Healthcare organizations continue to find themselves at the forefront of cyber risk. Exposures such as IT supply chain dependencies, website tracking litigation, ransomware attacks, new security regulations, and data breach class actions put healthcare organizations of all sizes at high risk for cyber insurance claims. Understanding trends in cyberattacks, as well as the evolving regulatory and litigation environment, is critical to building resilience and maximizing insurance indemnification.
IT Supply Chain Dependencies
The February 2024 breach of a healthcare technology provider had a massive downstream effect on almost all touchpoints of the healthcare industry – hospitals, healthcare providers, pharmacies, drug companies, insurers, and patients. The attack demonstrated the risk of IT supply chain exposures in the healthcare industry segment, and the considerations healthcare companies should weigh as they engage with IT vendors and evaluate the dependencies involved in running their operations.
Website Tracking Litigation
Website tracking is the use of code, including pixels, cookies, or scripts, to capture data about how users interact with a website. Website tracking litigation is not the result of new regulations, but rather of the plaintiffs’ bar’s use of existing laws that never contemplated today’s technology when they were enacted, such as 1967’s California Invasion of Privacy Act, 1968’s Federal Wiretap Act, and 1988’s Video Privacy Protection Act. These laws carry statutory penalties ranging from $250 to $10,000 per violation. Healthcare organizations tend to be a bigger target for website tracking litigation than other industries, likely due to the highly regulated data that they collect and hold.
Ransomware
Healthcare organizations remain a significant target for ransomware threat actors. According to Comparitech, there were 118 confirmed ransomware attacks and 147 unconfirmed ransomware attacks against the US healthcare sector in 2024, which resulted in an average of 18 days of downtime. The healthcare industry tends to be targeted by ransomware threat actors because of the large amounts of healthcare and financial data being processed, as well as the critical need for operational uptime to support patients. On average, US healthcare organizations lose $1.9 million per day due to downtime from ransomware attacks. While improved cybersecurity controls have resulted in fewer ransoms being paid, the disruption caused by ransomware attacks remains significant.
New Security Regulations
In December 2024, HHS announced a proposed update to the HIPAA Security Rule that would require healthcare organizations to implement additional security controls, such as multifactor authentication (MFA), data encryption, vulnerability remediation, network segmentation, asset inventory, and proactive security testing. This proposed rule update has not yet been finalized and now falls under the purview of the new federal administration. Various states have required healthcare organizations to report breaches within a certain time period and to improve cybersecurity controls.