UK: Ransomware In Health Care: An Insurance-Based Analysis

The medical field recognizes a standard pre-procedure verification process called a "time-out" that occurs prior to any invasive procedure requiring patient consent. This is an element of the Universal Protocol and includes a deliberate pause in activity among all members of the treatment team and a checklist review of patient demographic information, medical history, and medical procedure details. The Universal Protocol has been a mandated practice in all hospitals accredited by the Joint Commission since 2004.1 It is formally endorsed as an industry best practice, with National Time-Out Day recognized annually at the behest of the Association of Perioperative Registered Nurses2 with support from the World Health Organization.3 The standard procedure is mandated as a way to prevent egregious medical errors, including wrong person or wrong procedure surgery.

Compliance with the time-out procedure is dependent on the health team's access to patient medical records. Increasingly, patient medical records are created, stored, and accessed by medical professionals in electronic form. In fact, in 2015, 87 percent of all U.S.-based physicians reported use of electronic medical records (EMRs).4 An EMR is a digital version of a patient medical chart containing a patient's medical history, including information on patient allergies, current medications, lab results, and diagnosis, as well as basic demographic information, including home address, personal phone number, and personal point of contact information.5 A patient EMR might also include details such as medical diagnoses, date of birth, and Social Security number.

Exploiting Extreme Duress: The Explosion of Ransomware in the Health Care Field

Imagine, then, you are a physician administering care or a surgeon preparing to operate when suddenly your health care facility's computer systems become inaccessible. This scenario, which is becoming increasingly common, was the case in recent global ransomware attacks, Petya and WannaCry, in which attackers were able to specifically exploit a vulnerability in Microsoft Windows software.6 Ransomware is frequently installed when a user clicks a URL link or opens an attachment sent via email from a malicious threat actor. The ransomware then encrypts device files on both computer devices and entire networked servers, making them inaccessible to users, including health care professionals who require access to provide patient care.

The WannaCry attack struck more than 30 facilities in England's vaunted National Health Service.7 The immediate result was chaos. Physicians and staff had to put together and store makeshift files with paper and pen, and some hospitals told patients not to come to emergency centers unless their conditions were urgent.8 In Jakarta's Dharmais Hospital, Indonesia's biggest cancer center, hundreds of people packed waiting areas, unable to receive treatment as a result of the WannaCry ransomware incident.9 In India, EMRs in the state-run Berhampur City Hospital were encrypted by WannaCry, seriously disrupting e-medicine services.10 In the United States, the Petya virus affected health care, hitting Heritage Valley Health Systems, a Pennsylvania health care provider, and its hospitals in Beaver and Sewickley, Pennsylvania, and forced operations to be canceled.11 Also in the United States, for the first time on record, there were even several reports, acknowledged by device manufacturers, that the WannaCry malware had infiltrated connected, Internet of Things (IoT) hospital medical devices and rendered them inoperable.12

Business email loss accompanying ransomware. Successful ransomware attacks often include a human element. As a result, ransomware has become embedded in an accompanying phishing-threat landscape.13 Ransomware phishing emails contain a malicious link or file that attackers must induce recipients to click or open in order to unleash the accompanying ransomware.14 Increasingly, these attacks rely on soft targeting by functional area. In contrast to broadly disbursed email scams, soft targeting focuses on a category of individuals based on their role within an organization.15 Furthermore, these can even include attacks specifically tailored to and directed toward specific employees.16

One plausible ransomware scenario also includes additional business email loss arising from a fraudulent wire instruction request. For example, an email might arrive from an individual pretending to be a vendor of the hospital, requesting that future payments be transferred to a new account number. In a soft-targeted phishing attack, a threat actor would create an email resembling an email from the accounting manager of the vendor and send a request to the hospital accounting department coordinator, requesting that the wire transfer information be updated administratively, perhaps explaining that the vendor was consolidating accounts, and including an attachment with the new account information. The authenticity of these fraudulent wire request emails can appear deceptively convincing due to spoofed email domains, replicated signature lines and letterheads, and other personal details gathered in online research. Accordingly, an unsuspecting hospital staff person may open the attachment and change the payment destination so the next time a payment from the hospital is transferred, be it a few hundred or several million dollars, it falls into the hands of cyber thieves.

