The size, scope, and vast amounts of data within the insurance industry makes it a key target for cybercrime. From our health to our cars, property, and several points in between, the average individual has several types of insurance coverage.

Data is both the foundation of and the driving force behind insurance products, policies, and pricing. Much of this data is considered personally identifiable information (PII), which means it could be used to identify an individual. Dates of birth, Social Security numbers, financial account information, and biometrics such as fingerprints are just a few examples of PII that could be found within an insurance company’s database.

Once a cybercriminal has acquired compromised PII data points, they can use this information for fraudulent activities. For example, stolen PII can be fed into an insurance company’s automated quote tool (such as with car insurance) to obtain even more PII. The more information a hacker has, the more equipped they are to commit identify theft and insurance fraud.

In this article, we will look at what makes cybersecurity challenging within the insurance industry, as well as solutions to enhance the security of personally and financially sensitive data.

Why is cybersecurity particularly challenging for insurance companies?

The insurance industry collects, processes, and analyzes massive amounts of structured and unstructured data. Structured data is organized and formatted in a way that makes it easily searchable in databases.

Examples of structured data in the insurance industry include:

• Names
• Addresses
• Medical history
• Claim history
• Vehicle information

Unstructured data, however, does not have a predefined organizational structure or format. Unlike structured data, this type of information does not easily fit within a traditional, column/row spreadsheet or database. However, unstructured data contains critical information that insurers use to customize coverage options and detect fraud.

Examples of unstructured data sources include:

• Emails
• PDFs
• Video files
• Written reports
• Data analytics
• Photographs
• Social media

The insurance industry faces unique challenges when it comes to cybersecurity. The large volume of PII data held by insurance companies is subject to compliance standards and regulations and is also a lucrative target for malicious actors.

Read on to learn more about why cybersecurity is challenging for insurance companies in particular.

Cybersecurity risks unique to the insurance industry

Data breaches and ransomware attacks are increasing in frequency and complexity. Since 2020, financial institutions have increased their use of digital and remote solutions for daily operations. After the health sector, the financial sector (including insurers and brokers) was the hardest hit by COVID-19-related cyber events.

In addition to the insurance policies themselves, some of the most sensitive data held by insurance companies is personal identifying information such as dates of birth, Social Security numbers, passports, and drivers’ licenses. These PII data points are highly valuable to cyber criminals in identity theft operations.

While the insurance industry as a whole is targeted by cybercriminals, companies that provide cyber insurance coverage are even more high-value targets. This is an insurance policy that protects businesses and their customers in the event of data loss, such as a breach or ransomware attack.

Should a hacker successfully compromise their networks, malicious actors will have access to policy details and security standards for cyber insurance coverage, as well as the maximum amount the policy will pay in a ransomware event. This information gives ransomware operations an easy way to determine a ransom amount that the victim will agree to.

The size and scope of the insurance industry, as well as the highly valuable data these companies hold, make these companies a lucrative target for malicious actors. With personal, health, identity, and financial information on file, a single gig of insurance data could be worth as much as $10,000.

In fact, the 2022 Cyber Insurance Risk report indicates that 82% of insurance companies are the focus of cybercrime such as ransomware attacks. Recent cybersecurity events include:

• CNA Financial Corporation, one of the largest insurance companies in the United States, paid $40 million in ransom after a 2021 ransomware attack locked officials out of the CNA network. While the FBI and the Treasury Department discourage companies from paying ransom amounts, companies like CNA do so to recover their stolen data. However, only 42% of organizations successfully recover their data after paying the ransom.

• In 2020, insurance and benefits broker Arthur J. Gallagher & Co. suffered a ransomware attack in which hackers obtained PII of thousands of Gallagher customers and employees. The affected individuals filed a class-action lawsuit against Gallagher for failing to protect their information and for failing to notify or assist the people whose data was compromised.

• Cybersecurity insurance provider, Chubb,became a victim of a data breach in 2020. The security incident is attributed to the Maze ransomware group, which is known for encrypting networks and devices, exfiltrating data, and holding it for ransom. While the attack didn’t impact the operation of Chubb’s networks, the ransomware group posted a list of the data stolen from Chubb, including the names and contact information of senior company executives.

The importance of cybersecurity in the insurance industry

The insurance industry is subject to some of the most comprehensive data protection and privacy regulations:

• Gramm-Leach-Bliley Act (GLBA). GLBA regulations protect consumers’ financial information and PII. Insurance companies must develop a comprehensive information security program that contains controls such as encryption, risk assessments, access controls, and multifactor authentication (MFA), among others.

