Over the past decade, cybersecurity breaches in health care have become more pervasive and costly, and the nature of the attacks have changed. And while cyber insurance could be a way to protect organizations from these costly threats, there’s much to consider about this coverage.
At one time cyberattacks were external, penetrating IT firewalls and stealing information. Today hackers are now more advanced, disguising ransomware attacks that are activated from the inside by an employee accidently opening the wrong email or clicking on the wrong link, often referred to as a phishing attack.
Many health care organizations struggle to defend against such phishing attacks, since nearly any employee with an email address can be a potential fraud vector. In 2020, the proportion of attacks at health care entities perpetuated by phishing increased to 69% of total attacks, a dramatic increase from 12% in 2014, according to the U.S. Department of Health and Human Services.
Much of this threat growth comes as health care providers embrace the pandemic-era realities of virtual care and remote work, digital advances that provide improved outreach to patients, but can also expose organizational cyber vulnerabilities. And these attacks can cost organizations significantly. In 2020, a health care data breach cost $7.13 million on average, surpassing the average cost of breaches in 17 other leading industries worldwide.
Insurance helps, but know your policy
To help mitigate the financial impact of cyberattacks, many organizations can purchase cyber liability insurance. These policies can cover expenses related to a patient data breach at a doctor’s office, for example, and cover expenses related to data security fixes, data breach notifications, cyber extortion demands and public relations.
Small businesses can benefit from cyber liability insurance and protection from cyber threats just as much as large businesses. While much of the news you hear about cyberattacks and data breaches most likely involves security lapses at large corporations, the reality is that small businesses are just as at risk, if not more vulnerable.
According to Advisor Smith’s small business survey, 42% of small businesses experienced a cyberattack in 2021, and 69% of small businesses were concerned about being attacked in the next 12 months.
As cyberattacks have increased, so has the cost of insurance premiums. The average cost of cyber insurance has risen by 80% since 2020. Insurers are becoming stricter with their policy requirements, and it’s important for an organization to understand what is in a policy and what protocols are being implemented to meet these guidelines.
As a result of policy options and complexity, many health care providers may not clearly understand what is or is not covered by their current policy. Organizations may work hard to comply with underwriting requirements and pay the premiums only to discover, often after a breach has occurred, that their policy does not cover the cyber incident due to policy exclusions related to property type or attack occurrence. Restriction of coverage can be prevented with strong controls, including multifactor authentication, endpoint detection and proper backups, but organizations must be mindful of these fortifying measures that complement policy coverage.
The takeaway
As more service delivery options become available in the health care industry, organizations need to continue strengthening their day-to-day cybersecurity protocols.
In addition, an assessment of current cyber insurance and a full understanding of coverage is essential. Organizations cannot afford to be hacked or lose patient trust.
A culture of cybersecurity, where staff members view themselves as defenders of patients and their data, will have a tremendous impact in mitigating cyber risk to the organization and to patients.
For more on this topic, download RSM’s cybersecurity special report.
Contributor: Paul Fountain, SPR ePHI National Health Care Director, RSM US LLP
