Get a Quote

Liberty Mutual Insurance > Business Insurance > Insights > 3 ways ransomware attacks can amplify liability risk for healthcare systems

In 2020, more than a third of healthcare organizations in America experienced a ransomware attack. These events often fly under the radar, but that doesn’t make them any less devastating than incidents that make headlines, like the recent attack on the Colonial Pipeline. According to a study by Sophos, the average ransomware attack on a healthcare organization costs more than $1 million — but ransomware attacks have more than just a financial impact.

“Hospitals, medical facilities, and their physicians have sensitive patient information on their systems,” says Monica DiCesare, chief underwriting officer at IronHealth^®, a division of Ironshore. “That information is critical to protect, because it’s critical to ensure patient safety.” A cyberattack could put patient lives at risk and open the hospital to even more costly medical malpractice and liability claims. Here are three interconnected risks that healthcare organizations might face in the wake of a ransomware attack — and how they can help mitigate their exposure.

1. Encrypted data and medical malpractice suits

Doctors and nurses rely on technology to do their jobs — so when those systems go down, hospitals are at an increased risk of medical malpractice suits. “We’ve become so reliant on technology. When we don’t have that technology and data, we become inhibited. The physician can’t practice medicine to its fullest, which can later be construed as negligence, because they weren’t able to provide adequate or appropriate care,” says Dennis Cook, president of IronHealth.

Lack of access to patient data is a major problem for healthcare providers. When bad actors encrypt critical patient data, like drug allergies or prescription information, healthcare workers are more likely to make a mistake that may harm a patient. Delayed lab reports and other critical information may cause hold-ups in treatment, which can have dangerous consequences. On top of that, ransomware attacks can also lock intake systems. That means that ambulances carrying patients in critical condition may be rerouted to facilities miles away — costing precious time that many patients can’t spare.

“We’ve become so reliant on technology. When we don’t have that technology and data, we become inhibited. The physician can’t practice medicine to its fullest, which can later be construed as negligence, because they weren’t able to provide adequate or appropriate care.” – Dennis Cook, president of IronHealth

In fact, the first medical malpractice suit for a ransomware-related death is already on its way to the courts. In July 2019, ransomware paralyzed the systems at the Springfield Medical Center in Mobile, Alabama. Computers across the hospital failed, including data from fetal heartbeat monitors in 12 delivery rooms. The suit alleges this outage led to the death of a newborn baby. The outcome of the case won’t be known for some time, but the human cost of ransomware is undeniable.