Podcast

Ransomware rethink: The UK's bold move to ban payments

The Anatomy of Risk Podcast Series: Season 1 - Episode 1

June 23, 2025


In this episode of The Anatomy of Risk podcast series, Rachel Phillips, our GB Health & Social Care Leader, is joined by Ian Cairns and Matt Ellis from our cyber team to discuss the cyber threat landscape for health and social care providers following the UK government's consultation announcement earlier this year on ransom payments, and how the cyber insurance market may respond.

Practical risk management advice for the health and social care sector

Transcript for this episode

IAN: But then when we look at the challenges, health and social care has got a really large surface area for attacks and the multi-systems being used.

RACHEL PHILLIPS: Welcome to The Anatomy of Risk, the podcast series dedicated to exploring the critical intersections of risk management, insurance, and the ever-evolving health and social care sector. In each episode, we'll explore the risk challenges facing health and social care providers, from safeguarding against operational risks, to preparing for emerging and evolving risk, to navigating the insurance landscape. Our goal is to arm you with the knowledge and tools you need to mitigate risk effectively, ensuring you can focus on what you do best-- providing excellent care.

Join us as we talk to subject matter experts to discuss the latest trends and best practices in risk management and insurance for the health and social care sector. Whether you're a seasoned professional or new to the field, The Anatomy of Risk is your go-to resource for staying informed and prepared in an ever-evolving landscape. Together, let's build resilience in a sector where trust, care and preparedness make all the difference. So grab a drink, get comfy, and let's dive into today's episode of The Anatomy of Risk.

I'm Rachel Phillips, WTW's Health and Social Care practice leader here in GB. Today's podcast covers the implications for the health and social care sector of the UK government's proposals regarding ransom payments. I'm joined by Ian Cairns and Matthew Ellis from WTW's cyber team to discuss the implications, along with their views on how the cyber insurance market may respond, plus some practical tips on how the sector can enhance resilience to cyber attack.

Ian is a cyber risk consultant in our cyber risk solutions team. With a distinguished 22-year career in the Royal Air Force, Ian's expertise encompasses risk assessment and mitigation, occurrence investigation, root cause analysis and driving organisational change. Ian has a proven track record in business continuity, incident response and recovery, and facilitating human factors across diverse industries, including healthcare. Ian holds a Bachelor of Arts Honours degree in Organisational Capability Development.

Matthew heads up our client service and industry team for cyber, technology and media. Matthew has a background in professional indemnity and medical malpractice before, in 2012, deciding to focus on cyber and technology errors and omissions. Matthew has a degree in criminology, a master's in multimedia, and is certified in risk and information systems control. Matt works with Ian and our wider cyber team to provide clients with access to specialist support, data and analytics, enabling them to make informed decisions on risk transfer. Welcome. It's great to have you with me today to discuss the cyber threat landscape for health and social care providers following the recent UK government consultation announcement on ransom payments, how the cyber insurance market may respond, and some practical tips on how the sector can enhance its resilience to cyber attack.

Cyber remains a continued threat, of course, for Health and Social Care providers, with many high profile incidents over the last few years demonstrating the significant impact on the sector. And we know the digital transformation of the sector will continue, which will only further increase the threat landscape. WTW's annual global claims data shows that the sector accounts for by far the largest number of notifications by some margin each year, with malicious data breach and ransomware equating to half.

And in 2024 alone, the sector accounted for almost 20% of all claims and/or 10% of all claims payments by insurers. Equally, in our 2024 global directors and officers risk survey in conjunction with Clyde & Co, cyber attack was ranked number two by the sector, demonstrating their ongoing concern. So Ian, with that context in mind, last month, the UK government announced a consultation on proposals to both increase incident reporting and reduce payments to criminals following ransomware deployment. Can you help us understand the three elements of the proposal that form the consultation?

