Health data breaches, including ransomware attacks, continue to rise. As a result, healthcare organizations seeking cyber insurance to offset the costs of a ransomware attack or other data incident may find that carriers have increased premiums, reduced coverage, and tightened underwriting requirements. Leaders of healthcare organizations should understand that implementing reasonable administrative, technical, and physical safeguards to protect the organization’s information and operational systems is not only required by laws such as HIPAA, but is increasingly a precondition for obtaining cyber coverage.
A recent report from Sophos, a technology security company, confirms this new reality. Sophos reported that one of the reasons for the growing demand for cyber insurance by healthcare organizations is the rampant growth of ransomware (Sophos Report). According to the Sophos report, ransomware has resulted in more payouts and less profit for insurers, making cyber insurance coverage difficult and expensive to obtain, and even driving some insurers out of the market.
Healthcare organizations interviewed by Sophos responded that:
- 66% experienced a ransomware attack in 2021;
- 78% have cyber insurance;
- 93% of respondents with cyber insurance had difficulty renewing policies; and
- 45% of respondents with cyber insurance said the policies were incredibly complex.
Despite the complexity of the policies, the Sophos report outlines the benefits of having this insurance in place. In 97% of cases the insurer paid out on the organization’s largest attack, in 47% of cases it paid the ransom, and many insurers are covering substantial cleanup costs to return the healthcare organization to normal operations.
To be eligible for cyber insurance in today’s market, organizations must increasingly demonstrate that they have information security measures in place. Notably, 97% of healthcare organizations responding to the Sophos survey indicated that they had changed their cyber defenses to improve their position for obtaining cyber insurance, for example by intensifying staff training and education and/or implementing new technologies and services.
As summarized in the Sophos report, other steps can help healthcare organizations prepare for attacks and obtain cyber coverage:
- Ensure high-quality defenses are in place and periodically review and update security controls;
- Implement tools to proactively search for threats in the organization’s information systems and hire managed detection and response experts to provide outsourced monitoring and response assistance;
- Review the organization’s environment to ensure all known security vulnerabilities are closed, and use a broad detection and response platform to collect and monitor threat data across the organization;
- Have an incident response plan in place and practice it to be ready in the event of a cyberattack; and
- Maintain backups of critical organization data offline and practice restoring backups to ensure minimal disruption in the event of an attack.
Recent serious attacks demonstrate the urgency of this issue. Yuma Regional Medical Center in Arizona recently disclosed one of the largest ransomware attacks of the second quarter of this year. According to its notification to potential victims, Social Security numbers and other personal data were stolen. However, the facility’s services continued largely uninterrupted, thanks to backups and other emergency procedures. Yuma’s experience shows why healthcare organizations should invest in administrative, physical, and technical safeguards to protect their information systems. Doing so better positions them to obtain insurance coverage while reducing risk to the organization and helping them meet their regulatory obligations.