Tales from the Cyber War Trenches
CSI: Mayberry Hospital
Cybercrime and Benefits Plans

Tales from the Cyber War Trenches

Evolving attacks do more than digital damage

By Brant Couch, CIC, CPA

“If we ever have to pay a ransom, I will cut my throat.” – IT Director: who is still alive after hospital paid $750,000 ransom Imagine how you would feel when, after going above and beyond to protect your hospital, your EHR system fails. Just imagine… it’s stopped dead, with no backup, and cyber criminals are demanding $1.6 million in exchange for an encryption key… a key that may, or may not, work.
Since I began writing about cyber security nearly a decade ago, the nature of cyber warfare has evolved. Then, the primary concern was data-breach prevention; stopping criminals from stealing patient records was job #1. Now, as cyber criminals continue to innovate, hospitals are increasingly concerned about cybercrimes that threaten their ability to conduct normal operations.
Malicious threats like zero-day malware, ransomware, spyware and scareware are on the rise. Older threats like phishing, unintended disclosure, and human error have not abated. Increasingly, when these threats become real, hospitals suffer from loss of critical operational data, business interruption, and ever-larger amounts of financial harm.
“They stole our holidays!”
That the executive team at Coryell Health in Gatesville Texas had to work through the 2019 Christmas holidays added insult to a very costly cyber war injury.
Speaking as a member of an online panel discussion I moderated during the TORCH Fall 2020 Conference, CEO David Byrom said, “It was a horrible event, it shut everything down: clinical documents, financial data, in patient, outpatient… we couldn’t send out bills.” He was describing a cyber-attack during which criminals found a flaw in their system and shut it down with malware.
“Our systems started failing on December 16th but it took three days to realize we were being attacked. It shut down access to our outside servers but, thankfully, our vendor managed to get EHR working again after one week.”
What would it be like for your hospital not to have EHR access for one week?
It gets worse. With the attack infecting 150 workstations, the only course of action was to shut everything down, and rebuild from the system’s backup. But, despite rigorous procedures and systems, Coryell’s backup was unavailable. The criminals asked for $1.6 million but David and his consulting team were able to negotiate that down to $750,000. “We had to pay the ransom, their encryption key was all we had to work with,” Byrom said.
“I was a little arrogant, because of what I thought we had in place to prevent this.”
Take a look at the integrity of your hospital’s cybersecurity. Are you protected on all fronts? Are your preventative measures, including policies, procedures, technology, training, and education the best you can afford? Do you have a breach response strategy that includes some form of legal, forensics, notification, credit/identity monitoring and crisis management?
What about insurance? Do you have first party coverage for business interruption loss and dependent business loss incurred as a result of security breach/system failure? What about cyber extortion loss, data recovery costs, data and network liability, regulatory defense and penalties, payment card liabilities and costs, and media liability?
Exhausting, right?
You bet it’s exhausting… but, that’s the nature of being in what is now a never-ending war.
“We had three ransomware attacks in the past that we recovered quickly from by deleting the virus and rebooting the server,” Byrom said. “But, this time, we had several failure points that brought us to our knees. The crux was we thought the backup was occurring but the backup was incomplete… our system showed it was there… but it wasn’t.”
David Byrom and his team have been staying ahead of the cyber security game through exceptional diligence and focus. You may think it was simply a stroke of bad luck that forced them to pay $750,000 for the encryption key to unlock their data. And, perhaps you are right. But, here’s another thought you may wish to consider: As cyber criminals continue to devise increasingly insidious ways to break into and wreak havoc in your business systems, are you content with the work you’ve done… or, perhaps you see that the work never ends?
People, people, people! As cyber crooks continue to contrive ever-craftier deceptions, it is increasingly essential for every single person who has access to your hospital’s data, network, and literally any digital device, to be constantly on the lookout.
The need for cyber safety training, awareness, and rigorous diligence, is highlighted by a cyber battle waged against Hill Country Memorial Hospital in Fredericksburg, TX. Panelist and CEO Jayne Pope told the TORCH audience, “Our front door wasn’t wide open. Our first line of defense is our team and we had just done some intensive team education. Despite this, we fell into a trap.”
In response to a phishing email, a Hill country clinical director entered info into what she thought was a legitimate portal. It wasn’t. By logging in she was giving up her credentials including her password.
“We believe the criminals wanted patient records. We saw after review, that they were creating fake invoices,” Pope said. “We had bought insurance that year and this was the first test… the insurance was the only positive aspect of the incident.”
To cover any potential liability, and even though no patient records were stolen, Hill Country decided to follow a breach response protocol by providing full disclosure of the incident to patients.
>Wash, rinse, repeat
That incident occurred in 2017. In 2019, the cyber crooks came after Hill Country again. This time they gained access to the CFO’s email account and sent a bogus invoice to the hospital’s accounts payable clerk. Even though the invoice was fake, it was readily apparent, and, when the clerk looked up the legal firm, it was legitimate. The invoice was paid.
Emboldened, the crooks tried the scheme a second time, but this time the fake invoice was flagged.
“The lesson we learned is to always be one step ahead. We now conduct frequent cyber audits… one is currently ongoing,” Pope said. “We continue to dig deeper and deeper. We have pages and pages about what we are doing as a result”
Never go it alone when fighting back
These cyber war veterans, and other hospital CEOs like them, are not merely surviving. They are protecting and making real, the promise that technology can do its part to empower high-quality, sustainable healthcare in rural communities.
For its part, HealthSure has launched a new initiative we affectionately call CSI – short for Cyber Security Insurance.
It is a 360° approach, giving hospitals access to a comprehensive set of solutions created to protect them from the dangerous world of cyber risks.
CSI provides breach response services for up to five million persons along with coverage for payment card industry costs, regulatory defense and penalties, and first-party and crime coverage. All CSI policyholders have access to pre-breach and risk management services.
As you can tell from the cybercrimes described above, preparing for and preventing breaches have become inseparable from insuring a cyber loss. That’s why CSI gives hospitals access to dedicated services that focus exclusively on managing cyber incidents successfully. We know a cyber breach isn’t always a disaster. Mishandling it is.