From an insurance coverage perspective, this type of phishing loss is complex and unsettled, frequently leaving room for coverage gaps under many policies. While these losses often resemble traditional theft of property, crime and bond insurers have contested coverage for the payment amounts because they result from the "authorized" acts of unsuspecting employees.17 Computer-fraud coverage has similarly been contested. Most recently, the U.S. District Court for the Northern District of Georgia held in a decision related to computer fraud coverage, InComm Holdings, Inc. v. Great American Insurance Co., released on March 16, 2017, "That a computer was somehow involved in a loss does not establish that the wrongdoer 'used' a computer to cause the loss. To hold so would unreasonably expand the scope of the Computer Fraud Provision, which limits coverage to "computer fraud." The court, which accepted Great American's declination of coverage in a loss scenario that included an exploitable coding error in the insured's computer systems, further explained that "[l]awyerly arguments for expanding coverage to include losses involving a computer engaged at any point in the causal chain—between the perpetrators' conduct and the loss—unreasonably strain the ordinary understanding of 'computer fraud' and 'use of a[ ] computer.'"18 The InComm Holdings court cited another recent decision from the U.S. Court of Appeals for the Fifth

Circuit, Apache Corp. v. Great American Insurance Co., which also found that the mere use of computers in the business email loss fraud was insufficient for computer fraud coverage. The court reasoned that computer fraud coverage, which required that the covered loss result "directly from the use of any computer to fraudulently cause a transfer," did not apply because a computer was but one step in a process leading to the authorized payment to fraudulent accounts.19 Business email loss coverage falls short in other areas as well, including forgery coverage. In a loss scenario where an accounting firm employee received a phishing email requesting a $94,280 wire transfer of client funds to a Malaysian bank, the Ninth Circuit upheld a denial of forgery coverage under a "forefront portfolio policy," finding that "[u]nder a natural reading of the policy, forgery coverage only extends over the forgery of a financial instrument."20 The court reasoned in its March 9, 2017, decision in Taylor & Lieberman v. Federal Insurance Co., "Here, the emails inducting [the insured] to wire money were not financial instruments like checks, drafts and the like."21

However, specific coverage for this type of business email loss is becoming available from some carriers as an endorsement to cyber insurance policies.22 This coverage may be found under certain types of cyber crime endorsements to cyber policies, and it can include coverage provisions for financial fraud or phishing attacks. These policies provide for loss, including public relations expenses, arising from the insured's receipt of misleading or deceptive communication from a third party purporting to be an employee, client, or vendor of the insured, directing or requesting a transfer of funds.

Rise of cyber policies. Since 2000, the U.S. cyber insurance market, developed in response to Internet- and privacy-based loss, has grown from about 10 insurers providing stand-alone cyber insurance policies to at least 50.23 These stand-alone cyber insurance policies provide specialized first-party and third-party coverage for loss arising from coverage events such as computer security failure, data breaches, and other cyber incidents. Sales of these policies are projected to grow exponentially, with annual gross written premiums expected to increase from $2.5 billion to $7.5 billion in the next three years.24 The quick development and relative immaturity of the cyber insurance marketplace has resulted in a lack of uniformity among policies and a wide range of available coverage.25 Compounding these variables is the swift and relentless evolution of cyber loss, resulting in uncertainty about future exposure in stand-alone policies and a climate ripe for potentially contentious coverage disputes.26

Ransomware and Cyber Coverage

Despite the unsettled coverage arising from business email loss, many cyber policies contemplate the specific losses arising from ransomware and the ensuing fallout. Once the unsuspecting hospital employee clicks the malicious attachment sent by the hypothetical vendor, a catalyst for ransomware infection has been initiated, unrolling a multitude of complex and potentially contentious issues within the context of cyber insurance coverage. The use of ransomware enables cyber pirates to extort ransom fees from organizations by holding data "hostage" in exchange for payment. There is evidence that hospitals are increasingly becoming the target of ransomware attacks.27 Indeed, the health care industry was the second-most targeted sector for ransomware attacks, comprising 15 percent of total reported incidents in 2016.28

