Enhancing cyber resilience for health and social care providers

By Rachel Phillips | April 23, 2024

Find smarter ways to manage cyber risk and build cyber resilience in the health and social care sector.

The latest WTW claims data, insights from WTW Directors’ & Officers’ research, along with our specialist perspective, show the continuing importance of health and social care organisations enhancing cyber resilience.

Digital technologies including artificial intelligence (AI) technologies can improve efficiencies and outcomes for health and social care providers and users. However, they also pose increased cyber risks. Attackers are quick to evolve their techniques to exploit potential vulnerabilities as technology and risk profiles develop.

To help you stay ahead of the changing cyber risk landscape, we are sharing insights from WTW claims and research below. These perspectives highlight the increased pressure that healthcare providers are currently facing. Additionally, we examine recent cyber incidents within health and social care to support your understanding of the sector’s specific vulnerabilities, while also offering practical guidance to strengthen your cyber resilience. Lastly, we share the latest takeaways from the 2024 WTW directors’ and officers’ research, emphasising the vital role of senior leaders in protecting organisations from cyberattacks.

Cyber claims landscape for health and social care

Our recent proprietary cyber claims data across all industries between 2012 and 2024 shows that healthcare remains the number one sector for the volume of cyber notifications. Additionally, the average claims cost is notable at £1.269m, with the largest claim reaching over £53 million. Without full insurance indemnification, providers would have to self-fund the significant financial impact of these cyber losses, potentially affecting their ability to fund and deliver frontline services.

Cyber notification by industry

[Figure 1: bar chart of cyber notifications by industry]

Source: WTW proprietary cyber claims data from 2012 to 2024 - based on 3,750 claims globally of which healthcare comprises 700 notifications

A recent report by security specialists KnowBe4, titled "Rising Threat Of Malware Attacks In Ireland And United Kingdom Healthcare Sectors," states that U.K. healthcare organisations experienced a 74% increase in cyberattacks in 2022 compared with 2021.

WTW data shows that the primary drivers of claim costs are disruptions to care delivery and ransomware attacks. In these attacks, cybercriminals either block access to systems or encrypt data, demanding a ransom for release, decryption, or halting data publication. Ransomware attacks are closely followed by credit monitoring/ID protection as the second-highest driver of claims cost, resulting from data/privacy breaches.

Healthcare claims by cost type incurred:

[Figure 2: bar chart of healthcare claims by cost type incurred]

Source: WTW proprietary cyber claims data from 2012 to 2024 - based on 3,750 claims globally of which healthcare comprises 700 notifications

Case studies: health and social care cyberattacks notified between 2011 and 2024

WTW's proprietary claims data reveals numerous noteworthy cyberattacks affecting health and social care organisations, each resulting in significant financial losses.

  • Ransomware attack with a total event cost of £15.4 million
    An organisation lost access to the internet and its applications due to a ransomware attack, leading to a period of downtime. The organisation paid a negotiated ransom to obtain the decryption key. It then began restoring its systems and enlisted third-party vendors to help with various tasks, including business interruption calculation, forensics, restoration and notifications to millions of affected individuals and to regulators. Multiple privacy class actions were filed against the organisation after the data breach, alleging that it failed to effectively secure and safeguard sensitive personally identifiable information, including health information stored on its systems.
  • Business disruption/system failure with a total event cost of £15 million
    A vendor-led upgrade to this organisation's electronic health record application for hospitals and other services resulted in the merging of the medical records of thousands of unassociated patients. The vendor and organisation worked to resolve the issue but had to track activities on paper in the meantime, creating a backlog of care activity. This activity then had to be entered into the medical records that drove coding and billing processes, but many of the activities performed were never captured, resulting in lost income.
  • Malicious data breach with a total event cost of £200,000
    An organisation's email accounts were compromised following a phishing incident. The organisation hired forensic investigators to determine the extent of the breach and subsequently provided notice and credit monitoring to all affected individuals. Following this exercise, the organisation received a class action on behalf of the affected individuals.

The above examples show how health and social care providers are vulnerable to outside threats, leading to disruption and expense. They emphasise the need for risk prevention measures like avoiding data breaches, securing effective insurance, and having strong plans for responding to incidents, all to improve cyber resilience.

Understanding and managing ransomware and other cyberattacks

Ransomware, now with double extortion (where attackers demand payment not to leak stolen data, in addition to the ransom to decrypt files), is still a major worry. This was highlighted by the 2022 LockBit 3.0 ransomware attack, which crippled NHS 111 services, with the infection arriving via a third-party vendor's systems.

According to the U.K. Government's 2022 Cyber Security Breaches Survey, the most common type of breach and attack is phishing, where staff receive fraudulent emails or are directed to fraudulent websites. This is followed, to a much lesser extent, by impersonation (where others impersonate organisations in emails or online) and then by viruses or other malware.

This reminds us of how crucial it is for staff to stay vigilant. Most cyber attackers rely on social engineering techniques to breach an organisation's network, which could result in ransomware or double-extortion attacks.

