Key cyber threats facing the UK healthcare sector



A digitised, connected healthcare sector is critical to providing effective care. But in order to protect patient data, ensure the availability of critical services, and build trust across communities, the healthcare sector must also be cyber resilient.

High dependence on business continuity, legacy systems, and large volumes of sensitive data make the UK healthcare sector a particularly attractive target for cyber criminals. What’s more, these attacks are becoming more frequent and causing ever-greater disruption. In June 2024, a cyber-attack on pathology provider Synnovis impacted thousands of procedures and appointments across six NHS trusts, and led to blood shortages. Other incidents in recent years, including those against NHS Dumfries and Galloway in February 2024 and the University of Manchester in June 2023, have seen patient data compromised and published online.

With this in mind, this article looks at the key cyber threats facing the UK healthcare sector, and how comprehensive insurance can help organisations to strengthen their cyber resilience.

1. Most healthcare claims are due to a breach of personal data

Most healthcare claims involve a breach of personal data, typically belonging to patients but also to employees, according to Lockton UK claims data. This finding is not surprising, since privacy breaches also result from non-malicious incidents, such as the failure to use blind carbon copy (BCC) in emails. However, healthcare organisations are at greater risk of personal data breaches than other sectors by virtue of the type of data they hold. Our data reveals a steady volume of data breach claims.

Such incidents can lead to regulatory action and fines, as well as reputational damage.

2. Ransomware poses the most immediate cyber threat

Ransomware losses and claims have escalated in recent years, as cyber criminals have capitalised on immature cybersecurity controls. Attacks are less frequent than business email compromise (BEC). However, the consequences when they do hit are often substantial, disrupting operations and critical services, and leading to worse health outcomes and higher rates of mortality.

In 2022, a ransomware attack against Advanced Computer Software Group disrupted NHS trusts, social care bodies, and most notably the NHS 111 service – and exposed approximately 80,000 patient records. Advanced now faces a potential £6.09m fine from the Information Commissioner’s Office (ICO) for alleged failure to implement appropriate measures to protect sensitive personal data.

Earlier this year, the Government announced plans to ban public organisations and critical national infrastructure, including the NHS, from making ransomware payments. The move would bring the NHS into line with existing policy for government departments, and is likely to be a positive step in society’s battle against cybercrime. Currently, although NHS trusts (and their suppliers) are unlikely to pay a ransom, this does not deter attackers – resulting in a complex, protracted recovery period. Ransomware attacks have also been shown to cause psychological and/or physical harm among those tasked with managing the crisis.

3. Supply chain incidents on the rise

Mirroring a national trend, our claims data shows an uptick in global claims resulting from supply chain breaches during 2024. This has led to disruption, and, on occasion, loss of personal and sensitive data shared with the third party.

The nature of modern supply chains means that an attack on one organisation can have a significant impact on a whole network. Policyholders are also often powerless to influence the third party’s recovery timeline, and are therefore reliant on their own business continuity plans to minimise disruption. Most claims in this category draw on the business interruption cover under the policy.

4. Business email compromises remain a consistent danger

A form of phishing attack, BEC remains a consistent and persistent threat. Incident responders tell us that criminals are adapting their techniques and, in some instances, have been able to bypass multi-factor authentication (MFA).

National data tells us that most organisations will, at some point, be subject to a phishing attack. In the latest UK Cyber Security Breaches Survey, half of organisations reported having experienced a cyber security breach or attack, of which 84% were phishing attacks. These campaigns are often indiscriminate rather than specifically targeted at healthcare organisations.

Smaller organisations are particularly susceptible to phishing attacks. We expect these claims to rise with attackers using artificial intelligence to scale phishing campaigns.

How insurance can strengthen cyber resilience

In the face of a growing cyber risk, healthcare organisations must have sufficient protection in place to avoid disruption, monetary loss, and potential harm.

Working alongside efforts to proactively mitigate risk, cyber insurance provides cover for the costs of investigating and responding to a cyber-attack, as well as liabilities, including financial damages owed, expenses, and regulatory penalties (where insurable by law).

But cyber insurance doesn’t just offer cover for the above. A market-leading cyber policy offers several benefits that can help to limit the impact of a cyber-attack:

  • Incident response vendors to bolster stretched teams and alleviate pressure on employees. Drawing on experience, these seasoned professionals can guide healthcare organisations through a cyber-attack, limiting its impact and reducing harm.

  • Data breach and regulatory expertise to help navigate organisations through potential regulatory investigations and fines. This can be invaluable for organisations in the highly regulated healthcare sector.

  • Cyber risk expertise to help prepare for and mitigate potential attacks before they occur. Services include table-top exercises, external attack surface monitoring, cyber health checks, and discounts on cybersecurity tools.

  • Cover for third-party claims, including damages and claims expenses arising out of a privacy breach.

  • PR support to manage and minimise long-term reputational harm.

From an insurer’s perspective, the volume of aggregate losses in healthcare potentially outstrips that of other sectors. Unless threats to the sector abate, we anticipate that healthcare organisations may face higher levels of scrutiny when obtaining insurance.

For policyholders, this provides another incentive to bolster cybersecurity posture, and reduce individual exposure to cyber-attacks.

We’re here to help

Our experts are on hand to help you navigate a complex market for cyber insurance. Speak to your broker for more insight into the current market conditions, and how your organisation can make the most of the cover available.