Extortion demand coverage and limitations. In the immediate wake of a ransomware attack, a health care facility must first grapple with whether or not to pay the extortion demand. Factors many entities must consider include the amount of the demand, the type of ransomware involved, and the accompanying reasonable or demonstrated likelihood that the threat actors involved will provide the encryption key if paid. Also included is the type of information rendered inaccessible and the relative importance of the information to critical health care functions. The ransom, typically demanded in Bitcoin, a form of decentralized digital cryptocurrency, is usually a relatively small amount. For example, the 2017 WannaCry ransomware demand remained below $600,29 while the demand paid in 2016 by the Hollywood Presbyterian Medical Hospital reached $17,000.30

Currently, cyber extortion payment coverage is an available option under many insurers' cyber policies. This coverage includes payment of the ransom demand amount and, in some cases, also provides assistance in procuring the Bitcoin necessary to complete the ransomware transaction. Service-oriented cyber insurance policies have immediate response programs integrated into coverage, mobilizing computer consultants skilled at negotiating with cyber extortionists and experienced with converting large quantities of capital into Bitcoin necessary to effectuate extortion payments. Acquiring large amounts of Bitcoin, unlike traditional currency, is often difficult given the distribution and mining constraints on the cryptocurrency. Accordingly, some companies are beginning to keep reserves on hand in case of future ransomware attacks.31 Still, the decision to pay a demand can be a complex one and is frequently constrained by many elements of the policy.

Many cyber policies contain provisions excluding loss, such as a cyber extortion payment, arising from acts of terrorism or foreign enemies. Attribution of cyber attacks is generally very time-intensive and costly but not impossible. Attribution scenarios might also include attacks voluntarily claimed by terrorist groups or hacktivists. Other cyber extortion coverage constraints include sub-limits of coverage, extortion demand-to-damage ratio of loss thresholds, and specialized reporting provisions. As the Internet continues to become the forum for friction across geopolitical lines, it is conceivable that cyber coverage disputes over terrorism exclusions may arise.

If a hospital decides not to pay the extortion demand, it will likely incur extensive data recovery costs to regain access to information, including patient EMRs. Many cyber policies also include coverage for a hospital's costs to restore or re-create information contained on encrypted files as a result of a ransomware attack. The cost to restore such data is dependent on hospital information backup procedures; however, oftentimes these costs are exponentially higher than the ransom demand and take valuable time.

Covered breach response costs. Whether or not a hospital elects to pay the ransom amount, it will ultimately have to handle the issue of data breach response and attending legal obligations. Due to the large amounts of sensitive information usually handled by the health care industry, these costs can quickly add up, totaling $6.2 billion in the United States annually.32 Fortunately, many cyber policies contain standard breach response coverage provisions.

Typically, immediate computer forensic investigation is necessary to determine the details of the incident and the scope of information affected. This involves conducting a thorough analysis to piece together what computer events transpired, who was involved, and the relative timeline of events to make a breach determination.33

Also critical to the breach response phase is the help of privacy legal counsel to determine the extent of reporting obligations facing a health care institution. At the federal level, the U.S. Department of Health and Human Services has given guidance to entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA),34 including hospitals and health care facilities, stating that ransomware incidents should be treated as a security incident for response and reporting purposes.35 Depending on the residency of affected patients, a health care facility may also be required to comply with the disparate and evolving body of state-level breach laws now implemented in 48 states, with the most recent addition of New Mexico's state breach laws on the books in May 2017.36 State laws have widely differing notice obligations and requirements. Most states offer a safe harbor that does not require reporting of encrypted data. However, effective July 1, 2016, Tennessee's breach notice definition was amended to include the loss of not only unencrypted data but also certain types of encrypted data, subject to complex technical encryption protocol thresholds.37 Understandably, the costs to evaluate and respond to breach notice requirements for a health care facility, especially a regional or specialized treatment facility with patients from different states, can quickly add up. These types of computer forensic and privacy legal breach investigation fees are typically eligible as covered costs under available stand-alone cyber policies.

In the likely event a health care institution is under a breach notification obligation, which involves informing all individuals (including patients, employees, patient emergency contacts, and anyone else whose personal health or sensitive information had been compromised, depending on the jurisdiction) and the amount and type of information involved, stand-alone cyber policies first-party coverages will also typically include coverage for notification costs. Notification costs, which averaged $560,000 per health care breach incident in 2016, often include fees for printing and mailing notice letters to individuals—many applicable health care breach statutes mandate breach notice by mail, as well as setting up temporary call centers to respond to or answer questions from notified individuals about the incident.38 Coverage for costs to enroll affected individuals into credit or identity theft monitoring programs, as is sometimes mandated by law, is also not uncommon among typical coverage portions of cyber policies. While this coverage is generally helpful in responding, further repairs and fallout can prove costly as well.

