Changing Cyber Landscape Poses Challenges For Health-Care Market
If you’ve sold a cyber liability insurance policy lately, you know how quickly the market has evolved. Policies that were once inexpensive and universally available are now high-priced and hard to find.
Just a few years ago, we could get bindable quotes fairly easily for an insured, no matter how exposed they were. Believe it or not, the questions on an application were: name of the organization; address; website and revenue. That’s it!
Premiums were low, coverage was broad and policies had generous limits. Needless to say, a lot has changed. Nowhere have those changes been more apparent than in the health-care market, which includes hospitals, nursing homes, doctors’ offices and other medical providers.
A Health-Care Wake-Up Call
Not too long ago, agents couldn’t even get their health-care clients to consider a cyber policy. They just didn’t see the need. But with an increase in data breaches, new threats such as ransomware and several high-profile, health-care-related cyberattacks, the medical community began to take notice. One of the early wake-up calls was a data breach in the UCLA Health System, where 4.5 million patient records were compromised.
Since then, cyberattacks have literally crippled the operations of hospitals and nursing homes, delaying critical care and jeopardizing the safety of patients.
Cyber-protection firm Emsisoft reported, “at least 68 health-care providers in the U.S. were impacted by ransomware in 2021,” including multi-hospital health systems with over 1,200 sites. And Fierce Healthcare noted an all-time high of 45 million people affected by health-care breaches in 2021, up from 34 million in 2020.
Hospitals are prime ransomware targets, according to Healthcare IT News, because they have large amounts of mission-critical data that can be encrypted, the money to pay the ransom and boards that aren’t particularly tech-savvy.
There’s no doubt that health-care facilities possess vital information about their patients, but cyber-risk today extends well beyond privacy. More recently, business interruption has become a top concern for medical providers.
Responding to Ransomware
When ransomware strikes a hospital, it can be life-threatening. Doctors can’t access patient records or look up dosages. Machines can’t dispense medication or provide oxygen.
A good example is CommonSpirit Health, which has 142 hospitals in 21 states and is the second-largest nonprofit health system in the U.S.
In October, it suffered a disabling ransomware attack. As reported by Axios, the attack “delayed surgeries and caused widespread disruptions in patient care.” In addition, millions of patients were left wondering if their personal information had been compromised.
Luckily, hospitals are developing ways to counter these attacks. By creating layers of communication and redundant systems, hospital staff can access alternative infrastructure in the event of a cyberattack. This may include an external, secure cloud platform or a separate network that operates outside of the hospital’s main network.
Not every health-care provider has the resources to invest in these types of protections. Many are vulnerable to attack and haven’t done enough to defend against cybercriminals. This puts them at a disadvantage when it comes to qualifying for cyber insurance.
Required: Basic Cyber Controls
To stem mounting cyber losses, carriers have become very selective in whom they will insure. Applicants won’t be considered for coverage unless they can demonstrate they have some basic cybersecurity controls in place. These include:
- Multifactor authentication (MFA) to log into data management systems, email and applications. Most insurers want to see MFA in place across the enterprise.
- An incident response plan.
- Endpoint detection and response (EDR) solutions, which combine real-time monitoring and analytics of activity on the organization’s endpoints.
- Upgrades and patches to ensure the most recent software and security protections are running on systems and devices.
- Regular backups of data — segregated and offline.
- Employee training to prevent and respond to cyberattacks.
In addition, the renewal cycle of existing policies is forcing relatively less secure enterprises that need coverage to enact continuity and cybersecurity reforms. That increases their costs and affects their ability to make a profit.
While the health-care industry is better prepared for cyberattacks than it was a few years ago, there are still providers who don’t see a compelling need for cyber insurance protection. Agents should do their homework and be ready to make the case for coverage. Any provider that handles electronic medical records should have cyber insurance.
Tips for Agents
Following are a few suggestions for agents and brokers selling in this market.
Provide cyber-risk assessment tools. Cyber-risk assessments are conducted by independent firms or made available through a carrier or wholesale broker. An assessment can identify security vulnerabilities and suggest ways to reduce exposure, so your client has a better chance of getting insured.
Partner with a wholesaler that specializes in cyber. Cyber liability is a nonstandard coverage that varies from carrier to carrier. If you’re unfamiliar with this market, partnering with a wholesaler with experience in cyber insurance may be the best way to meet your client’s needs.
Make sure the right people are filling out cyber applications. Cyber apps have become extremely technical. Have someone with cybersecurity knowledge fill them out correctly.
Understand that coverage is only part of the equation. Make sure the carrier has proven claims-handling ability. Cyber liability lawsuits are expensive to defend.
Ask what the carrier will do to help your client mitigate risks and respond to incidents. What services or products can they provide your clients to help them reduce their cyber exposures, making them better insureds?
It’s not clear what the next big cyber risk will be for health-care providers. With the industry increasingly dependent on digital communication — think telemedicine — odds are high cybercriminals will devise new ways of attacking critical systems and networks.
Agents can help their health-care clients steer clear of danger by apprising them of the latest risks and working with them to secure needed cyber-liability protection.