Increasingly sophisticated cyberattacks continue to cause data breaches at medical practices and healthcare organizations. From ransomware and malware attacks to phishing and smishing campaigns, hackers can target any employee or business. And while many companies may have solid cybersecurity plans in place to protect their data and patients’ personally identifiable information (PII), a separate cyber risk insurance policy can help cover the expenses associated with an attack, such as notifying patients of a security breach, paying for legal fees, recovering data and replacing compromised devices and systems.
To help the healthcare industry understand the risks of a data breach and how cyber liability insurance fits into an IT security ecosystem, Pixel Health recently hosted an educational webinar. This article shares some of the highlights from the webinar: the underwriting process, the differences in insurance coverage, and best practices for planning ahead.
Recognizing the ongoing cybersecurity challenges
A data breach in the healthcare industry averaged $10.10 million in costs in 2022 (IBM report), and 658 data breaches were reported in the U.S. healthcare sector in 2022 (Critical Insight report), involving the health records of nearly 50 million Americans.
“Threat actors are continuously evolving their phishing and smishing methods,” said Jennifer Brown, Vice President of Customer Operations for Pixel Health Technology Services. “Even with the best laid plans in an organization, data breaches can happen to anyone with an email account or a phone number.”
Navigating cybersecurity insurance forms starts with an assessment
Obtaining an insurance quote starts with understanding the security of a healthcare organization’s IT systems.
“When our clients are considering a cyber risk policy, we can provide an assessment of their current HIPAA practices and network,” said Jennifer. “With this vulnerability scan, we can help them answer questions on the insurance forms, provide guidance for the next steps and even help companies make upgrades after they receive their insurance appraisal.”
Understanding the underwriting process
Before offering a policy, underwriters work to understand the current key technology controls or tools at an organization.
“Historically, underwriters have evaluated a company’s segregated offsite backup, patch management, intrusion detection, and firewalls,” said Ben Adler, Principal of Wellstone Insurance. “More recently, they are also looking at a company’s capabilities involving multifactor authentication (MFA), endpoint/managed detection and response, email authentication, filtering, and the security of their external website. The more sophisticated an organization, the more the carriers are probing.”
Non-technology controls are also evaluated, such as business continuity planning, third-party provider agreements, PCI compliance for companies that accept credit card payments, and the level of employee training related to cybersecurity best practices.
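The email authentication item on that list is one a practice can check for itself before the questionnaire arrives. The following is an added example, not code from the webinar, Pixel Health, or Wellstone Insurance. It evaluates SPF and DMARC TXT records offline: the record strings and domain names below are constructed for the demo and no DNS queries are made, so to use it on a real domain you would first fetch the domain's TXT record and the `_dmarc.<domain>` TXT record yourself. It flags the settings that read as weak on an underwriting form: a permissive `+all` or missing `all` in SPF, more than the ten DNS-lookup mechanisms RFC 7208 allows, a monitor-only `p=none` in DMARC, a partial `pct`, and no reporting address.

```python
"""Offline assessment of SPF and DMARC records (added example, constructed input).

No network access: records are passed in as strings. On a real domain, fetch the
TXT record for the domain (SPF) and for _dmarc.<domain> (DMARC) and pass them in.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps these at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "mechanisms": [], "all": None}
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            # A bare 'all' is implicitly '+all' (pass).
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"valid": True, "mechanisms": mechanisms, "all": all_qualifier}


def assess_spf(record: str) -> list:
    """Return a list of findings; an empty list means no weakness detected."""
    spf = parse_spf(record)
    if not spf["valid"]:
        return ["SPF: record missing or malformed (no v=spf1)"]
    findings = []
    if spf["all"] is None:
        findings.append("SPF: no 'all' term; mail from unlisted senders is not rejected")
    elif spf["all"] == "+":
        findings.append("SPF: '+all' authorizes every sender on the internet")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to enforce")
    lookups = sum(
        1 for m in spf["mechanisms"]
        if re.split(r"[:=/]", m.lstrip("+-~?"), 1)[0].lower() in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed (no v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p tag missing or unrecognized")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports are never collected")
    return findings


def assess_domain(txt_records: dict) -> dict:
    """txt_records holds the 'spf' and 'dmarc' TXT strings (None if absent)."""
    findings = assess_spf(txt_records.get("spf") or "")
    findings += assess_dmarc(txt_records.get("dmarc") or "")
    return {"grade": "pass" if not findings else "needs work", "findings": findings}


# Constructed sample records for a hypothetical domain; not real DNS data.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net a mx +all",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net mx -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        result = assess_domain(records)
        print(f"{label}: {result['grade']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The weak sample produces four findings (the `+all`, the monitor-only policy, the partial percentage, and the missing report address); the hardened sample produces none. The SPF check deliberately treats a missing `all` as a finding rather than an error, since the record still parses but gives receiving servers no instruction about unlisted senders.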
Determining the level of cyber risk insurance coverage needed
At a high level, Ben explained how cyber risk policies offer varying levels of coverage. First-party coverage pays for the costs of responding to a data breach, including forensics and the cost of getting systems back up and running.
“Most people don’t necessarily appreciate that the policy will negotiate with a bad actor and also pay a ransom, if needed,” explained Ben.
If personally identifiable information was compromised in an attack, first-party coverage also pays for the required notifications and any credit monitoring services for the people affected. Income lost because of the attack is covered as well.
Third-party coverage supplements first-party coverage with the cost of legal services to defend claims made against the organization.
“Third-party coverage is when essentially somebody—a third party—makes a claim against you, or sues you,” said Ben. “This insurance pays for an attorney to defend your company against allegations that your company was involved in somebody else suffering a loss. It could be as simple as an email containing a computer virus that was sent from your company to another company and caused a data breach.”
Preparing with best practices
Even with adequate insurance coverage and IT cybersecurity policies in place, cyberattacks happen.
“It’s horrible if you’ve been attacked and your systems are down,” said Ben. “With a cyber risk policy, you know that help is coming, which provides reassurance.”
“Cyberattacks are ubiquitous, affecting everyone from small businesses all the way up to the largest of organizations and the federal government, even those with good IT practices in place,” added Jennifer. “We encourage our healthcare clients to be as proactive as possible with user training, phishing-simulation software, data backups, and a cybersecurity plan in place.”
To get more insights on cybersecurity insurance and developing a robust cybersecurity plan, watch the full webinar here.