Asia’s Health Care Industry Reels from Cyberattacks

By: Principal in Oliver Wyman's Health & Life Science Practice; Principal, Finance and Risk Practice for Oliver Wyman; Healthcare and Life Sciences Industry Practice Leader in Asia for Marsh
Health care is one of the sectors most vulnerable to cyberattacks, with more than one in four (27 percent) health care organizations reporting that they have been a victim of a cyberattack in the past 12 months. This is more than financial institutions (20 percent) and nearly twice the incidence in the communications, media and technology sector (14 percent). Despite this, respondents from the health care industry underestimate the likelihood of a cyberattack.
As the potential impacts of cyberattacks are transboundary, no country is completely immune to this phenomenon. Ransomware attacks such as WannaCry and Petya had a global reach affecting care delivery businesses and insurers in the region. Compared to global counterparts, it takes almost five times longer to detect an intrusion for companies in Asia-Pacific.
Participants in the latest Marsh-Microsoft Global Cyber Risk Perception Survey were asked about their perception of cyber loss scenarios that would have the highest impact.
Exhibit 1: Top Cyber Loss Scenarios with the Largest Perceived Potential Impact
Business interruption was highlighted as the primary cyber risk concern in health care (69 percent), similar to other industries. In 2017, the WannaCry global attack succeeded in temporarily shutting down the IT systems of hospitals globally. In more life-threatening cases, cyberattackers could compromise medical devices, such as health-networked MRI machines, as entry points into unsecured Wi-Fi networks, causing critical medical devices to malfunction.
Breach of customer information is a more daunting scenario in health care (67 percent) than in other industries. A medical record holds powerful data on an individual, and once compromised it cannot be reissued or suspended the way a credit card can. Cybercriminals can use, and even manipulate, such data to cause personal distress, damage users’ reputations, compromise corporate accounts, or monetize the stolen data.
Severe Financial Consequences
The health care industry is most concerned about financially motivated threat actors: 45 percent of health care respondents flagged organized crime or hacktivist groups as their biggest source of concern.
Moreover, cyberattacks are perceived to have more severe financial impacts within the health care industry. More than 70 percent of health care respondents expect that each cyber breach scenario in the industry could cost more than $1 million, as compared to a cross-industry average of 65 percent who feel the same way. In fact, the average total cost of data breaches in FY2017 was $3.6 million per company across sectors according to Ponemon Institute.
Holistic Approach Needed
An all-encompassing data and cyber risk strategy is founded upon a thorough assessment of risk, a defined risk appetite and quantification of risk exposure. The risk management strategy then drives the right governance, identifies threats and corrective actions, and quantifies the amount of investment necessary to close gaps and vulnerabilities. To meet the expectations of management, shareholders, regulators and ratings agencies, organizations should design industry-specific mechanisms to safeguard against incidents and maintain an up-to-date, proven cyber incident playbook for use when a breach occurs.
Exhibit 2: Five Key Functions of the Cybersecurity Framework and Recommended Actions
Prepare and Prevent
A strong internal risk diagnostic, as a start, is required to assess a company’s cyber risks vis-à-vis industry peers. Forty percent of health care organizations still haven’t conducted a cybersecurity gap assessment in the past two years, and there is room for improvement in understanding and managing their overall risk exposure. Health care organizations need to identify, define and map specific cyber threats and scenarios to their tangible and intangible assets. Such tailored practices need to become a standard operating procedure across the health care industry.
An educated workforce and a cyber-secure culture are imperative to combat increasingly complex and frequent cyberattacks. Many successful and attempted cyber incidents in health care organizations have been attributed to human error. Shifting from an IT-driven cyber protection strategy to a mature risk-management discipline requires a bottom-up approach, such as creating a more cyber-savvy workforce and strengthening a workplace culture of cybersecurity.
Strengthening network security should be a priority given the proliferation of the Internet of Things and mobile devices with access to corporate networks. Health care organizations should emphasize proven cybersecurity hygiene practices—which are missing for half of the health care industry at present. Respondents to the survey admit to not having hardware encryption (47 percent) and multifactor authentication for corporate networks (50 percent). Only half of the health care respondents improved vulnerability and patch management in the past year.
Detect and Respond
IT departments are the primary owners and decision-makers for cyber risk management across the health care sector globally. Often, cyber risks appear as an add-on, not part of a holistic risk-management assessment. In taking a more proactive approach to enhance cybersecurity, organizations are encouraged to better understand the return on risk, through quantification, and to build in-house capabilities across multiple interconnected functional areas aligned with their cyber strategy. A management-led approach to set out cyber risk appetite is a first step to recognizing that cyber is a firmwide risk.
Underpinning advanced data resilience frameworks is a strong detection mechanism and holistic incident response plan. Almost two-thirds of health care organizations have not developed a cyber incident response plan. Most alarmingly, 37 percent of respondents are not sure of the reasons behind the lack of a cyber response plan, while only 22 percent are confident that their organization’s cybersecurity and firewalls are adequate.
Key risks that health care organizations face today include patient data exposure, shared system data exposure and employee exposure. Recognizing that cyber risks cannot be eliminated, health care organizations are beginning to look to insurance or cyber risk transfer programs as a way to shift risk off the balance sheet and to provide contractual evidence of compliance. Prompted by the wave of high-profile attacks and new data protection rules, annual gross written cyber insurance premiums have grown by 34 percent per annum over the past seven years. The European Union Agency for Network and Information Security has also found a positive correlation between cyber insurance take-up and the level of preparedness—and health care organizations are only beginning to recognize this.
While fewer than half of the health care respondents’ organizations (49 percent) have cyber insurance coverage, that figure is comfortably above the cross-industry average of 34 percent, though marginally behind financial institutions (52 percent).
Exhibit 3: Health Care Organizations’ Status of Cyber Insurance
The lack of internal agreement on the need for cyber insurance and insufficient budgets and resources are also major impediments (with 22 percent of respondents citing them as reasons) in cyber insurance penetration in the health care industry. These numbers further support the observation that budgeting in health care organizations is misaligned and technology modernization should be prioritized.
The Health Care Industry Needs To Do More
While businesses in key Asia-Pacific markets such as China, Singapore, Hong Kong, Australia, and South Korea are stepping up and improving their cyber insurance coverage in the health care industry, it must be recognized that cyber insurance is not a silver bullet and must be augmented with robust risk strategy and ongoing management.
The health care industry has been taking more actions on average than other industries in the past 12-24 months to prevent and prepare for cyberattacks. For example, 60 percent of health care respondents—as opposed to 51 percent of respondents across industries—indicated that they are assessing the cybersecurity gap to uncover what more needs to be done to protect themselves against future threats. Still, most health care organizations continue to focus more on prevention or preparedness and not sufficiently on detection and response.