Business interruption loss—A complicated analysis in a health care scenario. According to the 2016 Cost of a Data Breach Study by IBM and the Ponemon Institute, a health care facility suffers an average of $113 million in lost revenue per reported data breach.39International law firm DLA Piper, which experienced at least 10 days of information technology disruption as a result of WannaCry in June and July of 2017, is already estimated to have suffered millions in business interruption.40 Stand-alone cyber policies also typically provide coverage for business interruption loss. Business interruption coverage generally compensates a breached entity for lost income and extra expenses incurred as a result of a computer or technology interruption, as might accompany a ransomware incident.

This coverage varies greatly between different insurers' cyber policies. Some models include a waiting period that typically requires substantial disruption for a requisite number of hours—waiting periods in the range of 8–12 hours are common. Under this approach, coverage is available only for business interruption events that extend beyond the waiting period. Accordingly, if a hospital has a 12-hour waiting period and its computer systems were affected by an attack for only 10 hours, then the business interruption coverage would not be triggered. Other models use a monetary scheme that requires a quantifiable loss in excess of some fixed amount before coverage kicks in. Still other models use both a waiting period and a monetary retention.

In a hospital ransomware scenario, business interruption coverage is difficult to calculate. The loss that is easiest to establish arises from the hospital's own commercial activity. For instance, the lost revenue of hospital operation sub components, such as the hospital cafeteria or gift store, may be easy to demonstrate.

More difficult calculations might include loss resulting from temperature-controlled medication spoilage as a result of electronic-temperature monitoring disruption arising from a computer security incident. Other loss arising from a hospital's inability to take in new patients during a ransomware scenario or loss affecting a nonprofit hospital is similarly difficult to account for.

Costly fallout. Further fallout includes class action costs to respond to third-party privacy claims and resulting settlements. The largest data breach settlement in history has recently been agreed to for $115 million dollars. This was in response to a cyber attack of health insurer Anthem Inc., resulting in the theft of the personal information belonging to 78 million health plan members.41 In addition, some policies can include special provisions for costs associated with regulatory investigations or penalties.

Looking Forward—Connected Health Care Devices and the Shifting Scope of Exposure

There is an increasing number of Internet-connected end points being introduced into the hospital environment as part of the Internet of Things (IoT) expansion, potentially further complicating cyber coverage analysis as it pertains to hospital ransomware scenarios. These medical devices include things like Internet-connected bandages capable of detecting blood clots, talking thermometers, and automated infusion pumps that deliver medication or nutrients.42 Many believe malicious actors responsible for health care cyber attacks will increasingly look to exploit the vulnerabilities associated with these connected devices.43 WannaCry ransomware resulted in encryption of medical devices, rendering Bayer Medrad radiology equipment inaccessible to health care professionals. A Bayer spokesperson confirmed that it had received at least two reports from customers in the United States of Windows-based device-level ransomware, noting that operations at both sites were restored within 24 hours.44 The success of medical device encryption may be a watershed moment for the health care threat landscape and the attending cyber insurance policies involved.

The first potential area of contention related to IoT medical device loss includes the scope of defined terms; namely, whether networked devices are part of a health care facility's computer systems for purposes of cyber coverage. The definition and scope of computer systems, if construed to include connected devices, could open coverage up to medical device interruption. If the devices are not found to be part of a hospital's computer systems, they may be challenged as part of the hospital's network for purposes of recovering in the event of a cyber disruption.

