The healthcare sector has been a prime target for hackers over the last few years. Attacks have increased in sophistication, shifting at times from the obvious ransomware attacks to subtle, credential-stealing cyberattacks that hide in the background.
As hacks have increased in frequency, the costs for cybersecurity have exploded. To start, healthcare organizations spend 64 percent more in advertising in the two years that follow a breach. Overall, it takes around $1.4 million to recover from a cyberattack, according to a report from Radware, a security firm.
Those costs include a loss of productivity, damage to reputation, and service disruption, among other expenses.
To combat some of these costs and risks to reputation, many healthcare organizations are turning to cyber insurance, which can protect an organization from those costs associated with a breach.
Cyber liability insurance covers data breaches, digital security issues, cyber crime, and hacking. Much like fire insurance helps homeowners pay for the property damages and associated recovery from a fire, cyber insurance helps cover legal fees, damaged network, software, or hardware, and other associated losses. Some policies may also cover HIPAA-related fines.
However, not all policies and vendors are created equal. And because cyber insurance is relatively new compared to more common policies, such as life, health, or homeowner’s insurance, there are a lot of gray areas, which can lead to organizations not buying the right coverage.
As a result, C-suite members may think that they’re adequately covered by their insurance company, only to discover they’re not. As breaches happen on a near-daily basis in the healthcare sector, it’s crucial to understand the difference between insurers and policies, as well as the requirements of the covered entity.
Each vendor will differ in types of coverage and requirements, and there are many red flags to avoid when choosing a policy. It falls to the health provider to do their homework to avoid making a costly mistake.
What is cyber insurance, why is it important, and how can healthcare organizations ensure that they are picking a policy that best covers their needs?
What is Cyber Insurance?
Typically, a cyber insurance policy will cover losses and damages incurred by a breach or security event that includes the loss, exposure, improperly shared, or theft of patient data. Some coverage will also handle ransomware attacks, but health providers must ensure that the correct language is added to coverage when negotiating with an insurance agent.
CNA, Chubb, Beazley Insurance, Traveler, and Liberty Mutual are some of the top cyber insurers that serve multiple commercial sectors.
However, unlike with traditional insurance policies, there’s no standard format for underwriting these types of policies. Therefore, the burden falls to the purchasing team to research the differences in carriers, such as amounts and requirements of the holder.
For example, coverage will be broken down into first-party or third-party. The coverage will either be limited to the purchasing organization itself or extend to the organization’s covered entities, in the event of cyber threat, breach, and other security incidents.
The right cyber insurance policy will include breach management and activity monitoring funds. Organizations may also choose to purchase coverage that includes the cost to repair or replace tools or systems that were damaged by a cyberattack.
Cyber insurance may also cover the costs of investigations following the breach, along with the cost to notify patients and the public.
To start the purchasing process, an organization will need to work with a cyber insurance agent to identify the different types of policies. Typically, the greater the coverage, the more the policy will cost.
However, as with cybersecurity, cyber insurance should be considered an investment that will protect the finances across the entire organization. While cost is important, the scope of what is covered in the policy is crucial. Purchasing a policy without understanding the requirements of the organization, or the extent of coverage could be a waste of funds, if the policy doesn’t go far enough into the needs of an organization.
Why do organizations need cyber insurance?
As hackers continue to pummel the healthcare sector with cyberattacks, litigation stemming from a breach has increased in equal measure. Even when data isn’t breached, an organization can still be sued when a cyberattack impacts the ability to deliver patient care.
Consider the ransomware attack on Allscripts in January 2018. While officials said no data was impacted in the attack, the EHR-vendor was sued by several clients who were unable to access their EHRs during the week-long attack. They alleged that Allscripts should have better secured and audited its system to prevent such an event.
While the litigation is still pending, the risk to an organization’s reputation and bottom line can be severely impacted in the event of a cyberattack.
Not only that, but as a result of the increased litigation in recent years, almost all cyber insurance policies cover the cost of breach notifications and legal fees associated with a breach event.
This type of coverage could be critical if an organization faces a situation similar to that of the Erie County Medical Center (ECMC) in April 2017. The ransomware attack took down 6,000 ECMC computers over the course of six weeks. Even though the cyberattack was discovered within hours, all computer systems were locked down, driving providers back to pen and paper.
For two weeks, ECMC staff worked without email access and had to manually register patients. It took three weeks for lab results and other communications to be electronically delivered. Even worse, it took months for the system to recover and officials confessed that it cost nearly $10 million to recover from the attack, according to a Barkly report.
As hackers look to medical devices and new ways to break into a network, malpractice and other legal issues can arise from cyberattacks. The new reality for healthcare is that the risk of security incidents has expanded past the possibility of data loss: it is now a matter of patient safety.