IAN: Yeah. Certainly, Rachel. So the consultation, it broke into three elements-- the banning of ransomware payments for public sector bodies and critical national infrastructure, an incident reporting regime and a ransomware payment prevention. So if we break them down, the banning of payments-- the UK government for a long time has had the policy that they won't pay ransoms. And what they're looking to do with this proposal of banning the payments, they're looking to expand it into public sector bodies and critical national infrastructure. To put it into a health care perspective or context, parts of the NHS are actually classed as public sector bodies, not actually part of government.

And so that would bring them in line with the rest of the main NHS, where they couldn't make a payment. And critical enough-- and health is deemed part-- or health is deemed part of the critical national infrastructure. So that would then bring the likes of private health providers, dentists, that kind of thing. They would then become in the purview of they're not allowed to pay a ransom. And there are some options put forward in the proposal of what sanctions would be taken. This could be from fines to banning of being directors-- that kind of thing.

That's laid out in the proposal of what they would sanction individuals if this was passed into law. When we move on to the incident reporting regime, the proposal there, they're looking to get a better overview of organisations, who are subject to ransomware payments that are not covered in that first group. And this proposal, they would ideally be looking to limit payment to organisations that have been sanctioned or that might be subject to terrorism finance legislation to disrupt-- not only disrupt their organisation because they lack the funding but also it allows greater oversight from the cybersecurity community in the UK to understand how these groups are operating and what kind of things they're doing.

How the proposal is laid out is that if you are subject to make a ransom payment, you'd be requested to contact a government agency in the first instance and report your intent, whether or not you intend to pay. If you are intending to pay, they will then look into the organisation. It says that victims may be offered support by the government cyber agencies as part of this, and they'll also be informed if they're not allowed to pay the ransom because the group has been sanctioned or individuals in the group have been sanctioned, or they actually are part of that-- terrorism finance legislation has been applied.

And then the final piece of the proposal is that all organisations are to report ransomware attacks, regardless of outcome. Because at the moment, some organisations, because they have recovery plans and backups in place, actually, if they're subject to a ransomware, they don't pay the ransom. They just rebuild their own systems and business carries on as normal. But these attacks don't get reported. And so it becomes very difficult to build a fuller picture of what's actually going on out there and what tactics, techniques, and procedures are being used by cyber criminals to impose how they're getting into systems-- how they're making the attacks work.

And so, actually, by making people report, it gives that better picture of what's going on. And actually, it allows things like the National Cyber Security Centre to actually put measures in place to maybe help mitigate some of the impact and help offer advice on a more generic scale to businesses to help them protect themselves. And certainly, when we look at the health sector, that wouldn't be a bad thing-- to help them have a better understanding of what's going on.

RACHEL PHILLIPS: Thank you. Yeah, and greater transparency, I think, is critical. And I'm assuming social care organisations and charities, for example, would also be in scope from what you've said.

IAN: I think that would be the difficult thing. Because the definition of national critical infrastructure is pretty broad and pretty loose, it's broken down into 13 categories. I think it would be in the detail if the proposal was to then move ahead to become legislation and an act of law. I think there would be a further-- I would like to hope there's a further consultation period. Because there also needs to be proportionality in this. For the likes of a charity, it could become very expensive to implement these measures, and actually that then would detract from the work they're doing. So that fine balance of proportionality would be really key.

RACHEL PHILLIPS: OK. Thank you, Ian. And given the propensity for such attacks against providers, what are the key cybersecurity considerations to prevent being infected by ransomware in the first place?

IAN: I think in the first instance, you need to understand your own threat model. And as you've already said, health appears often in lists of organisations that are subject to cyber attacks. Certainly, if we look beyond the UK as well, the US has had lots of issues in the last 12, 18 months of healthcare providers suffering issues. And so understanding your threat model, and I would say most healthcare providers are certainly in a high-threat model, and they need to be conscious of that.