Second, the use of connected medical devices will likely further complicate business interruption analysis. For example, some connected devices may derive primary value from their ability to generate medical data. These devices enable wireless transfer, storage, and display of clinical data, which may have value to a hospital in a variety of ways, including for grant purposes, research use, or even direct sale.45

Finally, third-party claims will presumably become more complex as a result of enhanced hospital connectivity. Namely, claims related to the negligent provision of patient medical care as a result of technology business interruption could conceivably arise. It is important to note that many cyber insurance policies include provisions excluding loss arising from bodily injury. However, as medical devices and care become more interconnected, it is easy to imagine a paradigm in which the responsibility to provide adequate patient care extends beyond physicians to include, to some degree, hospital information technology staff. For example, hospitals can be held liable for medical equipment failure under various theories. Hospitals can be liable for negligence or medical malpractice if they fail to maintain medical equipment properly. Likewise, hospitals can be liable for failure to properly train their personnel in using the equipment. If the failure to properly train personnel in using medical equipment leads to the negligent operation of the equipment, the hospital may be liable. Moreover, in the future, if the network that the connected devices operate on is not properly maintained, perhaps negligence and even malpractice within the scope of network security will arise, separate and apart from failure to maintain the medical equipment itself.

This type of loss might ultimately challenge the relevant exposure under the network security coverage provided by cyber policies. One example might include a cause of action for medical negligence or malpractice against hospital information technology staff. For example, in 2015, the U.S. Food and Drug Administration issued a safety communication, warning of cyber security vulnerabilities present in certain IoT- connected drug infusion pumps, resulting in the discontinuation and market recall of the device.46 The pumps were directly related to patient care and could have put a patient at physical risk if tampered with. On the other hand, if the vulnerabilities had not been present in the drug pump, but were instead in the hospital's internal network, it is plausible that the facility could have faced allegations that the physician and the information technology staff are, to some degree, both responsible for providing care. More imminently plausible, however, are cases involving poor patient care resulting from an inability to access necessary patient medical records.

Conclusion and Recommendations Proposed preventive measures.

Although the insurance market has quickly grown up around stabilizing the toppling effects of current cyber threats, including the robust coverage for contemplated ransomware loss, hospital ransomware scenarios are too serious and too egregious not to warrant specific preventive concern. As the recent string of ransomware attacks affecting hospitals worldwide has proved, ransomware affecting health care facilities effectively renders health care facilities unable to provide adequate patient care, targets vulnerable populations, induces chaos, and exploits a medical facility for payment, capitalizing on extreme duress. Solutions to stop this from happening must be advanced on a variety of fronts.

Internally, hospitals must take precautionary measures. One measure might involve warning vulnerable employees of soft-targeting threats and ensuring that checks are in place to prevent business email loss, investing in robust information security programs and implementing emergency backup plans. Future responsibility to safeguard patient data may ultimately fall on health care providers as well. The Universal Protocol may require an amendment to require a "click-through step" related to ensuring patient electronic information safety.

Innovative approaches may also be necessary, including solutions from the technology sector such as physician keychains that store critical health information for patients currently being treated on backed-up devices that would be secure in the event of a ransomware attack.

Support from legislators and policy makers must also be enlisted to bolster cybersecurity. Collaboration between private and public sector stakeholders on threat-information sharing initiatives is a critical step. Developing information- sharing ecosystems, like nonprofit Information Sharing and Analysis Centers (ISACs), enables computer network owners to protect their facilities from cybersecurity threats.47 In addition, encouraging secure software construction through liability or penalties may be worth exploring. Today, the costs of insecure software, like the Microsoft Windows software exploited by WannaCry and Petya, are not borne by the vendors that produce it. Instead, these manufacturers are incentivized for quickly putting new features and operating systems into the market place every year.48 Allocating incentives, assessments, or some relative degree of liability to software manufacturers, who are best situated to address software security issues up front, could result in more secure software rollouts or the development of more robust software update processes.

Still, these measures are only best to prepare for and respond to egregious health care distress. Action to deter these extortion scenarios is also necessary. Consider the human impact, such as the experience of a 61-year-old man, due to undergo major heart surgery after months of waiting, left distraught when the WannaCry attack suspended medical treatment at his operating facility.49 A 50-year-old man, whose cancer treatment surgery was also canceled due to WannaCry said of the cyber pirates, "They should be hung, drawn, and quartered."50

Relevant deterrent penal measures to counteract hospital ransomware might include legislation based on either strict liability or criminal intent. Legislation could mandate strict liability penalties based on the type of information encrypted, such as EMRs or other specific types of personal health information, in an effort to deter hospital ransomware. Additionally or alternatively, threat actors knowingly or purposefully soft-targeting hospitals with phishing and ransomware could be subject to criminal enhancement statutes. This type of legislation might be similar to gang enhancement legislation adopted in an effort to condemn especially reckless or dangerous behavior.51 As difficult as identification, prosecution, and enforcement of cyber crime may be, the existence of strict penalties may serve to deter the rise in health care targeting and send a strong signal that health care targeting, which impacts people, communities, and public health, is not acceptable.


