By Matthew C. Bertke, CPA, MBA, Product Development Manager

Healthcare providers are under attack. Cybercriminals want their data, and they’re using multiple methods to steal it. Although cyberattacks may seem like old news, now is not the time for complacency. Healthcare organizations must take steps to protect themselves and their data.

Common Types of Attack

Cybercriminals use several, sometimes overlapping, methods of attack.


Ransomware is a type of malware. It infects a computer or computer system and encrypts the files contained within. Then the ransomware delivers a message: pay a fee to retrieve the files or lose them forever. Some organizations agree to pay the ransom. However, there are no guarantees that this strategy will work. The cybercriminal may demand more money, launch another attack, or not release the files despite payment. 

Wolverine Solutions Group, which performs services for healthcare organizations in Michigan, experienced a ransomware attack in 2018. According to Becker’s Hospital Review, the attack compromised the personal data, including Social Security numbers, of up to 15,000 patients.  

When a healthcare organization loses its data, the outcome can be devastating. According to InCyberDefense, Brookside ENT & Hearing Services had to shut down permanently after ransomware destroyed all of its patient records.


Other Malware

Ransomware is an especially common and malicious type of malware, but there are others. Due to the personal data they possess, healthcare organizations are a prime target for malware attacks. Some of these programs are designed to steal data in a stealth manner and businesses may not even realize their computers are infected. Trojan malware is disguised as an innocuous program, tricking people into downloading it. Emotet and Trickbot, two malware programs, have been infecting computers recently.



Cybercriminals use phishing attacks to trick people into clicking on malicious links or sharing sensitive information. In spear-phishing attacks, the effort is personalized to the individual being targeted, increasing the likelihood that the recipient will click.

Anthem agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights, after suffering a data breach that violated the Health Insurance Portability and Accountability Act (HIPAA). Anthem discovered that a successful spear-phishing attack of a subsidiary led to the data breach.



Data breaches are a major threat for the healthcare industry. While some of these breaches stem from malware and phishing attacks, others are caused by employee mistakes. Employees may email information to the wrong person, for example, or lose equipment containing sensitive files.

When a healthcare organization experiences a breach, it may run afoul of HIPAA regulations. According to the U.S. Department of Health and Human Services, Fresenius Medical Care North America experienced five separate data breaches and, in accordance, was required to pay $3.5 million in settlement costs.


Securing Your Castle

One way to think about protecting data is to visualize your healthcare organization as a castle. Protecting this castle, and the patients, employees, and data inside, requires a multifaceted defense system including:  

1. A strong wall – This is your firewall.
2. A watch tower – This is your antivirus protection.
3. A moat – This is your encryption.
4. A dragon – This is the latest security patches and updates.
5. Guards – These are your employees, who have been trained on how to avoid malware and phishing scams and keep data safe.

These defense strategies can be used to fortify your castle, but your business will always have vulnerabilities. Even the safest of castles were occasionally vulnerable when its drawbridge was lowered to address commerce and other day to day activities. Similarly, your business data will be less secure, at times, to address the everyday aspects of sharing data with business partners, patients, employees, etc. These business needs create the weaknesses points that hackers are eager to exploit. 


Plan of Action

Do not dismiss cybersecurity as an IT issue. Everyone plays a role in keeping a healthcare organization’s data secure and everyone takes responsibility when things go wrong. This includes board members.

While prevention is a smart strategy, it is not 100% effective, so it is equally important to be properly insured. Just as you have a written plan for responding to potential natural disasters, you should have a written plan for responding to potential data breaches. The question isn’t IF you’ll be hacked, it is WHEN.

In the event of a breach, both your organization and your board could face lawsuits. There may be some overlap between D&O, general liability, and cyber policies, but do not assume that one policy type will provide all coverage needed. Check your D&O and general liability policy to see whether it covers cyber events. Check your cyber policy to see whether it covers board members within the Definition of Insured.

If you have professional medical liability insurance with Coverys, we provide you with the most prominent “cyber” coverages as well as data breach risk management information. Learn more here.