The data they hold is very sensitive data, whether it be personal information or personal health information. So it makes them an attractive target for cyber criminals looking to either ransomware or exfiltrate data for other uses. And there's also been-- examples that come to mind was back in 2020 in Finland. There was a mental health care provider that was subject to a data breach and ransomware. And when the health provider wouldn't make the payment, the cyber criminals then tried to extort the patients individually for payment to say, if you don't pay us the money, we will release your health records publicly.

So it's a multifaceted model, where if you ban the payment from the-- if you say the health and social care provider can't make the payment, does that then stop them trying to extort an individual patient? I think that's a different-- it's something that needs to be considered. And that's why actually having good cyber defense and a good cyber posture is really key. But then when we look at the challenges, health and social care has got a really large surface area for attacks and the multi-systems being used.

And some of these systems are end of life or they're poorly maintained, and that's for various reasons. It could be budgetary constraints, it could be the design of the system. You spend multi-million pounds on a piece of equipment, and all of a sudden the operating system is out of date. You don't want to just throw that piece of equipment away. And so that scanner-- whatever-- blood testing machine, whatever it may be-- still continues to be used. And that makes it a challenge to secure these environments sometimes because there are ways in that we wouldn't have thought of.

And also as we move towards a more connected world, internet of things, you know, blood monitoring, health monitoring devices, wearables, that kind of thing, they all start to be connected to the internet. That then increases not only the healthcare/social care providers' surface area, it also increases the patient surface area because we're then responsible for securing our own data as well. That increases to a challenge. And I think the move to interoperability will push in the health and social care sector. NHS and private sector is potentially also going to produce. It's going to broaden that threat landscape. So infiltration in one area produces potential threats across, so that's something also to bear in mind.

Yeah, absolutely. Yeah, absolutely. And that's where things like end-to-end encryption come in. People can be very good at encrypting data at rest when it's not being used on a server, or a hard drive-- somewhere it's encrypted when it's in transit. We look at things like HTTPS, the internet standard protocol for transferring information securely, but also data in use. So when we're actually using our data to make sure that it is encrypted, and that helps because it limits that ability for someone to put themselves in the middle of that chain and take information while it's being moved around, while it's being stored, while it's being used.

But also I think because phishing comes up so often in why-- as the way into a lot of these systems, I think regular staff training helps. It helps people spot when something doesn't look right. Also running regular phishing simulations to give people the opportunity to see a phishing email. Maybe have that spider sense moment to go, this doesn't look right. You have to make it really easy for people to report because if it's difficult to report, that's a hurdle to put in someone else's way. They won't make the report. They won't own up. Or not own up-- that's probably not the right word. They won't acknowledge they've received a phishing email, whether it be a simulation or a genuine one.

And also I think it comes into the phrase just culture. People are going to make mistakes. We can spend all the money we want on really fancy technology to send people trying to get into our network or be in our network, but ultimately, it's normally the human being that lets us down, and someone clicks on a link they shouldn't do. They open an attachment they shouldn't. And it's that just culture and being proportionate because if we make an example of people and go too far, people then are fearful to report.

RACHEL PHILLIPS: I agree.

IAN: Also we need to have some kind of accountability so people do report the incidents. Because once we've reported an incident-- the quicker we report, the quicker we can do something about it. And you prefer someone reporting a false incident, and it actually isn't an incident versus someone not reporting anything.

RACHEL PHILLIPS: I absolutely agree. I think that cultural point can be underestimated, and giving people the environment to be open and honest about mistakes and to acknowledge them, because we'll all make them. And also to your point-- I like that point about almost helping them become more savvy about what to look for.

IAN: I suppose when we start looking at challenges, generative AI is making this so much more difficult.

RACHEL PHILLIPS: Yes.

