Cyber attacks are especially dangerous for healthcare
Weak cybersecurity measures expose companies to serious risks. Victim companies suffer operationally, as systems become unusable; reputationally, as customers lose trust; and legally, as increasingly strict regulators seek to punish. The healthcare sector is particularly vulnerable because it uses highly sensitive data. Pharmaceutical companies own scientific data and intellectual property, medical device companies develop connected devices, and healthcare companies collect and use patient data.
In addition, operational functions are often literally matters of life and death. Healthcare and pharmaceutical breaches cost more than those in almost any other industry.
Merck & Co: The Biggest Cyber Attack in Healthcare and a Precedent for Insurance Business
In 2017, a Russian malware attack disabled 30,000 Merck & Co computers and halted operations for two weeks. Merck estimated the damage at $1.4 billion. NotPetya, the malware used in the attack, penetrated Microsoft systems that did not have a security patch installed.
The damage included a loss of approximately $260 million in worldwide drug sales in 2017, as Merck was unable to fulfill orders for products in certain markets. Costs related to manufacturing and remediation efforts were $285 million in 2017. In addition, drug sales in 2018 were negatively impacted by approximately $200 million due to a residual backlog of drug orders. Merck was also unable to meet demand for Gardasil 9, a vaccine against the human papillomavirus, due to the temporary production stoppage, and borrowed Gardasil 9 from the U.S. Center for Disease Control and Prevention’s (CDC) pediatric vaccine stock. Merck topped up some of the loaned doses in 2017, costing the company $125 million. Merck’s cyber insurer, Ace American, declined to cover the breach on the grounds that the attack was part of an “act of war” (the malware was created in 2017 by the Russian military to target Ukraine). Merck sued Ace American and the New Jersey Superior Court ruled in Merck’s favor in December 2021. The company received a payout of $1.4 billion. Many health insurers have therefore updated their clauses regarding cyber attacks and acts of war.
After Covid-19, cyber risk is greater than ever
The rush from in-person care to virtual care and digital monitoring, and from office work to remote work, amid the Covid-19 pandemic, significantly increased cyber risk. The increased use of technology, especially the cloud, increases the potential attack surface, and the speed required of the transition meant that many IT security teams did not have enough time to install adequate security protections. Healthcare companies, especially hospitals and pharmaceutical companies, reported an increase in attempted cyberattacks, and government agencies such as the Federal Bureau of Investigation warned of the increased threat.
Investments in healthcare cybersecurity are growing
Between 2020 and 2025, cybersecurity spending by healthcare providers and payers is expected to grow at a compound annual growth rate (CAGR) of 8.1%, from $4.59 billion to $6.77 billion. Over the same period, pharma cybersecurity spending will grow slightly more slowly, at 7.4%, from $2.1 billion to $3 billion. Medical device spending will grow 7.3%, from $869 million to $1.2 billion.