Cybercrime and Benefits Plans
According to recent estimates from the University of Maryland, there is a cyberattack every 39 seconds. Data breaches and cyberattacks are daily headlines—and employee benefits plans are no exception to that threat. In fact, employee benefits plans are even more vulnerable as the coronavirus pandemic continues. Organizations and benefits providers are relying heavily on electronic access, ultimately creating new vulnerabilities. The Risks Virtually any type of employee benefits plan is vulnerable to hackers. The plans can be exposed to risks relating to privacy, security and fraud. Retirement, savings and health plans are attractive targets for cybercriminals seeking access to plan assets and the personal information of participants and beneficiaries. Sensitive information is valuable information when it comes to cyberattacks. Benefits plans are at risk as a result of the following factors
  • Personally identifiable information such as Social Security numbers, birthdates and email addresses have significant value to hackers. That information can be misused over a long period of time since it is permanently associated with an individual.
  • Financial information, including enrollment data, account balances, direct deposit information and compensation are highly attractive. Hackers could target those online accounts to request loans, distributions and withdrawals.
  • Lastly, there are multiple attack points for hackers since benefit plans are connected to several outside service providers, such as those that offer retirement plans, health insurance, vision insurance, dental insurance, short-term or long-term disability insurance, and flexible spending accounts.
Some examples of cyberthreats include phishing, malware and ransomware attacks. Lost or stolen mobile devices, laptops and flash drives that hold personal information are additional tangible threats to benefits plans. The Consequences Cyberattacks on benefits plans can have substantial consequences for all parties involved. Consider the following: Significant costs may be incurred in detecting the extent of the breach, investigating and managing the incident response, recovering compromised data and restoring overall system integrity.
  • The theft of personally identifiable information and other plan assets may result in monetary losses to participants, beneficiaries, the plan, the plan sponsor and service providers.
  • Organizations may experience operational disruption and reputation damage as a result of a security breach. Additional costs will be incurred to respond to and resolve either of those issues.
  • Breaches of health plans may result in potential violations of the federal law that restricts release of medical information, exposing the plan sponsor and service providers to fines.

Small but important print This communication is designed to provide a summary of significant developments to our clients. Information presented is based on known provisions. Additional facts and information or future developments may affect the subjects addressed. It is intended to be informational and does not constitute legal advice regarding any specific situation. Plan sponsors should consult and rely on their attorneys for legal advice. ©2020 HealthSure. All Rights Reserved. ©2020 Zywave. All Rights Reserved.