IAN: There was a report published recently that was saying phishing attacks in the second half of 2024 were up 202% on the first half of 2024. And that's generative AI. 60% of phishing attacks are now estimated to use generative AI because they can create highly convincing content. They can use social engineering to collect massive amounts of information, whether that be from things like Facebook, X, LinkedIn-- whatever social media platform people are using. People can overshare information. It makes it easier for that-- what we call intelligence gathering phase. So we can work out who our victim is and how we're going to approach them.

And that means we can make things very personal and more convincing, and AI will do that for them. The other thing as well is that generative AI can be used to modify existing malware to then change the code subtly. So therefore, the systems we have in place to identify the malware, they can actually use gen AI to adjust the code to make it more difficult to spot by the system. And that's where generative AI is most-- people would argue at the moment it's not at a point where it's going to write you a malware from start to finish, but it's certainly in a position where you can ask it to modify code or suggest modifications for code, which then can be used to help bypass some of the sensors that companies deploy or businesses deploy to keep them safe.

The other thing with it-- the problem, I suppose, with the phishing side of things is generative AI makes emails look more convincing, but also in 2024, it's estimated 44% of phishing emails came from compromised accounts. And so what that means is someone, for example, would get access to your WTW account and send out a phishing link from it, where we use authentication protocols to stop spam emails, because it's a legitimate account with legitimate purpose and use, these controls don't step in.

So therefore, the email can then make it into your inbox. It's not flagged as spam or suspicious to you because it's actually come from a legitimate account, and tools that we're using, like, for example, DMARC, that kind of thing, would then be sidestepped because people's accounts have been compromised.

RACHEL PHILLIPS: So that's interesting. I'm just looking at the whole area of AI, which is going to be so transformative for the health and social care sector in the same way as for many sectors. As we know, it doesn't come without its challenges. And you've just highlighted a major one in the context particularly of cyber threats. Thank you, Ian. What can providers do therefore to prepare themselves should the inevitable, I guess, or the worst happen?

IAN: Yeah. So I think if we're looking at this as-- the phrase is the assumed breach. And therefore, having business continuity plans, incident response plans, disaster recovery plans in place certainly help us move forward when it happened. And it's things like incident response plans, actually, have a scenario focused on a ransomware to actually spend some time to think about what would it look like if we had a ransomware. Make sure our business continuity plan addresses our critical systems and workarounds that we could have in place.

Think about this before we're under pressure to how we could continue business as usual, if we lost one or more critical systems. And for disaster recovery plans, work out how long it would take you to bring these systems back online. What would that process look like, you know, to take a system down and rebuild it and start again because you did experience an issue? Regularly test these plans because the old phrase in the military is no plan survives contact, and that is very much true.

So by us testing these plans and actually using them and regularly reviewing them, A, we become comfortable as individuals with what steps we're going to take when, which then when the pressure happens, that muscle memory, that training will kick in. But also it allows us to identify areas that we thought something would work a certain way, and it doesn't quite work that way, and we can then not under pressure understand what we did. And then the final bit of that I would say is once you've tested them and you find things that work that don't work-- maybe have an incident, unfortunately, and that's how you test it.

Review what happened, why it happened. Make a change but keep a record of why you've made the change. Because, for example, three, four years down the line, someone's trying to understand why do we do something a certain way. And actually, if we record why we made the change, it helps paint that picture, and there might be a personnel limitation at the time. There might be a technological limitation at the time, regulatory-- something. It's why we do something a certain way. And maybe that barrier has been removed, or maybe we've managed to employ some more people, so actually, we are not relying on one person to do five jobs now. We've spread those jobs out. But by recording why we made that change, we can then help ourselves improve going forward and understand where we got there.

RACHEL PHILLIPS: Yeah. Really useful tip because actually-- just think about it in day-to-day life. We don't always do that, and you're right. It saves that second guessing. We walk on trodden ground and all those sorts of things.

IAN: Probably a couple of other things we'd throw in there-- maintaining log files. The longer the better. A lot of these cyber attacks, now, people have been in systems for months before the attack actually happens. And so to help how-- to work out how they got in, the longer, the better you can maintain the log files. Make sure we have good backups. We test them. We have multiple copies of the backups in various locations.