1 Joint Comm'n, Universal Protocol for Preventing Wrong Site, Wrong Procedure, Wrong Person Surgery.

2 Press Release, Patient Safety Monitor, The Association of Perioperative Registered Nurses (AORN) Is Sponsoring National Time-Out Day June 23 to Highlight the Importance of Taking a Time Out Before Beginning a Surgical Procedure to Verify That the Procedure, Patient, and Site Are Correct(June 23, 2004).

3 World Alliance for Patient Safety, WHO Surgical Safety Checklist and Implementation Manual(World Health Org. 2008).

4 Practice Fusion, HER Adoption Rates: 20 Must-See Stats, Mar. 1, 2017.

5, What Is an Electronic Medical Record (EMR)? (Sept. 22, 2016).

6 "Hospitals Increasingly Targeted by Ransomware," Security, Dec. 15, 2016; Nicole Perlroth, Mark Scott & Sheera Frenkel, "Cyberattack Hits Ukraine Then Spreads Internationally," N.Y. Times, June 27, 2017.

7 Frank Langfitt, "British Hospitals Among Targets of Global Ransomware Attack," Nat'l Pub. Radio, May 12, 2017.

8 Frank Langfitt, "British Hospitals Among Targets of Global Ransomware Attack," Nat'l Pub. Radio, May 12, 2017.

9 Jeremy Wagstaff, Reuters, Channel NewsAsia, May 15, 2017.

10 "City Hospital System Down, Officials Fear 'WannaCry' Attack," Z News, May 17, 2017; Chanchal Chauhan, "WannaCry Ransomware Attacks Berhampur City Hospital in Odisha; Demands $300,", May 17, 2017.

11 Nicole Perlroth, Mark Scott & Sheera Frenkel, "Cyberattack Hits Ukraine Then Spreads Internationally," N.Y. Times, June 27, 2017.

12, Information Technology Advisory—WannaCry Ransomware (May 26, 2017).

13 PhishMe, Q1 2016 Malware Review (registration required).

14 Fed. Bureau of Investigation, Public Service Announcement, Ransomware Victims Urged to Report Infections to Federal Law Enforcement (Sept. 15, 2016).

15 PhishMe, Q1 2016 Malware Review (registration required).

16 Mark Camillo, "Cyber Risk and the Changing Role of Insurance," 2 J. Cyber Pol'y 53–63, Mar. 27, 2017 (published online).

17 Alice Kyureghian, Benjamin Fliegel, Christina M. Shea & J. Andrew Moss, Reed Smith Client Alerts, Phishing in the Insurance Coverage Gap (Feb. 15, 2017).

18 David S. Wilson, John Tomaine & Chris McKibbin, "InComm: U.S. District >Court Holds That Computer Fraud Coverage Does Not Respond in Prepaid Debit Card Scheme," Blaney's Fidelity Blog(Blaney McMurty LLP), Mar. 22, 2017.

19 David S. Wilson & Chris McKibbin, "Apache Corporation: Fifth Circuit Holds That Commercial Crime Policy's Computer Fraud Coverage Does Not Extend to Social Engineering Fraud Loss," Blaney's Fidelity Blog (Blaney McMurty LLP), Oct. 24, 2016.

20 Judy Greenwald, "Chubb Not Liable for Accounting Firm's Fake Email Loss," Bus. Ins., Mar. 10, 2017.

21 Judy Greenwald, "Chubb Not Liable for Accounting Firm's Fake Email Loss," Bus. Ins., Mar. 10, 2017.

22 Kevin LaCroix, "The Growing Risk of Payment Instruction Fraud and Related Insurance Coverage Problems," D&O Diary, Apr. 10, 2016.

23 Yoav Leitersdorf, Ofer Schreiber & Iren Reznikov, "Cyber Insurance Is Changing the Way We Look at Risk," Tech Crunch, June 13, 2016.