At the end of the day, an organization can’t be 100 percent certain they’re protected from hackers and other cyber threats. While cyber insurance isn’t a magical, fix-all solution to protecting revenue and reputation, the right cyber broker and policy can provide some protection from losses associated with data breaches and other security events.
Evaluating an Organization’s Needs
Purchasing cyber insurance begins with a complete top-to-bottom assessment of an organization’s IT and security capabilities. Before beginning the process of evaluating brokers and policies, the right people need to be involved to determine the right coverage for the organization.
To start, organizations must get key stakeholders involved with the process. This will include privacy and security leaders, security officers, and IT leaders. Key business decision makers and the legal team should also be involved.
These stakeholders will conduct the evaluation process that will look at the number of patients served by the organization and the type and amount of data to be covered. They should also be able to communicate those details to the cyber insurance agent.
The idea is to have these stakeholders provide the necessary information about how these security needs relate to patients, as well as the inside information into how the data flows within the organization. For example, IT and security leaders should have an inventory of where the data lives, which will have an impact on what coverage is required.
Further, organizations need a grasp on their control environment.
The risk manager and IT director should evaluate their incident response plan, which is crucial in cyber insurance coverage. The healthcare organization needs to hold up its end of the bargain when it comes to security, or a claim can be denied by the carrier if a breach occurs.
As a result, organizations need to assess their incident response plans, disaster recovery protocols, security tools, patching practices, and other processes to ensure that their security program is up to the standards of the insurer. This risk assessment should go above and beyond checking the boxes of HIPAA compliance. Often, hiring a third-party forensics team can help with the evaluation of the security program.
Evaluating Cyber Insurance Vendors
The cyber insurance market is predicted to reach $6.2 billion by 2020, according to Verisk Analytics, leading to an abundance of options when it comes to carriers and policies.
But the idea is to find an insurance carrier that will truly partner with the organization on security.
To start, look for a reputable carrier with sound reviews and a membership in the National Association of Insurance Commissioners. This organization is a US standard-setting and regulatory support organization, governed by chief insurance regulators.
Next, look for a carrier that is open and honest about policies and will work with the organization to develop policies that will enhance the security program. The insurer should also be reasonably priced, and the organization should compare coverage costs across the different policies to determine the right one for their needs.
A carrier will provide a questionnaire to be filled out by the organization, which will provide an overview of their security posture, program, tools, and policies. It’s crucial this process is completed carefully and accurately, as failure to hold up to the items and policies outlined in the form could lead to a denied claim. It’s also important to be conservative in the answers, for this reason.
Organizations should meet with the insurance agent to discuss any questions that may have an effect on the accuracy of their statements. If an organization documents that there are certain security measures in place, but in reality they are out of date, then a claim can be denied.
Transparency is crucial to coverage. The key to successful coverage is the strong risk assessment performed before shopping for a policy. This provides the underwriter with clear documentation that the organization’s security program is sound.
However, any changes to the program, such as a new tool or patching issue, should be noted to the underwriter to maintain coverage and accuracy.
Providers should review each insurer’s offered services and read customer reviews to choose the right insurer. A company with healthcare experience is ideal. The insurer must understand the difficult nature of cybersecurity in healthcare and should have a grasp on healthcare’s specific needs.
Lastly, an organization must be sure of what is covered in case of a breach or cyberattack. Often providers rush the process to focus on costs, but fail to adequately assess what is being covered. Don’t rely on word of mouth; have the legal team assess the document carefully to ensure that precisely the right data, systems, and breach recovery processes are covered.
In case of a breach, the carrier will likely work with the organization – especially around the investigation. Each carrier will have its own method of handling a breach situation, with many companies that want to be hyper-involved.
Some IT leaders have made the mistake of assuming that they’ll be in charge of the investigation. However, with cyber insurance, most policies include the use of the insurance company’s preferred forensics team,” according to a report from cybersecurity company Symantec.
“Typical first party coverage includes coverage for the following: forensic investigators to determine the scope of the cyber or privacy incident; a law firm to act as breach counsel to advise the insured of its obligations arising from any breach of sensitive data; costs of notifying affected individuals; a public relations firm to provide advice on whether and how to make public statements, credit and/or identity monitoring; and call center support,” the report authors wrote.
“Cyber policies will help to stem an event but do not pay for the expenses incurred to correct or remediate technical problems or provide the upgrades necessary to prevent future data breaches.”
Therefore, if an organization wants that type of control, the stakeholders must outline their preferences during the contract process.
The key to successfully buying cyber insurance is time, research, and a thorough, transparent risk assessment. As the healthcare sector continues to be a prime target for cyberattacks and given that the risk surface is substantial, the best way to buy a policy is to be proactive. The benefit of working with an agent with healthcare experience will also ensure that the coverage is applicable for the needs of the organization.