And communications-- controlling the narrative. When something goes wrong, we don't want to create fear and doubt with people. So actually having pre-prepared statements we can release that have gone through legal teams, marketing, PR, those kinds of people, and we can just adjust them for whatever the actual scenario is. That helps because people have got their head on fire because of an incident, and we can actually control the narrative. We're doing something, we're working well. We're trying to resolve this as quickly as we can.

I use the HCIG example again because actually on Friday, their statement was good. They're saying we can operate safely. We're going to continue to do this. However, we are aware there's been an incident, and we are working to resolve that. And then the final one is the external incident response is getting some external support from specialist teams in things like forensic recovery-- sorry, containment. Forensic investigation recovery. That helps. And having this in place beforehand really will be a benefit, rather than trying to find someone on the hoof once you've had an issue.

RACHEL PHILLIPS: That's useful as well. We'll perhaps come on to that when we talk about the insurance side because we know a lot of those services are included within insurance policies. I think the narrative and controlling that is really an interesting point. Because what you don't want is misinformation to fill the void. So it's really important, and also to communicate with your stakeholders. Thank you, Ian.

Matt, if I can bring you in. We know many in the sector still don't buy cyber insurance. I mean, possibly because they may not fully understand the breadth of coverage provided in the event of an incident, possibly due to perceived cost. Do you feel the government's proposals will impact the value of cyber insurance for Health and Social Care providers and perhaps worsen that situation?

MATTHEW: It's a great question, Rachel, and thanks for bringing me in. I've been sitting here nodding along to Ian and what Ian's been saying for the last few minutes. And it's certainly true that there is a lot of value in insurance around the cyber attack element of cyber insurance. But it's also worth considering the other side of the coin and the non-malicious cover that you can obtain from a cyber insurance policy.

And I suppose to just take a step back, cyber insurance is often only associated with cyber attacks, but the failures of your internal or supplier systems under the system failure element of it is also very, very important. And the cyber attack element generally covers the payment of ransom but only where it is insurable by law at the moment. And the other elements that sit outside of that in relation to ransom and ransomware events is, as Ian was mentioning a little bit earlier on, the public relations support, all of those service provider elements that can help you navigate through an incident.

And I mean, Ian made a great point about how that's communicated internally and also externally and making sure that you have a consistent message. That's extremely important in times of crisis. And also takes into consideration the potential of there being a malicious insider, making sure that the messaging is consistent and there aren't any problems with delivering one thing externally and then finding out later on that you've had a malicious insider, who then basically tells a different story a little bit later on.

So all of this public relations, the forensics piece, the legal support, all of that type of support and cover is available through a cyber insurance policy. Ian also mentioned the mitigations and the workaround costs. Again, an extremely important area of a cyber insurance policy, and the third-party liability piece as well.

RACHEL PHILLIPS: Thank you. Thanks, Matt. And do you think the cost for cyber insurance will reduce for impacted organisations with the removal of cover for ransom payments, given this will remove a potentially significant cost for insurers?

MATTHEW: Again, a good question and putting me on the spot as well. Thank you, Rachel. Sort of question that's always quite difficult to answer. And unfortunately, in this situation, I feel it would be unlikely. But a lot of the WTW and Willis claims data shows that the actual ransom payment makes up less than 20% of the cost of a ransomware event on average, so it's not a huge amount of the total expenses following an event like this that falls within insurance.

So if you consider the other 80%, you've got your mitigation and forensics, the revenue loss that I've mentioned earlier on. And removing this ability to almost buy yourself out of trouble by paying that ransom could ultimately increase those additional costs. If you can't just pay that ransom and hope to recover because I'm sure Ian will agree that even if you pay the ransom, there's not-- it's not a certainty that you'll get all of your data back if any of it.

