Exploring Challenges, Benefits of Cyber Insurance in Healthcare

May 05, 2022 - As the healthcare sector remains a key target for data breaches, more organizations are turning to cyber insurance to minimize the damaging effects of a breach.

Healthcare data breaches impacted more than 40 million individuals in 2021 alone. A single data breach costs healthcare organizations an average of $9.23 million.

Experts say cyber insurance can help, but due to the unpredictable nature of cyber threats and the lack of historical data to estimate losses, cyber insurers and clients may find themselves navigating uncharted territory.

"The cybersecurity insurance landscape is evolving quickly and not always for the client's benefit," Robert Bradford, senior project manager at 1898 & Co., explained in an interview with HealthITSecurity.

"Policy providers prefer to have some level of certainty about what they are insuring, and right now, that certainty does not exist."

Cyber Insurance Can Minimize Losses 

"The benefit, of course, is trying to protect yourself from loss—either from a ransomware attack or a data breach where PHI leaves your organization," Bradford explained.

Considering the volatility of the cyber threat landscape, many organizations have accepted that it is impossible to predict and avoid every type of cyber incident.

Cyber incident response plans and robust security architectures are crucial to mitigating risk and protecting sensitive data, and prevention efforts are still important. But the "it's not if, but when" mentality has become widespread, and organizations are preparing accordingly.

In the unfortunate event of a successful cyberattack or accidental data breach, cyber liability insurance can cover losses and the legal fees associated with cyber incidents. Depending on the policy, some may also cover HIPAA-related fines.

Each policy is slightly different, which puts the burden on healthcare organizations to assess what policy will help them most in the face of a cybersecurity incident. For example, some may cover the cost of a ransomware attack, while others will not.

With an adequate assessment of the organization's needs and the policy's coverage, cyber insurance can be an asset to healthcare organizations in the face of a breach.

The Question of Cost

According to a report by Index Market Research, the global cyber insurance market will be valued at approximately $22.5 billion by 2030. In 2018, the market value of cyber insurance was $4.3 billion.

But the increased demand for cyber insurance and the uptick in cyber incidents has also led to higher insurance costs, a 2021 US Government Accountability Office (GAO) report found.

"The extent to which cyber insurance will continue to be generally available and affordable remains uncertain," GAO noted.

"Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education and for public-sector entities."

But even as costs go up, having some level of cyber coverage is likely to be financially beneficial. A data breach and its associated fees are likely to be significantly more costly than an insurance policy.

"Critical infrastructure sectors are not immune to this uncertainty," Bradford continued.

"The more uncertain the insurers are about any given sector, the more expensive the coverage. If organizations are paying more for policies, it indicates that the insurance industry can't comfortably quantify the risks, the appropriate mitigations to those risks, and the potential levels of liability that might result from a cyber incident."

Organizations must strike the right balance between having the right coverage and implementing adequate security controls to mitigate risk internally.

"And having the wrong kind or amount of coverage could be even worse than having none at all," pwc noted in a blog post.

"A false sense of security could ultimately end up costing your organization more — or cause you to lose your business altogether."

Lack of History, Uncertainty Makes Coverage Difficult

"With life insurance and auto insurance, there are actuarial tables built upon years of data that you can look at. You can look at the statistics behind those and be relatively assured of the probability and the degree of loss if something happened," Bradford explained.

"It's a brave new world with cybersecurity, and the landscape is changing so quickly with new devices and technologies coming online. Everyone has struggled with trying to quantify what an appropriate level of coverage is and what an appropriate level of risk is."

Although cyber insurance is not brand new, cyber threats are constantly changing, making it difficult to quantify risk and provide consistent coverage. Cyber insurance coverage is uncertain from both the insurer's and the healthcare organization's perspectives.

"Without comprehensive, high-quality data on cyber losses, it can be difficult to estimate potential losses from cyberattacks and price policies accordingly," GAO emphasized.

"Opportunities exist for improving the nation's capacity for collecting cyber event and loss data and for coordinating industry-wide efforts to collect and share that information."

In addition to a lack of historical data, GAO noted that cyber policies often lack standardized definitions for terms like "cyberattack." Without clear definitions for what a cyberattack is, organizations may find themselves thinking they have coverage for a particular cyber incident, only to find out later that their policy would not cover it. 

Getting the Most Out of Your Cyber Insurance Coverage

Even with uncertainties and challenges, healthcare organizations can benefit significantly from the right cyber insurance policy. The critical thing to remember is that cyber insurance is not a band-aid for inadequate cybersecurity measures.

"From a cyber insurance standpoint, especially in healthcare, the threat landscape is rapidly evolving and more changes are coming," Fortified Health Security suggested in a recent report.

"The cyber insurance space is also undergoing rapid changes, and your cybersecurity efforts must keep pace. Organizations must be proactive, involved and prepared to maintain adequate cybersecurity insurance coverage. Be aware of renewal deadlines and ensure your security protocols are in line with coverages."

To get the most out of a cyber insurance policy, organizations must understand the allowances and limitations that their specific policy affords. Prioritizing vulnerability management, patching, and basic cyber hygiene can help organizations reduce risk and ensure coverage.

"You need to have an asset list of devices and networks and how those are interrelated with one another to identify weak links in the system," Bradford recommended.

Some insurers would not cover expenses associated with a security incident if the organization failed to implement basic cybersecurity measures. Cyber insurers are increasingly requiring organizations to implement security technologies, such as endpoint detection and response (EDR) solutions, into their security architecture to mitigate risk.

Cyber insurance policies will not shield organizations from the fallout of a healthcare data breach. However, implementing a comprehensive security program and incident response plan in conjunction with a cyber insurance policy may enable healthcare organizations to lessen the impact of a data breach.

"Today, all of healthcare has a bullseye on its back and is being attacked thousands of times daily. No longer can healthcare organizations hope to not be targeted and attacked," the Fortified Health Security report insisted.

"It's not a question of if, but when. Prevention and mitigation are the only acceptable responses. Hoping for the best was never an acceptable position, and today is even less so."