24 PricewaterhouseCoopers, Insurance 202 & Beyond: Reaping the Dividends of Cyber Resilience(2015).

25 Andrea Wells & Stephanie K. Jones, "Growth in Cyber Coverage Expected as Underwriting Evolves," Ins. J., Apr. 4, 2016.

26 Org. for Economic Co-operation & Development, Supporting an Effective Cyber Insurance Market: OECD Report for the G7 Presidency (May 2017).

27 Gillian Mohney, "Hospitals Remain Key Targets as Ransomware Attacks Expected to Increase," ABC News, May 15, 2017.

28 Jessica Davis, "Ransomware Accounted for 72% of Healthcare Malware Attacks in 2016," Healthcare IT News, Apr. 27, 2017.

29 Symantec, Ransom. Wannacry, May 24, 2017.

30 Richard Winston, "Hollywood Hospital Pays $17,000 in Bitcoin to Hackers; FBI Investigating," L.A. Times, Feb. 18, 2016.

31 Phil McCausland, "Companies Stockpiling Bitcoin in Anticipation of Ransomware Attacks," NBC News, May 18, 2017.

32 Erin Dietsche, "Healthcare Breaches Cost $6.2B Annually," Becker's Health IT & CIO Rev., Jan. 19, 2017.

33 Kristin M. Nimsger & Michele C.S. Lange, Electronic Evidence and Discovery: What Every Lawyer Should Know Now, ch. 5, Computer Forensics (ABA Book Publishing 2009).

34 HIPAA addresses data privacy and security provisions for safeguarding EMRs and patient medical information.

35 U.S. Dep't of Health & Human Servs., Fact Sheet: Ransomware and HIPPA.

36 Davis Wright Tremaine LLP, Summary of U.S. State Data Breach Notification Statutes (2017).

37 Stephen Embry, "State Data Breach Notification Laws Just Got Crazier," Your ABA, May 2016; "Tennessee Adds Technical Requirements to Its Data Breach Notification Laws," Nat'l L. Rev., Apr. 26, 2017; Thomas Ritter, "Tennessee Amends Its Breach Notification Law (AGAIN) and Reinserts the Encryption Safe Harbor,", Mar. 29, 2017.

38 Erin Dietsche, "Healthcare Breaches Cost $6.2B Annually," Becker's Health IT & CIO Rev., Jan. 19, 2017.

39 Protenus, Cost of a Breach (white paper) (2016).

40 James Booth, "DLA Piper's Hack Attack Could Cost 'Millions'," Am. Law., July 7, 2017.

41 "World's Largest Data Breach Settlement Agreed by Anthem," HIPPA J., June 26, 2017.

42 Nile Lars, "Connected Medical Devices, Apps: Are They Leading the IOT Revolution—Or Vice Versa?," Wired; Ian Scales, "Smart Bandages to Use Real-Time 5G Connectivity," TelecomTV, 2017; Kim Zetter, "Hacker Can Send Fatal Dose to Hospital Drug Pumps," Wired, June 8, 2015.

43 Andrea Wells & Stephanie K. Jones, "Growth in Cyber Coverage Expected as Underwriting Evolves," Ins. J., Apr. 4, 2016.

44 Thomas Fox-Brewster, "Medical Devices Hit by Ransomware for The First Time in US Hospitals," Forbes, May 17, 2017.

45 Nile Lars, "Connected Medical Devices, Apps: Are They Leading the IOT Revolution—Or Vice Versa?," Wired.

46 U.S. Food & Drug Admin., Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System: FDA Safety Communication (July 31, 2015).

47 See National Council of ISACs.

48 Bruce Schneier, "Computer Security and Liability," Schneier on Security, Nov. 3, 2014.

49 Ellie Cambridge, Holly Christodoulou & Lizzie Parry, "NHS Cyber Attack 'Only Just Beginning' as Hackers Use 'Malware Atomic Bomb' to Turn Hijacked Machines into Infectious 'Zombies'.," Sun, May 14, 2017.

50 Ellie Cambridge, Holly Christodoulou & Lizzie Parry, "NHS Cyber Attack 'Only Just Beginning' as Hackers Use 'Malware Atomic Bomb' to Turn Hijacked Machines into Infectious 'Zombies'." Sun, May 14, 2017.

51 Nat'l Inst. of Justice, Office of Justice Programs, Gang Membership as a Prosecution Enhancement (Oct. 28, 2011).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions