In the wake of recent devastating ransomware attacks on the healthcare sector, it’s more important than ever that companies within the life insurance industry ensure their cyber security is robust and constantly updated.
Globally, cybercriminals now have healthcare firmly in their sights with their attacks disrupting services and compromising sensitive patient data.
In June 2024, Synnovius, a supplier of diagnostic and pathology services, was the target of a ransomware attack that compromised patient data and meant NHS England had to postpone more than 2,000 appointments and 1,100 operations.
In February 2024, the US saw a destructive cyberattack on Change Healthcare, one of the largest health payment processing companies in the world, which acts as a clearing house for 15 billion medical claims each year and accounts for nearly 40% of all claims.
The attack knocked Change Healthcare, a subsidiary of global health company UnitedHealth, offline, creating a backlog of unpaid claims that left doctors’ offices and hospitals with serious cashflow problems and threatened patients’ access to care.
Worryingly, millions of Americans may have had their sensitive health information leaked to the dark web, despite UnitedHealth paying a ransom to the cyber attackers.
As the Change Healthcare system demonstrates, not only do these attacks affect vital surgery and health services, but stolen patient data threatens privacy and can be used to leverage financial gain.
Security cannot be abdicated to third parties
Life insurers, like healthcare services, hold a great deal of sensitive data that could be used against customers in the event of a cyber breach.
One particular area of concern, recently demonstrated by the Synnovius attack by Russian hackers, who stole more than 300 million patient records including blood results for HIV and cancer, is the focus of cybercriminals on third-party suppliers of healthcare organisations.
The fact they are so frequently targeted suggests the security of some suppliers is not up to the required standards.
The Synnovius attack serves as a timely reminder the responsibility for data and cyber security cannot be abdicated to third parties.
Ultimate responsibility lies with the organisation that holds the relationship with the customer, or to put it in GDPR speak, the data controller.
The life insurance industry has a duty to carry out rigorous and continuous oversight of not only its own cyber security but also that of partners and suppliers.
Duty to be vigilant
It is imperative the sector upholds the highest standards and ratifies them against recognised frameworks such as the UK Government-backed Cyber Essentials, and ISO/IEC 27001.
We treat our customers’ data with the care and diligence we’d expect others to treat our own data.
We guard against threats with cyber essentials and are targeting to be ISO accredited by April 2025.
These information security management systems provide companies with guidance for setting up, maintaining and continually improving their cyber security.
Being certified by these schemes demonstrates to customers and partners that there are appropriate controls in place to protect the confidentiality, integrity and availability of their data.
It is unlikely that any one individual has accountability for all supplier relationships in an organisation, so it’s crucial that appropriate supplier management controls are in place and that cyber security is embedded throughout the organisation and not just in the IT department.
We have gone to great lengths to bring the whole business on the cyber security journey and make continuous security improvements.
Today, the life insurance industry has access to more sensitive and confidential information about customers than ever before – whether that is data it has collected or provided by third parties, and it is our duty to be vigilant and safeguard it from those who would misuse it for their own gain.