After more than a month without access to its medical files, the Vidymed group sees an end to the crisis. But financially, it’s a massive blow. At this stage, the cost of fighting the cyber attack is estimated between 150,000 and 200,000 francs, not including the loss of income. “We have the means of a large SME, and we depend on Tarmed which does not take into account cybersecurity expenses,” recalls Didier Mann, financial director of the group. However, these expenses currently represent 1.5% of the group’s budget.
And Vidymed had not taken out insurance in this area. “We made calls for tenders two years ago, but the funds are unwilling, or at prohibitive prices,” he continues.
Indeed, premiums have climbed in recent years, and refusals are legion, confirms Stéphanie Pierret, director of the BCDT insurance brokerage office in Geneva. “To be insured, you have to be insurable,” she says. “It’s a little simpler for an SME, but overall the protocols required are quite thorough: you need to have good procedures in terms of back-up, updates, crisis plan…”
The problem for insurers is that the statistical rules they usually rely on don’t work here. “The number of attacks and their sophistication are increasing, because it is a more profitable and simpler sector for organized crime than human trafficking or drugs,” explains Jean-Pierre Hubaux, academic director of the Center for Digital Trust at EPFL. “And if a hack affects many companies at once, the costs could be too high for insurance.” Insurers therefore often offer a ceiling which makes the contract of little use.
“Medical, like banks, are particularly exposed sectors because the consequences can be very serious, and the data very confidential,” analyzes Stéphanie Pierret. And when the risks are great and threaten to cause the bankruptcy of a company, it may be tempted to pay the ransom, especially since the amounts are calibrated to be affordable, adds Jean-Pierre Hubaux. “But it’s problematic because it leads to a snowball effect.”
The two specialists therefore agree that investments in cybersecurity are essential. “It’s like paying for an army, and even then, the threat of a cyberattack is greater today than that of an invasion,” remarks Jean-Pierre Hubaux. And although the idea of a pool of insurers has already been raised, nothing concrete has been put in place to date, concludes Stéphanie Pierret.