• Health Insurance Portability and Accountability Act (HIPAA). Health insurance companies are considered health plans that must comply with HIPAA provisions for data security and privacy. This includes (but is not limited to) best practices such as data encryption, audit logs, access controls, and risk assessments.

• Bank Secrecy Act/Anti-Money Laundering (BSA/AML). The BSA is a collection of laws and regulations aimed at reducing the risk of money laundering in the United States. The insurance company is responsible for the effectiveness of its compliance program, which includes the activities of its agents and brokers. BSA/AML regulations apply only to high-risk insurance products such as annuities and permanent life insurance policies, both of which can be used to facilitate money laundering activities.

Regulations for insurance companies are increasing, with more states requiring companies to better protect consumer data. As of May 2022, Kentucky became the latest state to develop a cybersecurity statute based on the National Association of Insurance Commissioners (NIAC) Insurance Data Security Model Law. Currently, 21 states have adopted models to enhance cybersecurity in the insurance industry.

How WinZip Enterprise enhances cybersecurity in the insurance industry

The best way to mitigate risk is to protect data before adverse events occur. An insurance company’s files and databases contain a wealth of information that would negatively affect financial performance and public perception if it were compromised.

Following a data breach, 83% of customers will no longer use the products and services of the affected organization. A comprehensive data protection strategy should include best practices such as the following:

• Customized access controls. Access controls restrict access to resources and data based on what’s necessary for a user’s job functions. This is known as the principle of least privilege (POLP), which helps prevent unauthorized access to sensitive information.

• File-level encryption. File encryption gives insurance companies increased control and visibility over their sensitive PII. Encryption renders the information contained within a file unreadable to anyone without the appropriate decryption key, rendering the file useless to cybercriminals.

• File tracking. To prevent and eliminate data loss, insurance companies should regularly review system activity. File tracking makes a record of every time a file is edited, moved, or deleted. This makes it easier to detect and control system vulnerabilities such as human error (e.g., accidental deletion of a critical file).

WinZip® Enterprise protects sensitive data with a customizable set of enterprise-grade tools for secure backup, file transfer, encryption, and more. Insurance industry IT administrators have granular control over the operating environment, making it easy to implement and enforce policies that uphold cybersecurity.

Using the Advanced Encryption Standard (AES) format, WinZip Enterprise encrypts data at the file level so that it is safeguarded while at rest and in transit. This type of encryption is ideal for insurance companies that must comply with various data security regulations.

Cybersecurity is a critical concern for healthcare organizations. Protected health information (PHI) is more valuable than other types of personal data, making it a key target for cyber criminals. This is because healthcare records contain a variety of personal information, such as an individual’s name, social security number, financial details, and more.

Health data is around 20 times more valuable than financial data on the Dark Web. The remediation costs following a healthcare data breach are also higher. This includes expensive processes such as investigation, incident response, breach containment, and more. The cost to remediate a health data breach is around $408 per record compared to $148 per non-health record. Despite the risks, the healthcare industry falls short in terms of cybersecurity.

Fortunately, there are tools and best practices that can help prevent cyberattacks in the healthcare industry. In this article, we will detail current cybersecurity challenges in healthcare environments as well as solutions that increase the security of your organization’s healthcare data.

Healthcare cybersecurity challenges

Data breaches and other security threats have increased sharply over the past few years, fueled in large part by the rapid and necessary shift to remote working conditions in 2020 as the pandemic reshaped how people work.

In addition to the challenges posed by an expanded remote workforce, healthcare organizations were also faced with an increased patient load. Resource limitations impacted every level of patient care, including healthcare data security.

For example, elective procedures were canceled to control the spread of the virus, but this also created revenue shortages. On average, elective procedures make up 60% of total revenue for healthcare organizations. These cancellations led to a revenue loss of around $22.3 billion nationally.

With limited space, staff, supplies, and revenue, many healthcare organizations were unable to prioritize cybersecurity measures. Cyberattacks spiked as a result, with more than 1 in 3 healthcare entities experiencing a ransomware event in 2020 alone.

While the pandemic has waned, cybersecurity threats have only increased. In the first five months of 2022, the number of data security breaches in the healthcare industry almost doubled compared to the same period in 2021.

The healthcare sector’s cybersecurity challenges include the following:

• Mobile access. Medical devices that run on an internet connection often lack adequate privacy and security measures. Devices such as insulin pumps, pacemakers, and wearable trackers rely on constant connectivity to work.
  
  Without ample network and file security, this data could be compromised in a cyberattack. For example, over 61 million records related to wearable devices (e.g., Fitbit) were compromised in a database breach in 2021.
  