And taking that away, your mitigation costs could quite easily increase, again, another reason for having those great backup plans in place and making sure that they are tested, your incident response plans, etcetera. So I think these additional costs would ultimately fill that space for the value of the actual ransom payment itself, Rachel.

RACHEL PHILLIPS: Well, that's very interesting, Matt, and actually not something I'd really thought about. The fact that the other costs might increase in direct proportion, really, to the inability to pay a ransom payment. Matt, is there anything else that should be considered?

MATTHEW: Yeah. There's a number of other things that should be considered when we look at this. Just going back to the previous question, it's not just your systems that you need to be concerned about. It's also your service providers, people that provide you with support in your day-to-day activities and how they may be impacted for a ransom event or a ransomware event. I know that there are some considerations for that within this consultation, so it will be interesting to see whether there is consistency across both the direct healthcare organisation and also the service providers to the healthcare organisation.

The other things to consider slightly outside of the health and social space is that for other businesses, really, if the bad actors lose this avenue to potential easy money, if you like, they could go after other industries or potentially look at other geographies or geographical areas where there isn't this restriction on the payment of ransom. So, they decide they're not going to go after the UK health services. They could go after the European ones or Australia or somewhere else along those lines. So yeah, a number of considerations there that perhaps don't directly impact the health and social sector in the UK but are I expect part of the considerations of the consultation.

RACHEL PHILLIPS: That's interesting, and that leads me to think, Matt, that, so let's just say it gets pushed out of the UK, but given the interconnectedness, globally, you can see situations where other sectors are impacted, which could then cascade down and impact health and social care through suppliers, for example, and customers, etcetera. You can see that potential effect, I'm assuming, as well. So they may still be impacted but not directly?

MATTHEW: Yeah, absolutely. And not everybody's service provider will sit in the UK. So even if the consultation does consider the direct service providers to health and social care, if any of those service providers sit outside of the UK, I expect they would probably fall outside of this consultation.

RACHEL PHILLIPS: Thank you both for your insight into what is currently a government proposal under consultation. We, of course, wait to see how this proposal takes shape and its final scope. However, there remains no doubt that due to the criticality of care provision and the richness of data held, the health and social care sector will remain a target for cyber attack.

However, there is much providers can do to improve preparedness for an attack and enhance their own organisational resilience. And I guess the final message is for organisations to continually consider cyber insurance as part of your risk management armoury. To inform your decision making in this regard, seek first to fully understand the type of scenarios you're exposed to, the impact if an incident occurs, its financial materiality to your organisation, and the scope of protection provided by other insurances you have in place. Ian, Matt, it's been a pleasure chatting with you both today on WTW's The Anatomy of Risk.

The information in this podcast is believed to be accurate at the date of publication. This information may have subsequently changed or have been superseded, and should not be relied upon to be accurate or suitable after this date. This podcast offers a general overview of its subject matter. It does not necessarily address every aspect of its subject or every product available in the market. It is not intended to be, and nor should it be used to replace, specific advice relating to individual situations. We do not offer, and this should not be seen as, legal, accounting, or tax advice.

If you intend to take any action or make any decision on the basis of the content of this publication, you should first seek specific advice from an appropriate professional. Some of the information in this publication may be compiled from third party sources we consider to be reliable. However, we do not guarantee and are not responsible for the accuracy of such. The views expressed are not necessarily those of Willis Towers Watson. For further authorization and regulatory details about our Willis Towers Watson legal entities operating in your country, please refer to our Willis Towers Watson website. It is a regulatory requirement for us to consider our local licensing requirements.

Podcast host

Rachel Phillips
Health & Social Care Leader, GB Retail

Podcast guests

Ian Cairns
Cyber Risk Consultant (GB Cyber Risk Solutions)
Global FINEX

Matt Ellis
WTW Director, FINEX PI, Technology, Media & Telecoms Industry Group