
MARCH 2021

VOLUME XXXIV, NUMBER 12


cover story one

Ransomware in the Age of COVID-19

Addressing cybersecurity issues

By Matthew C. Bertke, CPA, MBA

2020 was a year that saw many changes and one that particularly affected the healthcare community. But while U.S. healthcare workers remained on the front lines heroically battling the COVID-19 pandemic, another hidden menace has been steadily increasing in prevalence under the radar.


As reported by the nonprofit news organization the Vermont Digger, on October 28, 2020, University of Vermont (UVM) Health Network fell victim to a ransomware cyberattack that affected over 5,000 computers and laptops. The extensive attack destroyed UVM Health Network’s computer infrastructure on which encrypted data resided and put both patients and staff at risk. 


The effect of the attack spread like pestilence throughout the organization. According to the Vermont Digger, UVM furloughed or reassigned about 300 employees who could no longer perform their jobs, services were postponed or cancelled due to the systems being offline, and the health system experienced a loss of approximately $1.5 million per day due to disrupted revenue and the resulting expenses of repairing the organization’s infrastructure.



Due to the severity of the attack, HealthITSecurity reported that the state’s governor eventually deployed the Army National Guard’s Cyber Response Team to UVM to assist with recovery efforts.

As more workers become remote and health organizations continue to make the shift to be more connected technologically due to the COVID-19 pandemic, the risk of ransomware attacks, as well as other forms of cyberattacks, has grown. This can be corroborated by examining the ransomware claims experience of Coverys insureds. When isolating data from the most recent fully developed underwriting year (2018), Coverys’ ransomware claims increased over 66% relative to the average of the previous four underwriting years, which is a notable jump. 


According to an April 2020 advisory released by the New Jersey Cybersecurity & Communications Integration Cell, COVID-19-related cyberattacks and phishing scams, a rising concern, have been specifically targeting the healthcare sector, which is more open to attack due to both its preoccupation with treating COVID-19 cases and following stringent protocol and the ever-expanding use of technology to keep healthcare organizations connected in the new age of telehealth.


Devastating effects

In addition to having data locked or needing to pay a ransom, business owners could also experience a data breach due to ransomware. Ransomware is a significant reason for the number of data breaches trending upward in recent years.


According to HIPAA Journal, businesses experienced more data breaches in 2020 than in any year before.


As the 2020 attack on UVM demonstrates, when a healthcare organization loses its data, the outcome can be devastating. And although all industries and organizations experience a punch from a ransomware attack, such attacks can cause life-threatening injury in a healthcare setting. 


For example, HealthITSecurity reported that another 2020 ransomware attack on a large U.S. healthcare system resulted in rerouted ambulances, delayed radiation and treatment for cancer patients, medical records that were inaccessible and even permanently lost, and hundreds of furloughed staff.  


But how can you fight an unseen, growing monster? Like the vaccine developed for COVID-19, the answer lies in developing a plan and taking action to prevent an attack before it has the chance to spread – and in having a safety net ready in the event of infection. 

Preventing the spread?

To protect a healthcare organization’s employees, patients, and data, a multifaceted defense system is required. 


The typical initial infection is carried through a phishing email containing a link or attachment. Other infection opportunities include users inadvertently installing malware from the internet or from USB drives, and attackers exploiting remote access using stolen or hacked credentials.


To defend against the initial phishing infection, there are a few steps an organization can take: 

  • Provide security awareness training to educate users not to click on links or open attachments from suspicious senders, or without first carefully inspecting emails for signs of phishing.
  • Provide for phishing and spam filtering at the mail gateway. 
  • Don’t install/run programs unless they’re from a reputable source. 
  • Restrict the ability of end-users to install software themselves or only allow installation from whitelisted sources. 
  • Only allow the use of trusted USB drives and don’t allow execution from USB drives. 
  • Implement endpoint detection and response products to stop malicious code from executing. 
  • Require strong, unique passwords and multifactor authentication.
If you have been attacked

Once infected, oftentimes the initial malware will reach out to a command and control (C2) server in order to download additional malware or to open a backdoor allowing the attacker access to the system. To defend your systems against this infiltration, consider: 

  • Domain Name System filtering/protection. 
  • Next-generation firewalls used to block unauthorized egress traffic. 


Once past initial defenses, malware will use application vulnerabilities to execute code. The code will run under the context of the logged-in user, or the attacker will try to elevate privileges. Therefore, consider the following defense strategies: 

  • Reducing access privileges so users have the minimum access that they need in order to do their job. 
  • Regular patching of operating systems and applications, including web browsers. 
  • Hardening of endpoint systems and the use of endpoint detection and response products to stop malicious code from executing and to block privilege escalation.


If the malware is able to execute and encrypt data, organizations must identify what data was affected, whether it was exfiltrated from the network and whether it can be recovered. The following tactics can be used as a data defense: 

  • Encryption. 
  • Audit logs. 
  • Regular backups and testing of those backups.
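
One way to act on "testing of those backups" and on identifying what data was affected, as an added example that is not part of the original article: a hash manifest recorded at backup time is compared with a live or restored folder, and changed files whose contents look random are flagged as likely encrypted. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions made for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off (ciphertext sits near 8.0)

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def shannon_entropy(data):
    """Bits of entropy per byte (0 for empty input); encrypted data approaches 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Run at backup time: relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}

def assess(root, manifest):
    """Compare a live or restored tree against the backup-time manifest."""
    report = {"intact": [], "missing": [], "modified": [], "likely_encrypted": []}
    for rel, digest in manifest.items():
        path = Path(root) / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) == digest:
            report["intact"].append(rel)
        else:
            high = shannon_entropy(path.read_bytes()[:65536]) >= ENTROPY_THRESHOLD
            report["likely_encrypted" if high else "modified"].append(rel)
    return report

def demo():
    """Constructed sample tree: one file untouched, one edited, one overwritten, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in ("billing.txt", "notes.txt", "records.db", "schedule.csv"):
            (root / name).write_text(f"constructed sample content for {name}\n" * 200)
        manifest = build_manifest(root)
        (root / "schedule.csv").write_text("edited by a user\n")
        (root / "records.db").write_bytes(os.urandom(65536))  # stands in for ciphertext
        (root / "billing.txt").unlink()
        return assess(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Ransomware that renames files will surface them under `missing`, and already-compressed formats also score high on entropy, so treat `likely_encrypted` as a triage signal to confirm against the audit logs.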


Be Prepared

These defense strategies can be used to fortify an organization, but even the safest of healthcare organizations are at risk of a stealthy attack during day-to-day activities.


Data will be less secure at times to address the everyday aspects of sharing data with business partners, patients, employees, and others. These standard business needs create the weak points that hackers are eager to exploit.

While prevention is the smartest strategy, it is not 100% effective. 


When isolating data from the most recent fully developed underwriting year (2018), Coverys’ Cyber Liability and Protection Plus incurred losses increased over 110% relative to the previous four-year average – a number which demonstrates the need for a solid contingency strategy in the event of a cyberattack. 


Therefore, it is equally important to be properly insured. Just as healthcare organizations have a written plan for responding to potential natural disasters, they should also have a written plan for responding to potential data breaches. Because in the age of technology and remote work, the question isn’t if, but when an attack will occur. 


In the event of a breach, both your organization and your board could face lawsuits. There may be some overlap between Directors & Officers (D&O) insurance, general liability, and cyber policies, but one should not assume that one policy type will provide all the coverage needed if an attack occurs. Check D&O and general liability policies to see whether they cover cyber events, as well as cyber policies to see whether they cover board members within the Definition of Insured. Consult with your organization’s insurance broker to assess whether your insurance coverages meet your organization’s needs.


Matthew C. Bertke, CPA, MBA is the Product Development Manager for Coverys, a nationally recognized professional liability insurer and leader in addressing the challenges of health care delivery.
