ACADEMIA Letters

What do cyber-attacks and pandemics have in common? Some lessons from the German medical practices behaviour

Claudia Pitterle

Academia Letters, January 2022 ©2022 by the author — Open Access — Distributed under CC BY 4.0
Corresponding Author: Claudia Pitterle, pitterle.c@gmail.com
Citation: Pitterle, C. (2022). What do cyber-attacks and pandemics have in common? Some lessons from the German medical practices behaviour. Academia Letters, Article 4727. https://doi.org/10.20935/AL4727.

Key Learnings

1. 46% of 1030 German companies were attacked by cybercrime in 2021.
2. Doctors in private practice do not recognize the danger of an attack on their own practice.
3. Judgement heuristics are partly responsible for the behaviour of not feeling affected.
4. Damages from the pandemic as well as from cyber incidents are high and can be mitigated and/or prevented with insurance.

Abstract

This article deals with the cyber threat in German medical practices and why cyber insurance policies are not contracted. The increase of cyber attacks (https://www.gdv.de/de/themen/positionen-magazin/kolumne–die-schwachen-zuerst-68232) is comparable to the increase of Covid-19 sufferers. Both risks grow enormously fast, are very difficult to stop and cause very large damages. A medical practice is shut down for days, which causes financial damage. This is followed by a loss of reputation for the doctor. The doctor can protect himself against these consequences with appropriate insurance. But cyber insurance is not contracted, or hardly contracted at all, despite the realization of the threat. The author's own in-depth interviews with doctors in private practice in the fall of 2020 showed that the doctors see no need to take out cyber insurance, even though the threat is known. Possible explanations why these insurances are not contracted are provided by behavioral economics and are presented in this article.
In particular, judgment heuristics, also called “classical” heuristics, such as representativity, availability, and anchoring/adjustment, can lead to cognitive biases. The current research reports on an ongoing dissertation, which among other things deals with the topic of cyber attacks and the possibility of protection through cyber insurance. The research question emerged from the researcher’s prior understanding and practical experience of over 21 years of client counseling.

Keywords: Cyber Attacks, Cyber Insurance, Doctor’s practice, sales losses, judgment heuristics, behavioral economics

Introduction

Initial situation: a doctor [1] who runs his own surgery should act responsibly for himself and his employees and protect himself against economic damage. In the event of a loss of business, wages, rents, etc. must continue to be paid. Similarly, arrangements must be made for who continues the surgery when a doctor, for example, becomes ill. In addition, the number of cyber-attacks on patient data in Germany is constantly increasing. Economic damage can be insured in Germany with existing insurance products.

In recent years, cybercrime has also increased in Germany. Medical surgeries have become victims of blackmailers (GDV, 2019). Patient data has been stolen or blocked due to poorly secured servers. Doctors are blackmailed into paying ransoms. Medical surgeries stand still for days, and the doctors have to bear not only the loss of reputation but also the loss of business. This risk is completely underestimated in German medical surgeries. A survey by the German Insurance Association found that 44% of doctors see the risk of a cyber-attack on a doctor’s office as very high. However, only 17% see themselves as the victim of an attack (GDV, 2019). In the case of a cyber-attack as described above, costs of 37.000 EUR [2] can quickly accumulate.

[1] The generic masculine is used for easier reading.
[2] https://www.gdv.de/resource/blob/48328/ae262d6702e2d9f5446c780a22450d23/download-branchenreportcyber-aerzte-und-apotheker-data.pdf

In group surgeries, the damage is multiplied by the number of doctors. In addition, there is a loss of reputation for the surgery, which is very difficult to quantify.

The following example of a cyber-attack illustrates what costs a doctor faces and what insurance covers. This example can be found in the industry report on cyber risks of doctors and pharmacies (GDV, 2019). A cyber-attack often begins with the theft of patient data. The hackers demand a ransom by means of a blackmail letter, in return for not publishing the data. The following costs are incurred: information costs to patients of 4.000 EUR, involvement of a lawyer 2.000 EUR, security assistance 5.000 EUR, two days of business interruption 5.000 EUR, claims for damages from patients due to published data according to Art. 82 DSGVO (liability and right to compensation) (DSGVO, 2018) 20.000 EUR, crisis communication 1.000 EUR. These costs of 37.000 EUR can be covered by insurance.

Further costs are incurred that have not yet been taken into account: the doctor must report the attack to the State Data Protection Commissioner within 72 hours. The State Data Protection Commissioner will then decide whether and how to inform the potentially affected patients; depending on the federal state, a registered letter with return receipt is required for this. Postage costs per letter are 5,50 euros.
With only 4.000 patients’ data, the costs amount to another 22.000 EUR. These can also be covered by insurance. The cost of the damage to the practice increases depending on the number of patients.

