“People who live in glass houses should take out insurance” and right now, the winds are blowing at hurricane strength.
Between two years of COVID and the seemingly daily headlines of breaches and ransomware attacks, healthcare organizations are reeling. According to a report from Comparitech, attacks in 2020 were double those in 2019, impacting over 600 healthcare facilities and more than 18 million patient records. Because of the increase in “double-extortion” attacks where the criminals not only lock up computer systems but also steal data and threaten to sell it on the web, many healthcare entities have felt pressured to pay ransom sums that varied from hundreds of thousands to well over one million dollars.
It’s no wonder that attempting to buy affordable healthcare Cyber Insurance these days is akin to finding the holy grail. As insurance companies are forced to pay out on skyrocketing claims, they are quickly rewriting their policies, jacking up premiums, and in some cases, excluding cyber coverage completely.
Back in the “good old days” a company got “technology” or “IT insurance” (which included cyber coverage) by answering a few basic questions – primarily around the value of its hardware infrastructure.
Ahh… the good old days.
In the last 3 months, I’ve looked at policy renewals for several of my clients, varying in size from small physician practices to large health systems. Every single renewal had the same theme –
- Cyber Insurance was specifically called out (or in one case, excluded)
- The cost for Cyber Insurance increased for every client – anywhere from 25% to 200%
- Every single insurance provider asked a series of very technical, very specific IT security questions, and these questions impacted the cost of cyber insurance, or whether it would even be provided
That last point is an important one. While every insurance company had its own underwriting criteria, these questions turned up on every application in one form or another.
- How often do you do security training – especially phishing awareness? It’s amazing to me that I still have clients who have never, or rarely, conducted this type of training – even though it’s the number one method criminals use to gain access to your systems.
- Do you deploy and keep current a next-generation endpoint protection product? Again, some folks feel traditional antivirus/anti-malware products are adequate, but they only protect against known threats. Next-generation products use algorithms to predict malicious behavior and, if configured correctly, will prevent it from happening and/or spreading.
- How frequently do you patch your systems, and are you running obsolete systems? Again, a common “failure point” in healthcare. The continued “fear” of downtime and user dissatisfaction, or lack of resources, prevents some organizations from patching at a frequency that helps protect them.
- Are you using multi-factor authentication (MFA) for folks who access systems remotely? Many healthcare organizations are embracing this technology, especially when so much of the workforce moved offsite because of COVID, but there are still holdouts out there.
While there are a variety of other questions that are also asked (depending on the insurance provider), these have been on every renewal quote I’ve seen. These four items are “security 101” and easily resolved/implemented. If you haven’t addressed these yet – be prepared – your insurance premiums will probably increase dramatically at renewal, or you may be denied cyber insurance altogether.
Our glass house is a target. Installing hurricane windows is your best defense against attack from the bad guys (and your insurance carrier).
Be safe. Be Secure.