Cyberattacks are especially dangerous to healthcare

Weak cybersecurity measures expose companies to serious risk. Victim companies suffer operationally, as systems are rendered unusable; reputationally, as customers lose trust; and legally, as ever-stricter regulators seek to punish. The healthcare industry is particularly vulnerable because it handles extremely sensitive data: pharma companies hold proprietary scientific data and intellectual property, medical device companies develop connected devices, and healthcare providers collect and utilise patient data.

Additionally, operational functions are often literally matters of life and death. Breaches in healthcare and pharma cost more than those in almost any other industry.

Merck & Co: healthcare’s biggest cyberattack and a precedent for insurance cases

In 2017, a Russian malware attack disabled 30,000 Merck & Co computers and halted its operations for two weeks. Merck estimated the damages at $1.4bn. NotPetya, the malware employed in the attack, spread through Microsoft systems on which a security patch had not been installed.

The damages included a loss of approximately $260m in global drug sales in 2017, as Merck could not fulfil orders for products in certain markets. Expenses related to manufacturing and remediation efforts totalled $285m in 2017. In addition, 2018 drug sales were negatively impacted by approximately $200m due to a residual backlog of drug orders. Merck was also unable to meet demand for Gardasil 9, a vaccine against the human papillomavirus, because of the temporary production shutdown, and borrowed Gardasil 9 from the US Centers for Disease Control and Prevention’s (CDC’s) Pediatric Vaccine Stockpile. Merck replenished a portion of the borrowed doses in 2017, costing the company $125m.

Merck’s cyber insurer, Ace American, refused to cover the breach on the grounds that the attack was part of an ‘Act of War’ (the malware was created by the Russian military in 2017 to target Ukraine). Merck sued Ace American, and the New Jersey Superior Court ruled in Merck’s favour in December 2021. The company received a $1.4bn payout. Many healthcare insurers have consequently updated their policy clauses covering cyberattacks and acts of war.

After Covid-19, cyber risk is higher than ever

The rush from in-person care to virtual care and digital monitoring, and from office-based work to remote working, during the Covid-19 pandemic significantly increased cyber risk. The increased use of technology, especially cloud services, expanded the potential attack surface, and the speed at which the transition had to happen meant many IT security teams had insufficient time to put adequate security defences in place. Healthcare companies, especially hospitals and pharma companies, reported increases in attempted cyberattacks, and government bodies such as the Federal Bureau of Investigation issued warnings about the heightened threat.

Healthcare cybersecurity investment is growing

Between 2020 and 2025, cybersecurity spending by healthcare providers and payors is forecast to grow at a compound annual growth rate (CAGR) of 8.1%, from $4.59bn to $6.77bn. Over the same period, cybersecurity spending by pharma is forecast to grow at a slightly lower rate of 7.4%, from $2.1bn to $3bn, and medical device spending at a rate of 7.3%, from $869m to $1.2bn.