It is very easy to take out cyber insurance in Germany. Such a policy protects against an attack, helps in the event of damage so that the practice can be reopened more quickly, and insures the damage incurred. A large market of insurance companies has emerged offering these policies. It is even possible to take out an insurance policy online. However, these policies are hardly found in the insurance portfolios of doctors. The reasons for refusal, such as that the practice is too insignificant and too small, are manifold. These will be explained in the next section after a presentation of the data situation and an explanatory approach from behavioral economics as to how the rejection occurs.

Method

A look at Germany shows (see the Hiscox Cyber Readiness Report 2021; Hiscox, 2021) that of 1030 companies surveyed in Germany in 2021, 46% said they had experienced a cyber-attack in the last 12 months. In 2020, this figure was still at 41%. Thus, almost every second company had an attack. The healthcare sector works with highly sensitive patient health data and is a very popular target of cyber-attacks. In addition, a survey of responsible staff at 200 medical practices was conducted by GDV in Germany in the summer of 2018 (GDV, 2019). The threat is known among doctors, but the risk of becoming the target of such an attack themselves is considered very low.
Here, 56% of the doctors surveyed emphasized that their practice is too small to come into the focus of cybercriminals. Similarly, 80% of respondents feel that existing computer systems are adequately protected.

During the one-hour depth interviews conducted, respondents were also asked about having cyber risk insurance coverage. None of the five doctors interviewed had such insurance, nor did they see the need for such coverage. The doctors’ arguments against having such insurance included: “we have a software service provider that maintains the systems,” “my practice is too insignificant,” “the server only runs during the day,” “we are adequately protected.”

Such non-rational decisions as deciding against insurance coverage are explained within the framework of behavioral economics. Approaches already researched are explained below and applied to my interviews. Richter, Ruß and Schelling (2018) describe considerations from the perspective of modern behavioral economics on how needs and decision processes of insurance customers can be better understood. Using a selection of behavioral patterns, Richter et al. illustrate how insurance is not contracted and risks are misperceived.

Pfister, Jungermann and Fischer (2019, p. 133 ff) refer to the “classical” heuristics: representativity, availability and anchoring/adjustment. These were proposed by Tversky and Kahneman and are considered the most important heuristics. A heuristic is a simple rule, also called a rule of thumb, that simplifies the formation of judgements. Especially in complex problems, such as making decisions, a simple rule is used. “Heuristics often lead to correct or approximately correct judgments and decisions, but under certain conditions can systematically lead to misjudgments (bias)” (Pfister et al. 2019, p. 133). “… people rely on a limited number of heuristic principles which reduce the complex tasks of assessing probabilities and predicting values to simpler judgmental operations.
In general, these heuristics are quite useful, but sometimes they lead to severe and systematic errors” (Tversky & Kahneman 1974, p. 1124).

The multitude of daily decisions can be facilitated by judgement heuristics, according to Theil M. (2002, p. 55 ff). The application is mostly successful but can lead to systematic errors (Jungermann and Slovic, p. 188, see Bechmann, G. 1993). “Two areas are of particular importance here: the assessment of low-probability events is particularly prone to error, and the search for causal relationships ends as soon as a satisfactory solution has been found” (Theil M. 2002, p. 56). For illustration purposes, the three heuristics are presented below and their relevance to insurance demand explained; see Theil M. 2002, p. 55-98 and Richter et al. 2018, p. 8.

Representativeness: this is about the extent to which an object, person, situation or condition is considered representative of a class. These characteristics influence frequency and probability estimates. Thus, this heuristic is held responsible for biases in the estimation of probabilities and influences the assessment of the extent of damage (Theil M. 2002 cited in Williams and Heinz 1971, p. 66 f). “It won’t happen to me”: a damage event can thus not be considered representative (Jungermann and Slovic, p. 189, see Bechmann, G. 1993).

Availability: mental availability refers to the fact that some information is easier to imagine, remember and recall than other information. This can lead to judgements about possibilities or probabilities being significantly influenced.
(Slovic, Fischhoff and Lichtenstein 1977, p. 4; Watson and Buede 1988, p. 86; Eisenführ and Weber 2004, p. 176, p. 367). This availability heuristic is thus also seen as a suitable basis for assessing a risk, as certain events are easier to imagine (Slovic, Fischhoff and Lichtenstein 1982, p. 463-490). The insurable risks of an insurance policy often have low probabilities of occurrence, although the extent of the damage can be considerable, and are therefore hardly or rarely recalled.

Anchoring/Adjustment (Richter et al. 2018): this refers to the phenomenon that human assessments and decisions depend on initial or starting values. These can be completely arbitrary and irrelevant to the decision. Thus, arbitrary numbers in the “back of the head” can be accessed, which influence the decision although they play no role in the context. These anchors influence insurance decisions in that the current state is seen as the baseline for assessments of future deviations. The set anchors are then used to estimate variables relevant to the decision (Theil M. 2002, p. 90).

