Published Thursday, December 19, 2019

Most professionals understand the basics of how ransomware works: your files and data are encrypted by malicious software, then a ransom payment is demanded to restore access. However, you may not fully recognize the devastating effect these attacks can have on a business – and that your chances of being targeted are higher than ever.  


While ransomware attacks once primarily targeted individuals and requested payments of a few hundred dollars, attackers have realized the real money lies in attacking companies. Healthcare organizations are especially attractive to these cybercriminals, thanks to the higher perceived likelihood of payment, the importance of the data stored on their networks, and the impression they are less prepared for ransomware demands.


As with most things in life, an ounce of prevention is worth a pound of cure. Healthcare organizations should recognize their ransomware risk and take action to protect employees, networks and data in the case of an attack. Here are some ways your company can defend against this growing threat:


Protect your employees 

  • Conduct regular security awareness training and phishing campaigns. 
  • Make sure employees always operate with least privilege.


Protect your network

  • Apply security patches within 30 days of release.
  • Use email filtering to block spam and phishing messages, and Web filtering to block access to malicious websites. 
  • Segment your network based on the classification level of information stored on its systems.
  • Monitor critical systems, avoid all unsupported operating systems or platforms, and have a process to decommission unused systems.


Protect your data

  • Back up business data regularly.
  • Test backups for restorability, and ensure they are stored offline and offsite. 
  • Have a formal Incident Response Plan (designed to quickly contain an incident) as well as Disaster Recovery and Business Continuity plans, and test them all annually. 

Healthcare organizations also need to be aware that trusted third-party vendors could become infected with ransomware. This might result in information becoming unavailable or, even worse, attackers using a vendor’s network access to spread an infection and impact your corporate systems. Some ways to be more resilient against these outcomes include:

  • Have a formal vendor management program that classifies each vendor’s type of data and level of access. 
  • Make sure every vendor operates with least privilege and requires multi-factor authentication. 
  • Require all vendors to protect information with safeguards at least as good as your own, and perform due diligence and annual audits to ensure they meet your standards.
  • Require vendors to defend and indemnify you if they contribute to a cyber event or HIPAA breach, and to have sufficient liquid assets and appropriate insurance coverage (which, depending on the vendor’s business, may include cyber, professional liability, and E&O) to cover their foreseeable liability.
  • Make sure each contract clarifies how data will be returned or destroyed at the end of an engagement.

Beyond taking steps to prevent ransomware attacks, your organization should prepare to respond quickly if an attack is successful. First, you’ll need to identify the threat and invoke the Incident Response Plan, taking time to contact law enforcement and your insurer. It may be necessary to power down systems as you work to contain the infection, so healthcare organizations should develop a process for providing patient care during EHR downtimes. After the malware is contained, it’s important to review the incident for lessons learned (preferably through a root cause analysis) and take all steps necessary to ensure a similar incident doesn’t happen again.


Unfortunately, a single ransomware attack can be devastating – and healthcare organizations may be especially vulnerable. By recognizing your risk and developing plans to prevent and respond to ransomware attacks, you’ll help protect your company – and its data – from this growing threat.
