U.S. health insurers’ customer data at risk of cyber theft
The U.S. health insurance industry is facing increasing risks from cybercriminals jeopardising the security of its customer data. This is reportedly due to the sophisticated techniques used by hackers to gain access to private information, made easier by the expansion of remote healthcare delivery and digitisation of insurance transactions, billing, and clinical records.
Processing claims and uploading patient information to IT systems means that health insurers handle vast amounts of sensitive data on a daily basis that cybercriminals look to obtain. However, this type of data is protected in the U.S. by federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996, while other acts of law, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Patient Protection and Affordable Care Act (PPACA), have contributed to the increase in digitisation of patient health records.
A target for phishing, ransomware, and “man-in-the-middle” attacks
Due to the data health insurers store, they have become an ideal target for phishing scams, man-in-the-middle, and ransomware attacks. Hackers can gain access to health insurers’ data by inserting malware into legitimate data following an interaction, such as an email, with a customer. As more people in the health insurance industry work from home, the risk of having customer data stolen and used against insurers is rising. Complicating the problem further is the fact that personal medical tracking devices often do not contain built-in security features, allowing for relatively easy external access to patient records.
However, the increase in the adoption of remote healthcare services brought on by the COVID-19 pandemic has meant improvements to patients’ healthcare access, which may reduce insurance costs long term. The downside to this is that the increased usage of technology has increased health insurers’ exposure to third-party vendors and software systems.
How are health insurers protecting their customer data from cyberattacks?
One way that health insurance companies are preventing cybercriminal activity is through investing in advanced cybersecurity products. From 2020 to 2025, the U.S. healthcare industry aims to spend more than US$125bn on cybersecurity services and products. Cybersecurity Ventures says that the key to reducing threats is to identify gaps in IT systems in which the risks to critical data are highest. This includes identifying areas in hardware and software on mobile devices, workstations, servers, and laptops.
Ransomware-related insurance claims have also seen a rise, which has caused providers to change their terms and conditions and increase premiums. According to Fitch, price rises for cyber coverage “have accelerated over the past two years”, with renewal pricing for cyber coverage going up by 18% in the first quarter of 2021.
As a result, the costs have put a significant administrative strain on health insurers, and have raised premium rates for their customers. To ensure the rates are reduced as much as possible, healthcare insurers can invest more in cybersecurity to prevent further attacks and disruption.