Security

Cyber Insurance for Healthcare: What Are the Benefits and Requirements?

Cybersecurity insurance can mitigate the financial consequences of a data breach and offer services in the event of an emergency, but the costs and application complexity are rising.

Nathan Eddy

Nathan Eddy works as an independent filmmaker and journalist based in Berlin, specializing in architecture, business technology and healthcare IT. He is a graduate of Northwestern University’s Medill School of Journalism.

Cyber insurance for healthcare organizations has become increasingly important. As the industry undergoes digitalization and organizations’ attack surfaces expand, there is a growing need to adequately protect data from malicious actors.

Healthcare has seen a significant uptick in cyberattacks, and the sector continues to experience the highest average cost for data breaches, according to IBM’s annual Cost of a Data Breach report.

Many healthcare organizations, particularly rural health networks and community hospitals, are seen as softer targets because their IT budgets are relatively limited, and they are more likely to be using dated systems that are more difficult to protect.

This creates challenges when they shop for cybersecurity insurance, as carriers may charge higher premiums or deny coverage outright based on the higher perceived risk.

Even larger healthcare organizations with robust security teams and budgets face higher premiums than comparably sized counterparts in other industries because personal health information is an attractive target for cybercriminals.

“We’ve had cybersecurity insurance for at least a decade,” explains University of Pittsburgh Medical Center CTO Chris Carmody. “It really goes to the core of our risk mitigation strategy. Healthcare has always been a large target, so we need a plethora of controls and safeguards to ensure we can maintain operations and keep UPMC secure.”

Click the banner for access to exclusive HealthTech security content and a customized experience.

When the organization accomplishes milestones such as HITRUST certification, he says, that information is shared with the insurance provider and becomes part of how UPMC’s premiums are calculated.

“Over the past few years especially, I’ve seen them ask more detailed questions about what we’re doing in specific areas, including encryption and certifications. They’re asking for a lot of information to help them process and assess our risk profile,” he says. “And obviously, premiums have gone up.”

Positioning Healthcare Organizations for Cyber Insurance

Carmody says preparing for cyber insurance starts with IT leaders ensuring strong tech hygiene and being able to demonstrate defensive capabilities through certifications including HITRUST and SOC 2.

“Organizations should also consider an independent third party that can assess and evaluate the risks and contribute to positioning the organization to get cyber insurance,” he says.

Alla Valente, a senior analyst at Forrester serving security and risk professionals, notes that healthcare organizations must increase their investment in cybersecurity and risk management to ensure they are well positioned when applying for cyber insurance.

“For a long time, healthcare organizations have focused on compliance, specifically HIPAA compliance,” she says. “What we know now, since the pandemic and since the increase in cyberattacks specifically targeting healthcare, is that you can be fully compliant and still have a lot of cyber risk exposure.”

Valente cautions that organizations can’t rest on being HIPAA compliant; they must start looking at how they are securing their technology and infrastructure and how they are working with third parties.

“Are they doing the type of segmentation where third parties get access only to whatever it is they need to deliver on that project, or are there back doors that might give them access to something far greater?” she asks.

Carmody explains that UPMC has a chief risk officer who helps evaluate some components from the risk perspective.

“If you’re starting out fresh, talk to many different cybersecurity insurance providers, because they are all slightly different,” Carmody says. “Paying attention to those coverage details is important before you sign up, because you might not get the right coverage you need for your organization.”

The Benefits of Cyber Insurance Outweigh the Costs

Daniel Klein, chief business officer for Cynet, says it’s hard to make an argument against cyber insurance, considering the $10 million average cost of a breach for healthcare organizations.

“An immediate knock-on benefit of getting a cyber insurance policy is that the organization’s security posture will be improved to meet the insurer’s requirements,” he says. “Yes, this may mean investing in additional security personnel and better tools, but overall risk will be reduced as a result.”

He concedes that policy costs are a significant consideration, but he says the good news for healthcare organizations is that cyber insurance capacity has increased over the past 12 to 18 months, so they should have more options when shopping for a policy.

“Clearly, it benefits the industry if more organizations can afford insurance, so insurers and brokers are also offering useful guidance,” Klein says.

EXPLORE: Understand the importance of improving healthcare’s cyber resilience.

These efforts include publishing information and participating in events aimed at educating prospective clients about improving their security posture and obtaining lower premiums.

“If an organization is pursuing cyber insurance for the first time, it may be worth working with a qualified broker or other expert who can provide an honest assessment of the current security posture to identify any gaps,” he adds.

Valente also notes that some cyber insurance firms are partnering with attorneys and incident response specialists to help with auditing and to provide additional services for healthcare organizations.

“Being part of that collective network allows you to take advantage of all of these other professionals you might need when you’re dealing with a breach,” she says.

Who_I_am/Getty Images