EC JAN 2017 Cyber Healthcare Snapshot VOLUME 1, JANUARY 2017 CA Lic. #0414108

With all the ID Theft coverage offerings these days, mention healthcare and cyber liability in the same breath and the reaction will quite often be “another story about Identity Theft”. This inaugural edition of the Worldwide Facilities Cyber Healthcare Snapshot offers some interesting risks, well beyond the realm of ID Theft, for brokers, agents and risk managers to consider when Cyber Liability and Healthcare E&O intersect for their clients. Properly negotiated insurance wording is critical protection against the very real potential for Bodily Injury and Property Damage claims arising out of the incidents and new product offerings discussed in this issue.

One such notorious intersection of Healthcare E&O and Cyber Liability occurred in February 2016. Most observers of trends and news in both the Cyber and Healthcare worlds are familiar with the “ransomware” event at the Hollywood Presbyterian Medical Center in Los Angeles. Systems and administrative functions were held hostage for two weeks until a deal was made between the hospital and the cybercriminals who carried out the malware attack. After a reported initial demand of $3.4MM, the hospital agreed to a $17,000 bitcoin ransom payment to obtain the decryption key, regain access to its data and restore normal operations. Ransomware will continue to be a cyber threat for every industry sector; however, an event at a hospital or other medical facility, inpatient or ambulatory, clearly presents a more threatening risk, with stakes potentially much higher than economic loss to the business.
With systems held hostage, the liability exposure during that two-week period included:
• Hospital workers being unable to access important documents, patient data and emails, as full access to patient records was cut off; and
• Procedures such as CT scans and other diagnostic tests being unable to be carried out.
Both of these scenarios potentially give rise to claims for undiagnosed conditions or misdiagnosis.
• In some of the more critical cases, patients were ferried to nearby medical facilities for treatment. This exposes patients to additional bodily injury during transportation and during loading into and unloading out of ambulances.

Or consider a hypothetical dialysis center infected with ransomware where, again, all systems are down. Patients still need to have their blood cleansed of the impurities that the non-functioning kidney(s) cannot remove. The alternative is for staff to fall back on hand pump options without any mechanical controls. The consequences of too fast a rate of blood filtration include bilateral deafness, seizures and potentially even death. [See first news report below]

Our goal is that this Cyber Healthcare Snapshot will be thought-provoking and useful as you explore providing the best coverage for your clients.

HACKERS HIJACKING MEDICAL DEVICES TO CREATE BACKDOORS IN HOSPITAL NETWORKS

EDITOR’S INTRODUCTION

After the Office of Personnel Management breach in June 2015, medical data was labeled the “holy grail” for cybercriminals intent on espionage. “Medical information can be worth 10 times as much as a credit card number,” reported Reuters. And now, to steal such information, hospital networks are being accessed through malware-infected medical devices. TrapX, a deception-based cybersecurity firm, has coined the term “MEDJACK”. Attackers are infecting medical devices with malware and then moving laterally through hospital networks to steal confidential data, according to TrapX’s MEDJACK report.
In three separate hospitals, TrapX found “extensive compromise of a variety of medical devices which included X-ray equipment, picture archive and communications systems (PACS) and blood gas analyzers (BGA).” Blood gas analyzers are often used in critical care situations or during surgery. Clearly, many other devices present targets for MEDJACK. These include diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines), to name a few.

Sources: Reuters; Computerworld
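The MEDJACK pattern described above, a compromised device used as a pivot into the rest of the hospital network, is exactly what network segmentation and egress monitoring around the device VLAN are meant to catch. The following is an added example written for this page; it is not code from the Snapshot, from TrapX or from any vendor. It assumes a hypothetical device segment (10.20.0.0/24), a hypothetical allowlist of the only two destinations a device should ever reach (the PACS archive on DICOM port 104 and an NTP server), and a constructed, simplified firewall export as input. It flags every egress flow from the segment that is not on the allowlist and then reports devices that touched several off-allowlist hosts, the sweep a pivoting device performs.

```python
"""
Added example (not from the Snapshot or from TrapX's MEDJACK report): a
minimal detector for a medical device reaching out of its network segment.

All network details are hypothetical:
  - medical devices live in 10.20.0.0/24
  - a device may legitimately reach only the PACS archive (10.10.5.10,
    DICOM, TCP 104) and the NTP server (10.10.5.53, UDP 123)
The log format is a constructed, simplified firewall export:
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>
"""
import ipaddress
from collections import defaultdict

DEVICE_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # hypothetical device VLAN

# Destinations a device is allowed to reach: (ip, port, proto). Hypothetical.
ALLOWED = {
    ("10.10.5.10", 104, "tcp"),   # PACS / DICOM archive
    ("10.10.5.53", 123, "udp"),   # NTP
}

# Constructed sample traffic. The device at 10.20.0.17 behaves like a
# MEDJACKed pivot: SMB toward three workstations, then RDP to one of them.
# The device at 10.20.0.5 only talks to PACS and NTP.
SAMPLE_LOG = """\
2017-01-10T08:00:01 10.20.0.5 10.10.5.10 104 tcp allow
2017-01-10T08:00:02 10.20.0.17 10.10.5.10 104 tcp allow
2017-01-10T08:00:03 10.20.0.17 10.10.5.53 123 udp allow
2017-01-10T08:01:10 10.20.0.17 10.30.1.40 445 tcp allow
2017-01-10T08:01:11 10.20.0.17 10.30.1.41 445 tcp allow
2017-01-10T08:01:12 10.20.0.17 10.30.1.42 445 tcp allow
2017-01-10T08:01:30 10.20.0.17 10.30.1.40 3389 tcp allow
2017-01-10T08:02:00 10.30.1.40 10.20.0.17 445 tcp allow
2017-01-10T08:02:05 10.20.0.5 10.10.5.53 123 udp allow
"""


def parse(log_text):
    """Yield one record per non-empty line of the constructed export format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, action = line.split()
        yield {"ts": ts, "src": src, "dst": dst,
               "port": int(port), "proto": proto, "action": action}


def segmentation_violations(log_text):
    """Return egress flows from the device segment that are not on the allowlist."""
    found = []
    for rec in parse(log_text):
        if ipaddress.ip_address(rec["src"]) not in DEVICE_SEGMENT:
            continue  # inbound or non-device traffic; out of scope for this check
        if (rec["dst"], rec["port"], rec["proto"]) in ALLOWED:
            continue
        found.append(rec)
    return found


def pivot_candidates(violations, min_hosts=3):
    """Devices that touched at least min_hosts distinct off-allowlist hosts,
    a crude signal for the lateral sweep a compromised device performs."""
    hosts = defaultdict(set)
    for rec in violations:
        hosts[rec["src"]].add(rec["dst"])
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    v = segmentation_violations(SAMPLE_LOG)
    for rec in v:
        print(f"VIOLATION {rec['ts']} {rec['src']} -> "
              f"{rec['dst']}:{rec['port']}/{rec['proto']}")
    print("pivot candidates:", pivot_candidates(v))
```

Run against the constructed log, the script reports the four flows from 10.20.0.17 to the workstation subnet and names that device as a pivot candidate, while 10.20.0.5 produces nothing. The inbound flow from 10.30.1.40 to the device is deliberately ignored: this check is about egress from the device segment, and a real deployment would pair it with a firewall rule that denies that egress outright rather than merely logging it.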