• Legacy systems. Legacy systems are highly customized and designed to meet the specific goals and needs of the healthcare organization. Approximately 73% of healthcare providers use medical equipment that relies on a legacy operating system.
  
  This outdated equipment presents a host of cybersecurity risks due to a lack of security patches or updates. For example, vulnerabilities in unpatched medical devices fueled the 2017 WannaCry global ransomware attack.
  

• Staff shortages. Healthcare cybersecurity staff are increasingly overworked, understaffed, and undertrained. Around a third of health IT teams are not sufficiently staffed for cybersecurity, further straining existing team members.
  
  Skills gaps further hinder healthcare IT teams. Around 40% of IT staff lack cybersecurity expertise and an additional 39% of individuals are deficient in data protection skills.

• Broad attack surface. The average US hospital has 10 to 15 connected devices per hospital bed, which means large organizations could need to secure tens of thousands of medical devices.
  
  Because these networked devices typically run on outdated software and devices, they present a number of vulnerabilities that can be exploited by cybercriminals.

Common healthcare data threats

From hospitals to pharmaceutical companies and care facilities, every aspect of the healthcare industry is susceptible to cyberattacks. Teaching and research hospitals are especially vulnerable because they manage, store, and transfer a large volume of sensitive data.

From 2018 to 2021, healthcare data breaches increased by 84%. The number of victims affected by these breaches also increased from 14 million in 2018 to 44.9 million in 2021. As of July 2022, more than 22 million health records have been breached in the US, a 4.6% increase from the same period the previous year.

Let’s look at some of the greatest threats to healthcare data security:

Phishing

Phishing is a technique where malicious actors trick their victim into giving them system access. Common phishing attack vectors include emails, websites, social media, and text messages. For example, hackers accessed a Colorado-based eye care practice employee’s work email and used it to copy patient data. This phishing incident compromised more than 26,000 people’s sensitive information.

Cybercriminals often use a phishing attack to gain access to a critical network or system. Once they’re in, they can easily exfiltrate sensitive files, compromise accounts, and infect businesses with ransomware.

Because phishing seeks to obtain sensitive data, healthcare organizations account for around half of all phishing attack victims. The cost of recovering from such an attack averages around $14.8 million, which is three times greater than it was in 2015.

Third-party data breaches

A third-party data breach occurs when a malicious actor gains access to sensitive health data via third parties such as vendors, suppliers, or business partners. The healthcare industry is the most common victim of this attack vector. Attacks by third parties were responsible for 33% of healthcare cybersecurity incidents in 2021.

For example, in 2020, vulnerabilities in Accellion’s file transfer system gave cybercriminals access to the private data of millions of individuals. Numerous healthcare organizations that used the software to transfer large, sensitive files within the network were impacted by the third-party breach.

According to the settlement proposal, Accellion did not guarantee the security of the software and the clients were solely responsible for their data security practices. The last security update for the software in question was issued in February 2019, creating the vulnerabilities that gave the threat actors access to connected client networks.

Ransomware

Ransomware is the biggest threat to the security of healthcare data. Two-thirds of healthcare organizations were affected by ransomware in 2021, compared to 34% in 2020.

Because the healthcare industry is heavily dependent on access to data to maintain operations, they are under immense pressure to recover information quickly. As a result, they are frequently targeted by ransomware groups because healthcare organizations pay the ransom demand 61% of the time.

When ransomware is used to attack a healthcare entity, the attackers successfully encrypt and subsequently ransom sensitive health data 65% of the time. This is higher than the national average of 54%, due to factors such as a reliance on legacy systems, understaffing, and resource challenges.

Ransomware attacks are costly not just in terms of the ransom demand, but also because they cause major healthcare disruptions. Hospitals across the globe have blamed a ransomware attack for patient deaths, such as when hackers compromised systems that caused a newborn’s heart monitor to fail.

The role of file security in preventing cyberattacks

Today, cybercriminals can successfully breach 93% of company networks. With the growing risk of data breaches and ransomware, it’s more important than ever for organizations to protect their critical health data.

File encryption protects against cyberattacks and data loss by rendering the data useless to anyone without the correct password key. Encrypting at the file level adds an additional layer of security as data moves between devices, networks, and databases.

WinZip® Enterprise protects healthcare data through secure file sharing, compression, encryption, and management. With centralized IT control, WinZip Enterprise can be easily customized to meet the complex needs of health data security.

Discover how WinZip Enterprise can help healthcare organizations keep their data secure from ransomware and other cybersecurity threats.