Healthcare organizations are increasingly caught in a game of whack-a-mole when it comes to stomping out the endless iterations of costly cybercrime: No sooner do they improve controls to manage one scheme than another pops up in its place to plague them.
It’s a problem. Maintaining vigilance against intrusions is a never-ending challenge, given the bottomless ingenuity of bad actors.
One such crime currently wreaking havoc is invoice manipulation fraud. Criminals get into a network through a phishing expedition that gets them access to legitimate credentials, passwords, and authentic email accounts. Then they lurk in the system as they scope out transactions, manipulating invoices to change the amount owed and make the pay-to account one they control.
The victim doesn’t realize for 30 days or longer that the invoice was changed and the payment misdirected. Average cost per incident: $25,000 to $100,000. That can add up fast before it’s detected.
Cyber crime against the healthcare industry continues to be a worrisome issue that has everyone calling for more and better controls. The industry is one of the worst affected: Security Intelligence says data breach costs have escalated 53.3% over the last three years; the average cost across all industries was $4.45 million. Healthcare, though, was the highest at $10.93 million.
Better controls, of course, are a huge part of the solution. For invoice manipulation, putting callback procedures in place is vital, but three-way matching in tracking and updating invoices is key to the verification process. So is matching/double-checking account information.
But the industry must get on top of more than just controls – and stay there. A better understanding of the always-changing nature of cyber risks will enable more effective responses. And it must become educated on the nuances of cyber insurance to avoid getting caught short.
Here are some starting points.
The abundance of cyber fraud ploys
A good starting point is social engineering, a broad category for intrusions, like phishing, that trick people into sharing information, downloading software or visiting websites that end up compromising their personal security or the security of their company. In fact, phishing is the most commonly reported cyber crime, affecting nearly 300,500 individuals in 2022.
In addition to invoice manipulation, ploys increasingly used against the healthcare industry include funds transfer fraud, and ransomware and extortion.
Funds transfer fraud occurs when criminals successfully phish to assume the identity of an executive and then direct an employee key to an organization’s finances to transfer money to what is actually a ghost account. It’s a long game; stolen funds are not usually recovered. The FBI believes some $2 billion is lost annually to this type of fraud.
With ransomware attacks, a provider network is breached and locked, and it must pay up or permanently lose access to its stolen data. These attacks slowed in 2022, thanks to better defensive measures and law enforcement efforts. But they are now escalating again. With extortion, criminals threaten to publicly release the data they have collected.
Both large and small organizations are likely targets; all house a trove of sensitive data, such as health-related and payment card information. Large organizations should be concerned, given their big centralized pools of information. But smaller operations may think they are too small for cyber criminals to worry about. Not so. One study found that almost 60% of ransomware attacks were against small- and medium-sized businesses.
Some insurance considerations
Cyber insurance has gotten more expensive and complicated as cyber attacks, losses and claims have escalated. Even so, that’s nothing compared to the cost after a ransomware attack. According to some reports, 94% of U.S. hospitals have been through at least one cyberattack, yet fewer than half carry cyber insurance.
Here are some nuances to be aware of:
1. Invoice manipulation isn’t necessarily covered by the standard cyber policy, so always check. Either way, it’s essential to follow policy requirements, particularly for callback controls that verify bank account details.
2. Some organizations may carry dual coverage against data breaches, through both the cyber policy and crime policy. It’s rare to see the full coverage limit for cyber breaches on a crime policy; cyber is unique in providing both first- and third-party coverage.
3. The U.S. maintains a sanctions list against parties or individuals known to be behind malicious cyber activities. Should a provider’s network be attacked by parties on the list, insurance will not cover the ransom payment.
4. There is some crossover between cyber and kidnap and ransom (K&R) policies. Should a health system get hit with a ransomware attack, for example, the K&R policy might provide additional coverage. Bigger organizations are more likely to have this.

Pete Reilly
Pete Reilly is the practice leader and Chief Sales Officer of global insurance brokerage Hub International’s North American healthcare practice.
In this role, he directs and coordinates HUB’s healthcare planning, growth and strategic initiatives. He also works with other leaders and experts within HUB to develop and introduce proprietary products that will help healthcare organizations and providers across the care delivery spectrum.
Pete has been a featured speaker at numerous professional conferences, including ASHRM and the Bermuda Captive Conference. He has also been a guest lecturer on topics of insurance and risk management at The Wharton School and a Metzger-Conway Fellow at his alma mater, Dickinson College, and he has been twice recognized as Med Pro Group’s Buffett Award winner. Additionally, Pete has served on numerous insurance carrier Agency Advisory Councils and various ASHRM National Advisory Committees.