Given the proliferation and cost of healthcare data breaches and ransomware attacks, it is surprising that 70 percent of healthcare organizations have no cyber insurance, according to a survey of security executives by Ovum for analytics firm FICO.
This compares with only 24 percent of US firms across industries not having cyber insurance coverage, down significantly from 50 percent in 2017.
“It's great to see that progress is being made, but still surprising that nearly a quarter of US firms surveyed have no cybersecurity insurance coverage,” said FICO vice president for cybersecurity solutions Doug Clare.
“Given the number of large-scale and very public breaches in recent years, it's not surprising that we've seen a big increase in US organizations investing in it over the past 12 months, but there's still some way to go. As the insurance market matures and the litigation and fines increase we expect more firms will also go beyond basic coverage to seek insurance that is more comprehensive.”
The survey also found that only 32 percent of US firms said their cybersecurity insurance covers all risks, and only 26 percent said their insurer based their premiums on an accurate analysis of their risk profile. Most firms said premiums are based on an inaccurate analysis, on industry averages, or on unknown factors.
“Although US organizations now perform well in terms of the uptake of cyber insurance, the fact that only 32 percent have comprehensive insurance demonstrates there is still some way to go for these firms to have a broad view of their security posture and how to present it for insurance,” said Ovum Research Director Maxine Holt.
“It could also show that these companies have a current security posture that insurers are not prepared to cover comprehensively. We should not detract from the positive news here; 76 percent of US organizations have elevated the importance of cybersecurity to a level that requires insuring, even if only partially,” she added.
Healthcare providers should consider cyber insurance because the costs of healthcare data breaches are the highest of any industry. According to the 2018 Cost of a Data Breach Report, healthcare data breach costs average $408 per record, nearly three times higher than the cross-industry average of $148 per record.
The average cost of a data breach across industries and countries is $3.86 million, a 6.4 percent increase from 2017 and a nearly 10 percent net increase over the past five years.
Hidden costs in data breaches are difficult and expensive to manage, according to the report.
“While highly publicized data breaches often report losses in the millions, these numbers are highly variable and often focused on a few specific costs which are easily quantified,” said Global Lead for IBM X-Force Incident Response and Intelligence Services Wendi Whitmore.
“The truth is there are many hidden expenses which must be taken into account, such as reputational damage, customer turnover, and operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake,” Whitmore added.
In addition to data breaches, ransomware attacks can be costly for healthcare organizations. In fact, more than one-quarter of cyber insurance claims received by insurance giant AIG last year were the result of ransomware attacks, the largest percentage of any cyberattack type.
This was a large increase from the average of 16 percent of cyber claims coming from ransomware attacks in the years 2013-2016.
The WannaCry ransomware attacks, in particular, had a devastating impact on the healthcare industry, as well as on financial services, logistics, education, and manufacturing, according to AIG statistics.
“The WannaCry outbreak, which hit hundreds of thousands of machines around the world, could have been worse in terms of scale and insured losses if a UK researcher hadn’t quickly found and activated the kill switch,” said Mark Camillo, head of cyber for Europe, the Middle East, and Africa at AIG.
Ransomware has become increasingly commoditized, with the creators of recent variants offering revenue-sharing agreements to partners. There is no guarantee that victims will get their data back, even if they pay the ransom, AIG concluded.