The healthcare industry's cybersecurity investments are expected to increase as cyberattacks increase.
Cybersecurity attacks are particularly dangerous for healthcare
Weak cybersecurity measures put organizations at serious risk. Affected companies suffer operationally, when systems become unusable; reputationally, as customers lose trust; and legally, as increasingly stringent regulators seek to punish them. The healthcare industry is particularly vulnerable because it uses extremely sensitive data. Pharmaceutical companies own intellectual property and proprietary scientific data, medical device manufacturers develop connected devices, and healthcare companies collect and use patient data.
Additionally, operational roles are often, quite literally, a matter of life and death. Security breaches in the healthcare and drug industries cost more than in almost any other industry.
Merck & Co: the most significant healthcare cybersecurity attack and a precedent for insurance cases
In 2017, a Russian malware attack paralyzed 30,000 Merck & Co computers and disrupted operations for two weeks. Merck estimated the damage at $1.4 billion. NotPetya, the malware used in the attack, penetrated Microsoft systems that did not have a security patch installed.
Damages included a loss of approximately $260 million in global drug sales in 2017 due to Merck's inability to fulfill product orders in certain markets. Expenditure related to manufacturing and remediation efforts totaled $285 million in 2017. In addition, drug sales in 2018 were negatively impacted by approximately $200 million because of a remaining drug backlog. Merck was also unable to meet the demand for Gardasil 9, a human papillomavirus vaccine, due to the temporary suspension of production, and borrowed Gardasil 9 from the Centers for Disease Control and Prevention's pediatric vaccine supply. Merck replaced some of the borrowed doses in 2017, costing the company $125 million.
Merck's cyber insurer Ace American refused to cover the losses on the grounds that the attack was part of an "act of war" (the malware was developed by the Russian military to attack Ukraine in 2017). Merck sued Ace American, and the New Jersey Superior Court ruled in Merck's favor in December 2021. The company was paid $1.4 billion. As a result, many health insurance companies have updated their clauses on cyberattacks and acts of war.
Post Covid-19, cyber risk is higher than ever
The rush from in-person care to virtual care and digital monitoring, and from office work to remote work, amid the Covid-19 pandemic has significantly increased cyber risk. The increasing use of technology, especially the cloud, increased the potential attack surface, and the speed of the transition meant that many IT security teams did not have enough time to install the appropriate security measures. Healthcare companies, particularly hospitals and pharmaceutical companies, reported spikes in attempted cyberattacks, with government agencies like the Federal Bureau of Investigation warning of the heightened threat.