Ransomware In Health Care: An Insurance-Based Analysis

The medical field recognizes a standard pre-procedure verification process called a "time-out" that occurs prior to any invasive procedure requiring patient consent. This is an element of the Universal Protocol and includes a deliberate pause in activity among all members of the treatment team and a checklist review of patient demographic information, medical history, and medical procedure details. The Universal Protocol has been a mandated practice in all hospitals accredited by the Joint Commission since 2004.1 It is formally endorsed as an industry best practice, with National Time-Out Day recognized annually at the behest of the Association of Perioperative Registered Nurses2 with support from the World Health Organization.3 The standard procedure is mandated as a way to prevent egregious medical errors, including wrong person or wrong procedure surgery.

Compliance with the time-out procedure is dependent on the health team's access to patient medical records. Increasingly, patient medical records are created, stored, and accessed by medical professionals in electronic form. In fact, in 2015, 87 percent of all U.S.-based physicians reported use of electronic medical records (EMRs).4 An EMR is a digital version of a patient medical chart containing a patient's medical history, including information on patient allergies, current medications, lab results, and diagnosis, as well as basic demographic information, including home address, personal phone number, and personal point of contact information.5 A patient EMR might also include details such as medical diagnoses, date of birth, and Social Security number.

Exploiting Extreme Duress: The Explosion of Ransomware in the Health Care Field

Imagine, then, you are a physician administering care or a surgeon preparing to operate when suddenly your health care facility's computer systems become inaccessible. This scenario, which is becoming increasingly common, was the case in the recent global ransomware attacks Petya and WannaCry, in which attackers exploited a vulnerability in Microsoft Windows software.6 Ransomware is frequently installed when a user clicks a URL link or opens an attachment sent via email by a malicious threat actor. The ransomware then encrypts files on both individual computers and entire networked servers, making them inaccessible to users, including health care professionals who require access to provide patient care.

The WannaCry attack struck more than 30 facilities in England's vaunted National Health Service.7 The immediate result was chaos. Physicians and staff had to put together and store makeshift files with paper and pen, and some hospitals told patients not to come to emergency centers unless their conditions were urgent.8 In Jakarta's Dharmais Hospital, Indonesia's biggest cancer center, hundreds of people packed waiting areas, unable to receive treatment as a result of the WannaCry ransomware incident.9 In India, EMRs in the state-run Berhampur City Hospital were encrypted by WannaCry, seriously disrupting e-medicine services.10 In the United States, the Petya virus affected health care, hitting Heritage Valley Health Systems, a Pennsylvania health care provider, and its hospitals in Beaver and Sewickley, Pennsylvania, and forced operations to be canceled.11 Also in the United States, for the first time on record, there were even several reports, acknowledged by device manufacturers, that the WannaCry malware had infiltrated connected, Internet of Things (IoT) hospital medical devices and rendered them inoperable.12

Business email loss accompanying ransomware. Successful ransomware attacks often include a human element. As a result, ransomware has become embedded in an accompanying phishing-threat landscape.13 Ransomware phishing emails contain a malicious link or file that attackers must induce recipients to click or open in order to unleash the accompanying ransomware.14 Increasingly, these attacks rely on soft targeting by functional area. In contrast to broadly dispersed email scams, soft targeting focuses on a category of individuals based on their role within an organization.15 Furthermore, these can include attacks tailored to and directed at specific employees.16

One plausible ransomware scenario also includes additional business email loss arising from a fraudulent wire instruction request. For example, an email might arrive from an individual pretending to be a vendor of the hospital, requesting that future payments be transferred to a new account number. In a soft-targeted phishing attack, a threat actor would create an email resembling one from the vendor's accounting manager and send it to the hospital accounting department coordinator, requesting that the wire transfer information be updated administratively, perhaps explaining that the vendor was consolidating accounts, and including an attachment with the new account information. These fraudulent wire request emails can appear deceptively authentic because of spoofed email domains, replicated signature lines and letterheads, and other personal details gathered through online research. Accordingly, an unsuspecting hospital staff member may open the attachment and change the payment destination, so that the next time a payment from the hospital is transferred, be it a few hundred or several million dollars, it falls into the hands of cyber thieves.
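The wire-instruction scenario above rests on two technical tells that an accounts-payable mailbox can screen for before anyone acts on a request: a sender domain that imitates a known vendor (spoofed or lookalike domain) and a request to redirect payment. The following is an added illustration, not code from the article or from any hospital or insurer it discusses; the vendor allow-list, the three sample messages and the thresholds are constructed for the example. It flags any payment-change request for out-of-band verification and raises the risk when the sender domain is a lookalike of a vendor on file or the Reply-To header points somewhere other than the From domain.

```python
"""Screen vendor emails for business-email-compromise traits before a payment change is made.

Constructed example: the vendor allow-list, sample messages and thresholds are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of legitimate vendor domains (assumption, not real data).
KNOWN_VENDOR_DOMAINS = {"medsupplyco.com", "labservices.org"}

# Phrases that typically accompany a request to redirect payments.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew (bank )?account\b",
    r"\bupdate(d)? (our |the )?(wire|payment|banking) (details|instructions|information)\b",
    r"\bconsolidat(ing|ed) (our )?accounts\b",
    r"\brouting number\b",
]


def normalize_domain(domain: str) -> str:
    """Collapse common visual substitutions (rn->m, 0->o, ...) so lookalikes compare equal."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the vendor domain this domain imitates, or None (an exact match is legitimate)."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        known_norm = normalize_domain(known)
        if norm == known_norm or edit_distance(norm, known_norm) <= 2:
            return known
    return None


def assess_payment_change_email(raw: str) -> dict:
    """Return {'risk': 'low'|'medium'|'high', 'reasons': [...]} for one RFC 822 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    reasons = []
    payment_change = any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS)
    if payment_change:
        reasons.append("requests a change to the payment destination")
    imitated = lookalike_of(from_domain)
    if imitated:
        reasons.append(f"sender domain {from_domain} resembles vendor domain {imitated}")
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Any payment change needs a callback to the number already on file; spoofing tells make it high.
    if payment_change and (imitated or reply_domain != from_domain):
        risk = "high"
    elif payment_change:
        risk = "medium"
    else:
        risk = "low"
    return {"risk": risk, "reasons": reasons}


# Constructed sample messages (hypothetical addresses and domains).
SPOOFED = """From: Accounts Payable <ap@rnedsupplyco.com>
Reply-To: ap@rnedsupplyco.com
To: payments@examplehospital.test
Subject: Updated wire instructions

Hello, we are consolidating accounts. Please update our banking details
to the new account in the attached form before the next payment run.
"""

MISMATCH = """From: Billing <billing@labservices.org>
Reply-To: billing.labservices@webmail.example
To: payments@examplehospital.test
Subject: Please update payment information

Our routing number has changed; see the new account details below.
"""

LEGIT = """From: Accounts Payable <ap@medsupplyco.com>
To: payments@examplehospital.test
Subject: Invoice 4471 attached

Please find the invoice for last month's order attached. Terms unchanged.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("mismatch", MISMATCH), ("legit", LEGIT)):
        print(name, assess_payment_change_email(sample))
```

The "medium" verdict is deliberate: a payment-change request from a genuine vendor address still warrants a phone call to the contact number already on file, since a compromised vendor mailbox produces exactly that message. Header checks of this kind complement, rather than replace, SPF/DKIM/DMARC enforcement at the mail gateway.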

From an insurance coverage perspective, this type of phishing loss is complex and unsettled, frequently leaving room for coverage gaps under many policies. While these losses often resemble traditional theft of property, crime and bond insurers have contested coverage for the payment amounts because they result from the "authorized" acts of unsuspecting employees.17 Computer-fraud coverage has similarly been contested. Most recently, the U.S. District Court for the Northern District of Georgia held in a decision on computer fraud coverage, InComm Holdings, Inc. v. Great American Insurance Co., released on March 16, 2017, "That a computer was somehow involved in a loss does not establish that the wrongdoer 'used' a computer to cause the loss. To hold so would unreasonably expand the scope of the Computer Fraud Provision, which limits coverage to 'computer fraud.'" The court, which accepted Great American's declination of coverage in a loss scenario that included an exploitable coding error in the insured's computer systems, further explained that "[l]awyerly arguments for expanding coverage to include losses involving a computer engaged at any point in the causal chain—between the perpetrators' conduct and the loss—unreasonably strain the ordinary understanding of 'computer fraud' and 'use of a[ ] computer.'"18 The InComm Holdings court cited another recent decision from the U.S. Court of Appeals for the Fifth Circuit, Apache Corp. v. Great American Insurance Co., which also found that the mere use of computers in the business email loss fraud was insufficient for computer fraud coverage. The court reasoned that computer fraud coverage, which required that the covered loss result "directly from the use of any computer to fraudulently cause a transfer," did not apply because a computer was but one step in a process leading to the authorized payment to fraudulent accounts.19 Business email loss coverage falls short in other areas as well, including forgery coverage. In a loss scenario where an accounting firm employee...
