4 points healthcare leaders should consider in their cyberinsurance calculus
Rising premiums and reduced coverage amid growing threats are making a healthcare organization’s decision to acquire cybersecurity insurance a far-from-straightforward proposition.
In spring of 2023, two ransomware groups, Cl0p (also written CLOP, per the U.S. Cybersecurity and Infrastructure Security Agency) and LockBit, attacked 130 organizations in the United States, many of them in healthcare.a Fortunately for healthcare organizations with cyberinsurance, those breaches would generally have been eligible for coverage.
Yet the same may not have been true for organizations attacked by Iranian state-sponsored hacking groups in early May, because those attacks were attributed to a nation-state.b Depending on the organization’s carrier, recent policy changes excluding state-backed attacks would have resulted in denial of coverage in some cases.
This situation highlights challenges healthcare organizations face today with cyberinsurance. The four key points below provide an overview of what’s happening in this arena.
1 Slow adoption of cyberinsurance
Only 55% of businesses carry cyberinsurance, according to an article in Forbes.c Compare that with the 94% of drivers who carry auto insurance.d The relatively small pool of insured organizations means claim payouts consume a larger share of the premiums collected.
Exacerbating the problem, insurers’ payouts have doubled over the past three years, according to the same Forbes article. Put simply, cyberinsurance is not very profitable for insurers.
Industry leaders such as Lloyd’s of London are acting accordingly. In 2022, Lloyd’s instructed the carriers in its market to exclude state-backed cyberattacks from standalone cyberinsurance policies. Premiums had already risen between 25% and 75% that year.e
Whether it’s taking nation-state attacks off the table, requiring customers to take greater security measures or reducing the services they offer after a breach, cyberinsurance companies are finding ways to limit their liability.
2 Domains of cyberinsurance coverage
While the robustness of an offering depends on the insurer, policies generally encompass the following basic domains.
First-party coverage. This covers losses the organization itself incurs from incidents affecting its own systems or data, including:
- Data breach response and notification
- Business interruption
- Ransom payments demanded by attackers (subject to policy terms and to sanctions restrictions on paying certain actors)
- Reputational management in the wake of an attack
Third-party coverage. This protects the policyholder against lawsuits from consumers whose confidential information was stolen in a cyber incident, as well as from other stakeholders who might bring legal claims against the policyholder.
California-based Regal Medical Group, for example, experienced a breach in 2022 in which 3.3 million patients had data exposed. The group is currently facing 11 class action suits as a result of the breach.f
Cyber incident response services. These services provide various forms of professional assistance — including from incident response managers, forensic data analysts and cyber law experts — in the event of a cyberattack.
Cyber risk management services. These include risk assessment tools and programs that provide data security training for employees. Preventive measures of this kind are intended to help hospitals and health systems limit their vulnerabilities and avoid breaches.
3 Cost of cyberattack-related shutdowns
A report by Philips and CyberMDX found that the cost of a cyberattack-related shutdown ranges from $21,500 to $45,700 per hour.g And IBM’s 2022 report found that, for the 12th year in a row, healthcare had the highest average breach cost of any industry, at $10.1 million per breach.h Moreover, healthcare’s average breach cost rose 41.6% from 2020 to 2022.
With cyberinsurance providing less coverage, healthcare organizations may be tempted to simply operate as usual and accept the gap. But they can’t afford to, especially given that midsized hospitals and medical groups are among the most frequent targets and likely face some of the highest per-hour downtime costs.
4 Continuing changes in cyberinsurance
As noted previously, in the face of mounting numbers of data breaches in healthcare, cyberinsurers are both raising costs and reducing coverage. This trend leaves hospitals with the need to assess other options, such as the following.
Make no changes to cyber-defense strategy, staffing or partnerships. For a hospital that lacks cyberinsurance coverage, this is the least responsible path amid growing risks of cyberattacks on healthcare organizations.i Cyberattacks have recently contributed directly to the closure of smaller and midsized hospitals.j No healthcare leader should feel comfortable courting such an existential risk.
Drop cyberinsurance coverage and use the savings to partly fund a reserve to draw on when a breach occurs. With the average cost of a breach in the millions, this form of self-insurance is open only to healthcare organizations with substantial cash on hand.
Find alternatives that reduce reliance on cyberinsurers. One practical alternative is to assess whether some sections of the policy could be removed and managed by the hospital instead. For example, if the hospital or medical group already runs a 24-hour security operations center (SOC), which many cyberinsurance policies require, the SOC may be able to handle forensics in the event of a breach. Adding a rider that removes that responsibility from the cyberinsurer should reduce the premium immediately. It also makes sense in the long run, because SOC staff will generally be far more familiar with the hospital’s systems than an outside responder supplied by the insurer after an attack. Before taking this step, confirm with the carrier that in-house forensic findings will still be accepted in support of claims under the remaining coverage, and that the SOC can produce evidence in a form the carrier and breach counsel can use.
Circumstances demand creative thinking
Protecting healthcare organizations, and their patients, against cyberattacks means staying current on the latest threats and the latest defenses. It also means tailoring those defenses to the hospital’s needs. For example, many organizations rely on AI-based tools to flag abnormal network traffic and potential threats. While this approach can be highly effective, a human should vet those alerts before any automated response blocks traffic or isolates a system, to avoid unnecessary interruptions to clinical operations.
There are many ways to assemble complete coverage. As cyberinsurers narrow their role in addressing healthcare organizations’ risk, these organizations’ leaders will need to tap additional IT and security staff or outside resources to fill the gap.
Changes in cyberinsurance have changed the data protection calculus. Healthcare leaders need to understand not only how cyberinsurance coverage has changed and continues to evolve, but also to what extent they can safely reduce their reliance on it to manage today’s risks.
Footnotes
a. Adams, K., “Healthcare’s recent cybercriminal activity attributed to ransomware gangs Cl0p & LockBit,” MedCity News, May 3, 2023; and CISA, “CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability,” press release, June 7, 2023.
b. Arghire, I., “Microsoft: Iranian APTs exploiting recent PaperCut vulnerability,” SecurityWeek, May 9, 2023.
c. Yeap, Y.P., “New changes are altering cyber insurance that once paradoxically benefitted cybercriminals,” Forbes, April 18, 2023.
d. Sham, J., “Auto insurance statistics and facts,” Bankrate, June 28, 2022.
e. Johansmeyer, T., “The cyber insurance market needs more money,” Harvard Business Review, March 10, 2022.
f. Diaz, N., “11 lawsuits filed against California medical group over ransomware attack that affected 3 million patients,” Becker’s Health IT, March 15, 2023.
g. Mitchell, H., “Cyberattacks can cost hospitals $47K per hour of downtime,” Becker’s Health IT, Aug. 12, 2021.
h. IBM, Cost of a data breach 2022: A million-dollar race to detect and respond, July 2022.
i. Fitch Ratings, “Cyber risk continues to grow for U.S. not-for-profit hospital and health systems (cost pressures could amplify cyber vulnerabilities),” Aug. 29, 2022.
j. Lyngaas, S., “Cyberattack is a factor in Illinois hospital’s closure,” CNN Politics, June 12, 2023.