The depth interviews conducted by the researcher with doctors in the autumn of 2020 have already shown that doctors use these judgment heuristics. Representativeness and availability were shown in that the doctors did not recognize the threat to their own practice or did not consider it likely. Thus, they also have not contracted insurance to compensate for the damages of a cyber-attack. The current status is maintained as an anchor and insurance is not seen as necessary.

Richter et al. (2018) describe considerations from the perspective of modern behavioral economics on how needs and decision processes of insurance customers can be better understood. Using a selection of behavioral patterns, Richter et al. illustrate how insurance is not contracted and risks are misperceived.

Results/Discussion

Initial evaluations of the depth interviews already showed, through the non-utilisation of insurance and justifications such as “we have a software service provider who maintains the systems”, “my practice is too insignificant”, “the server only runs during the day”, “we are sufficiently protected”, that the described heuristics were apparently resorted to. These then led to systematic errors, which in the end resulted in the rejection of insurance cover. This may be due to the fact that the probability of becoming a victim of a cyber attack is classified as unlikely. Information that it could hit the doctor and his own practice cannot be retrieved or is not imaginable. Similarly, that it could hit the “small, insignificant” medical practice is not perceived. Both judgement heuristics, representativity and availability, are manifested, so that the current state (anchor) is maintained and insurance is not taken out.

However, the small number of doctors studied in the depth interviews and the time elapsed since the first survey and the publication of the GDV results in 2019 speak against this. It is planned to conduct online surveys in autumn 2021 with two associations: the German Association of Medical Specialists (Spitzenverband Fachärzte Deutschlands [3]) and the German Association of General Practitioners (Deutscher Hausärzteverband [4]). Both associations are interested, as the protection of physicians is important to them. An online survey will be conducted to investigate the attitudes of doctors towards insurance and towards the topic of cyber attacks and protection with a special insurance policy.
This is to test once again whether doctors are subject to the judgment heuristics already described.

What is desirable is an increased risk awareness among doctors about the significance of cyber attacks on their own medical practices. That is, prevention analogous to the protective measures against Corona, such as wearing a mask and keeping a distance, as well as increased insurance coverage, i.e. a better vaccination rate.

[3] https://www.spifa.de
[4] https://www.hausaerzteverband.de

References

Art. 82 DSGVO – Haftung und Recht auf Schadenersatz. (2018, March 26). Datenschutz-Grundverordnung (DSGVO). https://dsgvo-gesetz.de/art-82-dsgvo/

Bechmann, G. (1993). Risiko und Gesellschaft: Grundlagen und Ergebnisse interdisziplinärer Risikoforschung (German Edition) (1993rd ed.). VS Verlag für Sozialwissenschaften.

Eisenführ, F., & Weber, M. (2003). Rationales Entscheiden (Springer-Lehrbuch) (German Edition) (4., neu bearb. Aufl.). Springer.

GDV. (2019, May 31). Branchenreport Cyberrisiken bei Ärzten und Apotheken. Www.Gdv.De. https://www.gdv.de/resource/blob/45196/ae262d6702e2d9f5446c780a22450d23/downloadbranchenreport-cyber-aerzte-und-apotheker-data.pdf#page=1&zoom=70,-466,853

Hiscox. (2021, April). Hiscox Cyber Readiness Report 2021 - Don’t let cyber be a game of chance. (No. 5-). Hiscox Ltd.

Pfister, H., Jungermann, H., & Fischer, K. (2016). Die Psychologie der Entscheidung: Eine Einführung (German Edition) (4. Aufl. 2017 ed.). Springer.

Richter, Andreas/Jochen Ruß/Stefan Schelling: Moderne Verhaltensökonomie in der Versicherungswirtschaft: Denkanstöße für ein besseres Verständnis der Kunden (essentials) (German Edition), 1. Aufl. 2018., Wiesbaden, Germany: Springer Gabler, 2017.

Slovic, P., Fischhoff, B., & Lichtenstein, S. (1977). Behavioral Decision Theory. In Annual Review of Psychology 27 (pp. 1–39). Oregon Research Institute.

Theil, M. (2002). Versicherungsentscheidungen und Prospect Theory. Springer Publishing.

Slovic, P., Fischhoff, B., & Lichtenstein, S. (1982). Facts versus fears: Understanding perceived risk. In D. Kahneman, P. Slovic, & A. Tversky (Eds.), Judgement under uncertainty: Heuristics and biases (pp. 463–490). Cambridge University Press.

Watson, S., & Buede, D. (1988). Decision Synthesis: The Principles and Practice of Decision Analysis. Cambridge University Press.

Tversky, & Kahneman. (1974, September 27). Judgment under Uncertainty: Heuristics and Biases. Http://Links.Jstor.Org. https://www2.psych.ubc.ca/ schaller/Psyc590Readings/TverskyKahneman1974.pd