sued soon after these companies witnessed high-profile data breaches.
Although the examples mentioned above are from different industries, namely retail and hospitality, it is interesting to ascertain the possibility of cyber liability leading to D & O liability. D & O policies are witnessing changes in scope & coverage, since the possibility of data breaches leading to lawsuits against directors & management is opening up.
It is unclear whether cyber/data liability/security claims would be covered under traditional lines of insurance such as property, general liability etc. However, a few court rulings shed some light on decisions wherein cyber liabilities were covered under traditional lines of business. Although the companies involved in these lawsuits belong to industries other than healthcare, it is interesting to understand the treatment of liability.
In the lawsuit “Retail Systems, Inc. v. CNA Insurance Co”, the Court of Appeals of Minnesota compared a data storage tape to a motion picture and held that data on a missing computer tape was of permanent value and was integrated completely with the physical property of the tape.
Generally, Commercial General Liability (CGL) policies offer broad liability insurance coverage under two insuring agreements: ‘Coverage A’ (bodily injury and property damage) and ‘Coverage B’ (personal and advertising injury). In the case “Eyeblaster, Inc. v. Federal Insurance Co”, the U.S. Court of Appeals for the Eighth Circuit held that a cyber liability claim was covered under Coverage A notwithstanding that “any software, data or other information that is in electronic form” was expressly excluded from “tangible property”.
Healthcare industry respondents reported lower levels of increase in retention level
Chart: Aon Global Risk Management Survey 2015, changes in retention levels by industry.
According to Aon’s Global Risk Management Survey 2015 report, about 33% of respondents from the ‘Agribusiness’ industry reported an increase in retention levels across all lines of business (property, general liability etc.).
About 18% of respondents from the ‘Healthcare’ industry reported an increase in retention levels.
According to Aon’s Global Risk Management Survey 2015 report, 57% of the respondents from the healthcare industry had already purchased cyber insurance.
However, 42% of respondents had neither purchased cyber insurance nor had plans to purchase it. A very small portion of respondents (2%) had plans to buy cyber insurance.
Chart: Aon Global Risk Management Survey 2015, Purchase of Cyber Insurance Coverage by Industry (series: Insurance Currently Purchased; Not Purchased & No Plans to Purchase; Plan to Purchase).
Majority of the respondents from the healthcare industry felt existing cyber policy offered effective & adequate coverage
Chart: Aon Global Risk Management Survey 2015, Effectiveness of Current Cyber Insurance by Industry.
Chart: Aon Global Risk Management Survey 2015, Adequacy of Current Cyber Insurance by Industry.
According to Aon’s Global Risk Management Survey 2015 report, about 83% of respondents from the ‘Healthcare’ industry were pleased with the effectiveness of their existing cyber liability policy.
Only 57% of respondents from the ‘Hotels & Hospitality’ industry thought the current cyber liability policy was effective enough to offer protection from cyber liability.
According to Aon’s Global Risk Management Survey 2015 report, about 63% of respondents from the ‘Healthcare’ industry felt that current cyber coverage provided adequate cover against cyber liability.
However, 48% of respondents from the ‘Retail Trade’ industry felt that current cyber coverage wasn't adequate to provide cover against cyber liability.
Estimation of the impact of cyber risk on healthcare industry
According to a study by ‘Grand View Research, Inc’, the global healthcare cyber security market is forecast to reach a value of $10.84 billion by the year 2022. Increasing incidents of cyber attacks aimed at misuse of electronic patient health records (E-PHR), social security records, IP theft etc. are expected to drive the growth of this market.
Increased emphasis on the use of cloud-based applications & services and bring your own device (BYOD) may encourage cyber criminals to mount more attacks, which in turn would contribute towards the growth of the healthcare cyber security market.
Rapid adoption of the internet in India & China is expected to create a huge user base vulnerable to cyber attacks. According to an estimate by the Internet and Mobile Association of India (IAMAI), India’s internet user base is forecast to reach nearly 402 million by December 2015.
According to a study by ‘Accenture’ and a publication by ‘Healthcare Informatics’, the failure to make cyber risk a strategic priority may cost healthcare providers about $305 billion worth of lifetime revenue over the next 5 years: 2016 – 20.
Sources used for the study:
Breach Level Index database.
NetDiligence Cyber Claims Study – 2014 & 2015
Prnewswire publication
Healthcare Informatics publication
Reuters publication
Aon Global Risk Management Survey 2015
For any queries regarding this report kindly contact:
Abhiram Holla,
Aon Specialist Services Pvt Ltd/ GSMS, t +918030912166 | m +919986186390, email: abhiram.holla@aon.com