Prepping for rising cyber threats

March 05, 2025

This item originally appeared in The Medical Post's February digital edition.

Clinics don’t often have cybersecurity insurance, but some experts say that is a mistake

by Norm Tollinsky

The Information and Privacy Commissioner of Ontario's (IPC) office reported 27 ransomware attacks under the province's Personal Health Information Protection Act over a period of three years ending December 2023. Among them was an unnamed diagnostic imaging clinic that lost access to as many as 550,000 patient records and 1.6 million case files.

The ransomware group "encrypted and exfiltrated files from the electronic medical records and file sharing servers, deleted the backups and demanded ransom payment," according to the IPC incident report. The clinic had to pay the ransom to get its data back. PHIPA Decision 249 on the IPC website goes into detail on how the threat actor, a known hacking group, penetrated the clinic's system and recommends measures to prevent such attacks. The report doesn't divulge the amount of the ransom paid, nor does it say whether the clinic was covered by cybersecurity insurance.

More recently, on March 6, 2024, the Barrie Community Family Health Team in Ontario experienced "a cybersecurity incident" resulting in the theft of personal health information. The incident was reported to the IPC as required, but there was no public admission of a ransom being paid.

Given the increasing risk of data loss and the costs associated with it, do doctors and medical clinics have cybersecurity insurance? "I don't believe most do," said Ariane Siegel, General Counsel and Chief Privacy Officer of OntarioMD. "I think it's a very important coverage to consider because regular commercial insurance will not generally pay for a privacy breach or the expenses that accrue with it. So depending on the scale of your practice and how bad the damage is, you'll be responsible for footing the bill." Cybersecurity insurance is widely available. OMA Insurance, a subsidiary of the OMA, offers it as "a side-rider," but doctors and medical clinics have been slow to take advantage of it. Why? Siegel isn't sure. In some cases, it's not available because insurance companies insist on "a certain maturity in your systems, practices and procedures in order to qualify for it," she said.

Big fish and small

Doctors may also downplay the risk, thinking cybercriminals are more interested in "bigger fish," but that isn't necessarily true, according to Roger Beggs, CEO of DigitalDefence, a cybersecurity consulting company with a Canada-wide clientele. There are ransomware attacks that target specific institutions (hospitals, for example) because of their ability to pay lucrative ransoms, but also untargeted attacks by actors "who send out thousands of emails trying to get someone to click on a link. If that individual happens to be a doctor or a clerk in a doctor's office, they'll get hit," said Beggs.

The cybercriminal may start out demanding $150,000 but settle for $8,000 once they realize they're negotiating with a sole practitioner or a small medical clinic that doesn't have deep pockets. However, even after paying the $8,000 in Bitcoin, the victim has no guarantee of getting their data back, cautioned Beggs.

Sole practitioners and small clinics are also vulnerable because they don't generally have the IT support and protections in place to thwart an attack.

The cost of cyberinsurance could also dissuade doctors from taking advantage of it. Beggs estimates the cost of a policy at between $5,000 and $20,000. Brandon Bowie of Toronto-based Zensurance Brokers acknowledges that the cost could go that high but says, "We have quoted tons of medical professionals for cyber liability policies that are under $1,000 a year."

The cost depends on the size of the practice, how a clinic stores its data, how its system is secured and how diligent it is about cybertraining.

Protection begins with using a certified EMR with built-in security and privacy safeguards, said Siegel. In Ontario, 95% of doctors use an OntarioMD certified EMR and 80% of EMRs store data in the cloud, which is safer than local storage. If data isn't stored in the cloud, doctors should back up their data locally every night and store it offline. Also recommended are multi-factor authentication, prompt installation of software and hardware patches, strong passwords, regular cybersecurity training, and managed virus protection software as an alternative to the free stuff.

However, even with all this, there are no guarantees. Every doctor and medical clinic has to weigh the risks to their practice and make their own decision about purchasing cybersecurity insurance.