AXIS Industry Spotlight: Healthcare
Healthcare is a sector where life-or-death decisions are routine, and the stakes are high. But behind the scenes, the digital infrastructure supporting these decisions has in recent years proven to be outdated, underfunded, and vulnerable. With vast amounts of sensitive data and critical operations at risk, healthcare has become a prime target for cyber criminals who are not sympathetic to the devastating impact of their actions on this sector. A global pandemic provided a platform for increased attacks, and today those criminals continue to conduct ambitious and widespread campaigns.
This Industry Spotlight from AXIS Global Cyber & Technology focuses on cyber exposures impacting healthcare organizations, reflecting on how lessons should have been learned from real-world incidents over the last decade and offering practical steps to build resilience.
Cyber Incidents Impacting the Healthcare Sector
Ransomware Attacks
Hospitals and healthcare providers face ransomware attacks that can shut down facilities, delay patient care, and demand large payments.
Examples
- A sophisticated ransomware attack against a health system caused operational impacts for several weeks, forcing the provider to divert patients in need of emergency services and reschedule elective procedures
- Numerous diagnostic laboratories have been hit with ransomware causing service outages, data breaches, ransom payments, and ensuing litigation
Threat Methods
- Phishing emails with malicious attachments
- Malware delivered via infected links
- Exploited vulnerabilities in remote access systems
- Lack of segmentation between IT and clinical systems
Data Breaches
Healthcare providers are frequently impacted by data breaches exposing personally identifiable information and protected health information, often resulting in regulatory fines and lawsuits.
Examples
- A phishing email led to the exposure of millions of patient records, with malware remaining undetected for nine months
- An advanced persistent threat actor compromised the data of millions of individuals, resulting in significant fines and a class action lawsuit
- A healthcare company exposed millions of records due to a misconfigured database, although the data was non-identifiable
Threat Methods
- Phishing and spear phishing
- APT actors targeting healthcare infrastructure
- Misconfigured databases and cloud services
- Credential theft and poor access controls
Legacy Data Exposure
Failure to properly manage and purge legacy data can result in unexpected legal and reputational consequences.
Example
- A dental practice was sued after compromised emails exposed old patient records from a previously acquired business
Threat Methods
- Poor data hygiene
- Inadequate access controls
- Lack of integration and security review during acquisition
Supply Chain and Infrastructure Attacks
Attacks on healthcare infrastructure and third-party providers can have widespread consequences across the sector.
Examples
- A breach at a healthcare service provider disrupted insurance claims processing nationwide, potentially affecting a third of the population
- A cyber-attack against a hospital’s service provider exposed the personal information of millions of individuals, resulting in lawsuits
Threat Methods
- Compromised third-party vendors
- Exploitation of interconnected systems
- Lack of vendor risk management
Tracking-Pixel Litigation
The healthcare industry has increasingly faced class action lawsuits over the use of tracking technologies on its websites, which transmit user data to platforms such as Google, Meta, and other advertising services.
Example
- Healthcare providers have settled significant class action lawsuits for millions of dollars arising from the misuse of these technologies
Threat Methods
- Deployment of tracking technologies by marketing teams, developers, or other stakeholders to monitor user behavior without proper privacy considerations
Cyber Exposure Characteristics in Healthcare
- Data: Healthcare is a prime target for good reasons. Its data includes patients’ personal details, medical histories, social security numbers, and financial details, making it more valuable than credit card data on the dark web.
- Legacy Systems: Many healthcare providers still run outdated software due to budget constraints. Understandably, expenditure on front line medical equipment has maintained priority status, but this systemic technical debt puts healthcare organizations in jeopardy.
- Training Gaps: With the primary focus on patient care, cybersecurity training often takes a backseat to clinical certifications, leaving staff ill-prepared to spot phishing or respond to threats.
