A view from the Center

Deloitte's Life Sciences & Health Care Blog

Cyberattack readiness: The impacts of an attack may be larger than you think

In an era when connectivity is paramount, organizations have long focused on keeping personal data secure. Companies and stakeholders are beginning to acknowledge that cyberattacks are not only likely, but perhaps inevitable – and unfortunately, life sciences and health care organizations are at higher risk than other industries. A personal health record can sell for up to $50 on the black market, or about 50 times the amount of a credit card number, making health care organizations especially appealing targets.

Well aware of the direct costs of a data breach, organizations have expected their IT departments to keep customer and employee information safe. But cyber criminals – from “hacktivists,” to aggressive nation-states, to financially-motivated attackers – seem to always be one step ahead. The recent spate of ransomware threats directed against hospital systems underscore that cyber incidents are no longer just about theft and abuse of personal data or risk to credit card info. Organizations face a broader array of risks — theft of intellectual property, for example, or serious disruption to an organization’s core services — which can take a severe and rippling toll on business performance, and in the case of a hospital, put lives in jeopardy. So how should businesses prepare?

First, organizations need to have a better understanding of how a cyberattack might affect them. Even what might appear to be a typical breach of health records or patient data that we’d read about in the news can have extensive repercussions that aren’t visible to the public eye. Deloitte’s recent report, Beneath the surface of a cyberattack A deeper look at business impacts, quantifies how 14 impact factors — including many that are not immediately visible — can affect an organization in the days, months, and years following a cyberattack.

There are broad potential costs of a cyberattack:

...
To show the importance of using a wide lens to assess cyber risk, let’s consider a health plan company under cyberattack. For the sake of this example, let’s say the plan had 51,000 employees, 80 million customers, many through employer contracts, and that it’s seeking to raise $1 billion dollars to acquire a health system.

When a computer is stolen, hackers get their hands on millions of patient data records. But they also gain access to the company’s integrated health care application and reverse-engineer the software, creating a large number of false user IDs. The insurance company’s technical team notices that there is an increase in account registrations and suspicious amounts of patient records being downloaded, which prompts them to temporarily shut down the application. To replace the automated functions of the application, the company incurs costs to expand its call center to perform insurance validation and other functions manually.

The financial implications of identity theft suits and reputation damage are just some of the reverberating impacts that last for years. If this company had considered only the costs commonly associated with theft of sensitive patient records, it would likely have been dramatically underprepared for the actual business impact.

By looking realistically at the potential costs and impacts, business leaders can better size their investments, build targeted approaches to manage the biggest risk areas, and be more prepared if the worst case scenario occurs. As long as connectivity is paramount, breaches will occur. The key is to involve the right team – both technical and business leaders, focus on top business risk areas and assets, and continually evolve to address the evolving cyber landscape.

Author bio

Mark Ford is the Life Sciences & Health Care Cyber Risk Services leader for Deloitte & Touche LLP. He has consulted with hundreds of health care, life sciences, and health plan organizations, incorporating cyber security and privacy programs into their daily operations. He helps clients tackle the challenging problems they face in the ever-evolving cyber world. Mark advises his clients on how to manage changing regulatory challenges such as compliance with HIPAA and HITECH rules.