The increasing use of AI and other digital technologies by health and social care providers will continue to create challenges for the sector to understand and manage. In its Cyber Strategy to 2030, the U.K. Government recognises "the importance of technology and data to effective care provision and cyber security as an essential enabler of care assuring the safety of patients and service users." It also recognises the significance of health and social care providers being ready to handle, respond to, and bounce back swiftly from cyberattacks and security breaches to maintain uninterrupted care. The government sets out five pillars of cyber resilience:

  • Focus on the greatest risks and harms
  • Defend as one
  • People and culture
  • Build security for the future
  • Exemplary response and recovery

The Government's strategy directs health and social care providers toward the National Cyber Security Centre's (NCSC) standard, the Cyber Assessment Framework (CAF), for critical national infrastructure. It suggests four key objectives:

  • Managing security risk – ensuring appropriate structures, policies and processes are in place to manage risks to systems supporting essential functions
  • Defending systems against cyberattack – ensuring proportionate measures are in place to protect systems supporting essential functions from cyber-attack
  • Detecting cyber security events – ensuring capabilities exist to keep security defences effective and to detect cyber security events with the potential to affect essential functions
  • Minimising the impact of cyber security incidents – ensuring capabilities exist to minimise the adverse impact of a cyber security incident on the operation of essential functions.

How can health and social care organisations strengthen cyber resilience?

To effectively manage cyber risk, it's crucial to shift away from siloed perspectives and instead broaden your view to integrate cyber risk into your organisation's overall risk management frameworks. This entails integrating cyber risk into your incident response, business continuity and disaster recovery plans.

To ensure your organisation's cyber resilience and to adopt a sufficiently comprehensive view of cyber risk, you need to be able to answer the following questions:

  • How susceptible is your organisation to cyberattacks? Where are your cyber security gaps?
  • What would be the financial, operational, reputational and regulatory impacts of a cyber incident on the business?
  • What steps or actions can your organisation take to enhance business protection and mitigate the impact of a cyber incident?

You can take a robust approach to managing residual risk by:

  • Adopting a structured approach to answering the cyber risk management questions mentioned above
  • Understanding your cyber exposures and quantifying their materiality in financial and non-financial terms
  • Identifying where the business has insurance protection within your core programme and considering the value of stand-alone cyber insurance
  • Widening your perspective on cyber risk by challenging your thinking around scenarios: broaden your understanding of the type, scope and scale of potential cyberattacks, potentially by consulting external experts.

Reviewing your cyberattack incident response

Having a clear, updated, and tested incident response plan is critical for effectively managing cyber risk. Collaborating with cross-functional stakeholders, you should develop an understanding of your critical business processes and the underlying systems and data they depend on. You'll then be able to align your incident response, including crisis management, business continuity, and disaster recovery policies under a single, effective strategy that moves beyond siloed approaches.

An effective incident response plan will include:

  • A concise, clear plan that's ready for immediate deployment
  • Individual awareness and knowledge of roles and responsibilities supported by training
  • A documented set of actions and processes for cyber incident response
  • A specified timeframe for regular testing to ensure your cyber crisis and response plans remain effective.

The role of health and social care leaders in boosting cyber resilience

Cyber extortion, data loss, and cyberattacks continue to be ranked as the top three risks facing directors and officers in WTW's Global Directors' and Officers' Liability Survey Report 2024.

Cyber risks are always changing. According to the latest report from the National Cyber Security Centre (NCSC), cyber attackers are starting to use artificial intelligence (AI) tools in their operations, especially for reconnaissance and social engineering. The NCSC argues that this will make attacks stronger and harder to spot, possibly lowering the barrier to entry for inexperienced criminals and adding to the global ransomware problem.

This concerning trend puts more pressure on health and social care providers. They must put in place strong cybersecurity measures and respond quickly and effectively to attacks. Cyber risk goes hand in hand with the number four concern of survey respondents – data loss – a big issue for health and social care providers. Since the GDPR came into force, providers have seen hefty fines issued by data protection authorities after breaches, and the law on claims from data subjects is still evolving. Moreover, the costs directly associated with breaches can be substantial, and there is a risk to reputation.

The WTW Global Directors' and Officers' Liability Survey Report highlights the value of effective cyber risk management leadership tactics, such as:

  • An improved focus on cyber risk governance, increased senior-level engagement and regular reporting on the oversight and management of cyber risk issues
  • Investing in cyber and data security on an ongoing basis to keep pace with the dynamic risk environment, encompassing people, processes and technology
  • Prioritising cyber incident preparedness and testing; a comprehensive, tested response plan is critical for minimising the impact of a cyberattack.

The report also highlights how cyber insurance remains a key part of organisations' cyber risk management plans, helping businesses mitigate the financial impact of cyberattacks and providing access to resources and expertise to help prevent and respond to cyber incidents.

For smarter ways to manage cyber risk and build cyber resilience tailored to the health and social care sector, get in touch.