- Regulatory and Litigation Risk: Health Insurance Portability and Accountability Act (HIPAA) violations can lead to huge fines and reputational damage, but a significant additional threat for healthcare is the high incidence of class-action lawsuits. Law firms have become more proactive and aggressive, particularly with respect to allegations that website tracking solutions (pixels, web beacons, cookies, etc.) improperly share user data with third parties. Furthermore, the number of affected individuals directly influences legal exposure, bringing into focus the importance of good cyber hygiene in cleansing redundant customer records.
- Systemic Risk: Small practices, like dental offices, may seem low risk individually, but shared software platforms create systemic vulnerabilities, allowing a breach of one practice to spread to potentially thousands.
Steps to Build Resilience and Manage Risk
To strengthen cyber resilience, healthcare organizations should focus on:
- Cyber Hygiene: Remove outdated data and old records that are a liability. Regularly clean up archives to reduce exposure.
- Upgrading Legacy Systems: Prioritize critical infrastructure updates, even under budget constraints.
- Training: Make cybersecurity awareness mandatory.
- Network Segmentation: Isolate sensitive systems to limit lateral movement during attacks.
- Access Controls: Stronger controls are essential, including the use of multi-factor authentication and the monitoring of privileged access.
- Incident Response Planning: Preparation is key. Plans should be developed and tested regularly for both disaster recovery and business continuity.
- Privacy Collaboration: Establish processes to review privacy considerations for all use cases, including new technologies and new uses of user data.
Broker Considerations for Healthcare Cyber Risk Submissions
Cyber risk in healthcare is uniquely complex. Brokers play a vital role in helping customers navigate this landscape and present strong submissions that reflect both compliance and resilience. With sensitive patient data, legacy systems, and increasing regulatory scrutiny, underwriters are looking for more than just basic controls; they want to see a culture of cybersecurity.
Key areas brokers should emphasize in submissions:
- Digital Infrastructure and Access Controls: Underwriters assess how well clinical and administrative systems are segmented, and whether multi-factor authentication is in place. Highlight any robust access controls and secure network architecture.
- Staff Training and Incident Readiness: Frequent, role-specific cybersecurity training is essential. Make sure customers can demonstrate they have incident response and disaster recovery plans, and that these are tested regularly.
- Legacy Systems and Software Hygiene: Outdated or unpatched systems are a major red flag. Help customers articulate their upgrade plans, patching cadence, and how they manage backups for critical functions.
- Third-Party and Vendor Risk Management: Healthcare providers often rely on cloud services, payment processors, and shared platforms. Underwriters will expect clear vendor vetting processes and contractual safeguards.
- Privacy Governance and Legal Exposure: HIPAA violations and class-action lawsuits are costly. Submissions should include information on privacy policies, data lifecycle management (especially for legacy records), and how privacy teams integrate with broader business functions.
- Board-Level Oversight and Culture: Underwriters look for board engagement and cross-functional collaboration. If your customer has a cybersecurity committee or reports regularly to leadership, make sure that’s included.
Final Tip for Brokers
Encourage healthcare customers to position cybersecurity as a patient safety issue, not just an IT concern. This mindset shift helps build trust with underwriters and demonstrates a proactive, enterprise-wide approach to managing cyber risk.
Conclusions
Healthcare holds some of the most sensitive and complete personal data sets, yet often lacks the protection needed to defend them. As cyber threats grow in scale and sophistication, the sector must evolve its defenses. Cyber insurance and risk management strategies must reflect the unique exposures of healthcare, where the cost of failure is measured not just in dollars, but in lives.
Disclaimer
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. Cyber incident examples may be based on actual cases, composites of actual cases or hypothetical claim scenarios and are provided for illustrative purposes only. Facts may have been changed to protect the confidentiality of the parties. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.
The practices, services or service provider(s) discussed herein are suggested as risk mitigation or incident response resources only. Use of any practice, service or service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract, or compliance with any law, rule, or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any practice, service or service provider as part of its overall risk management strategy.
For information about our products and underwriting companies, please see https://www.axiscapital.com/product-information