As the third quarter of 2017 comes to a close, the major news outlets seem to have almost daily stories about the massive data breach that the credit data monitoring company, Equifax, discovered in late July. Given that almost half of the entire population of the United States might have had their personal and financial records exposed to cyberthieves in this breach, this news coverage is understandable. The news cycle's focus on the Equifax breach has obscured many of the other cyberattacks that have plagued businesses, healthcare providers, and government organizations in 2017. Five of the more egregious attacks are as follows:
- In early September 2017, the United States Securities and Exchange Commission (SEC) disclosed that hackers had breached its “EDGAR” electronic filing system some time in 2016, and that they might have used stolen information to engage in illegal stock trading. This cyberattack raises a number of crucial questions regarding the cybersecurity of the government’s network systems, when and how long it might take to detect a cyberattack, and an organization’s obligation to disclose a cyberattack to parties that might be affected by it.
- Cyberattackers sent shockwaves through England’s and Scotland’s National Health Service in May 2017 by launching a “WannaCry” ransomware attack and demanding more than $500,000 to release frozen files, along with threats to delete those files if the Health Service failed to pay the ransom. Over a period of several hours, that attack spread to computers in more than 100 countries before technicians were able to stop it. This attack apparently did not compromise any patient data, but it did expose a significant weakness in the administration of the National Health Service’s information systems organization.
- Also in May 2017, Molina Healthcare, a U.S.-based Medicaid and Affordable Care Act insurer, disclosed that a security flaw in its network had potentially exposed confidential healthcare records of almost five million patients to hackers. According to at least one analysis, Molina could have easily remedied the flaw that exposed those records. Moreover, experts believe that similar flaws continue to exist and to expose patient information in the networks of many other healthcare organizations.
- In June 2017, a group of hackers in Ukraine launched the “Petya” ransomware attack against multiple international companies, including shipping and infrastructure organizations across Europe. This attack raised the specter of government-sponsored cyber attacks, as cybersecurity experts theorized that this attack was catalyzed by entities with political connections and motives.
- Earlier in 2017, the internet infrastructure entity, Cloudflare, revealed that a bug in its network had caused regular leaks of sensitive personal data from six million customers across the internet. This data leak was not catalyzed by a cyber attack, and Cloudflare fixed the bug quickly. The company’s experience, however, reveals the risks of exposure of personal data when networks and systems are interconnected, and how those risks are elevated when one node in a network contains a flaw or weakness.
These situations show that healthcare entities are not the only organizations that have been targeted by cyber attackers in 2017. Nonetheless, healthcare providers and medical service organizations will remain high on the cyber attack target list because hackers know that healthcare cybersecurity tends to be weak, and that healthcare data is very valuable on the secondary dark web market. Healthcare providers can erect multiple technical defenses against cyber attacks, but even the best defensive systems will not stop every data breach. When a data breach does occur, a healthcare organization will likely face substantial direct costs and third-party liabilities, as well as large fines and expenses levied by regulatory bodies. Healthcare cyber insurance is the final defensive measure that healthcare organizations can rely upon to stem the financial losses associated with a cyber attack. The pace of cyber attacks in 2017 shows no signs of slowing down. The sooner a healthcare organization procures cyber insurance, the sooner it will be protected from potentially ruinous financial losses.