Cyber insurance is becoming increasingly important and necessary as cyber attacks become more sophisticated and frequent. Healthcare is one of the most targeted industries because of the valuable medical data it handles and its often inadequate cybersecurity protections. Although cyber insurance doesn’t prevent security breaches, it provides a safety net that covers a business’s financial losses.
Because the healthcare industry has increased risks of losing sensitive data or experiencing security breaches, many cyber insurance service providers are charging large premiums or outright denying institutions coverage if they have poor cybersecurity practices.
In order to lower cyber insurance costs, healthcare institutions need to begin prioritizing their cybersecurity, especially in accordance with HIPAA-compliance standards. Though insurance premiums can be costly, they are still far less costly than the potential damages and fallout from a data breach. This article focuses on what healthcare organizations can do to cut their monthly premiums, lower their overall costs, and improve their cybersecurity defenses.
Why Cyber Insurance is Important for Healthcare Institutions
An IBM data breach report found that the average cost of a data breach in the healthcare industry was about $10.1 million, more than double the global average of $4.35 million and the highest of any industry. Given this level of exposure and the many other risks the industry faces, cyber liability insurance is a must.
Since the Office for Civil Rights (OCR) fines healthcare businesses that fail to implement proper data security policies, it is worth noting that in 2022 it took an average of 207 days to identify a data breach and 70 days on average to contain it.
The most common reasons why healthcare organizations are targeted include the following:
- Large amounts of sensitive information - Healthcare institutions handle large amounts of protected health information (PHI), personally identifiable information (PII), and other sensitive medical records that make them attractive targets for cybercriminals. The value of the data also allows cybercriminals to demand higher ransoms after a ransomware attack.
- Use of legacy systems and technology - Many hospitals are still transitioning from outdated systems and legacy hardware and software. The transition process can make a healthcare center vulnerable to cyber attacks since the totality of the data is not yet stored or processed securely. The use of outdated hardware or software is also a risk factor because they tend to have vulnerabilities that cybercriminals can exploit to gain unauthorized access to personal data.
- Multiple departments - A complex organizational structure can lead to communication and security challenges. Many hospitals are segmented by department or location, each with its own security policies, which can expose security weaknesses that threaten the safety of private data throughout the health center.
- Outsourcing to third parties - Healthcare organizations often contract third-party providers for specific services. Working with third-party service providers introduces new risks if they are not up to par with their cybersecurity practices, especially if they are allowed access to critical data.
Biggest Threats to the Healthcare Industry
Cyber threats can span multiple industries, but here are the biggest threats to healthcare:
- Compromised credentials
- Phishing or social engineering scams
- Ransomware attacks
- Software misconfiguration and system errors
- Use of old, outdated technology
- Employee error leading to a data leak
- Distributed denial-of-service (DDoS) attacks
- Unsecured IoT medical devices
What Does Cyber Insurance Cover?
Cyber insurance companies cover damages or losses from the following incidents:
- Cyber forensic analysis and investigation costs
- Cyber theft or extortion
- Data breaches and leaks
- Data recovery costs, whether successful or not
- Distributed denial-of-service (DDoS) attacks
- Hardware and software replacement
- Lawsuits and other legal fees
- Loss of data caused by network outages
- Phishing and ransomware attacks
- Public relations (PR) costs
- Social engineering scams
However, insurance companies will NOT cover financial losses from prior cyber incidents, cases of human error or negligence, or non-security related issues, including the following:
- Known unresolved vulnerabilities
- Technology or software upgrades
- Third-party security breaches
- Insider attacks or other criminal activity
- Cyber risk management program costs
- Physical property or device damages
- Phishing and ransomware attacks as a result of faulty employee actions
12 Ways to Reduce Cyber Insurance Premiums
Cyber insurance premiums for businesses can range from several hundred to several thousand dollars per $1 million of coverage. In 2021, the average annual premium was about $1,600 for businesses. The actual figure depends on the overall risk level, which is based on the industry, business type, business size, the cybersecurity measures in place, and any previous incidents.
Additionally, premiums are expected to rise sharply due to the increasing frequency and severity of attacks. Because healthcare is so heavily targeted, insurers consider hospitals and other healthcare facilities high-risk organizations.
The following cybersecurity best practices can help healthcare organizations reduce perceived risk and thus lower their cyber insurance premium payments.
1. Comply with the Insurer’s Assessment Process
Most cyber insurance providers will ask their clients to take part in an assessment so they can determine the level of risk involved. Complying fully with these requests and disclosing everything asked for works in the applicant’s favor.
Insurers will conduct risk audits and determine an overall risk profile using security questionnaires, risk exposure levels, and factor-based calculation models. They will appreciate evidence of strong security measures that are well-maintained and updated regularly.
Insurance firms understand the cybersecurity threat landscape and can advise institutions on how best to reduce their risks. The risk assessment is not just a point-in-time evaluation; it also gives organizations a clearer picture of what they can improve to lower their costs.
2. Implement a Cybersecurity Framework
Implementing cybersecurity frameworks can help optimize business processes to improve information security practices. Documentation of framework compliance can help insurers see intent to improve cybersecurity and can lower the organization’s risk profile.
HIPAA is the primary framework for healthcare organizations, but other frameworks and compliance standards can also be incorporated in tandem with HIPAA. Failure to comply with HIPAA can also result in penalties for the organization and denial of coverage from the insurance provider.
One benefit of a cybersecurity framework is that it provides a set of standards against which to measure security and to demonstrate that an organization and its third parties meet the insurer’s minimum security requirements. A framework also serves as a checklist for healthcare institutions implementing better security practices, and it can be tailored to the organization’s needs.
3. Get Expert Help / Hire Dedicated Teams / Use Dedicated Tools and Solutions
Achieving regulatory compliance is hard for a firm to do alone. Advice from IT professionals trained in cybersecurity can get a business on track more quickly.
Since healthcare often has to contend with a number of security issues, it can be worth hiring a dedicated IT team to develop or improve the IT infrastructure. Additionally, hiring an IT director or a CISO to lead the cybersecurity program can help healthcare entities improve their practices.
On top of expert advice and dedicated IT teams, organizations can use SaaS security solutions: an attack surface management (ASM) tool provides continuous security monitoring, immediate threat detection, and risk management workflows, while a third-party risk management service (TPRMS) helps monitor and secure third-party vendors.
These tools and solutions can help health organizations save time, money, and resources by automating various processes and outsourcing much of the legwork they would have had to do otherwise.
4. Address Vendor Risk
Vendor risk management (VRM) plays a significant role in reducing cyber insurance premiums because no matter how strong an organization’s internal cybersecurity is, poorly secured third parties can still compromise an entire system. Third parties must meet minimum information security requirements set by the healthcare entity to minimize the entity’s risk.
Effective VRM processes will enable a healthcare organization to assess and secure its third-party attack surfaces properly and ensure they are HIPAA-compliant. Vendor risk management tools like UpGuard VendorRisk can help organizations discover and address potential risks, monitor vendor security postures, and determine remediation workflows.
5. Maintain Updated Software
When a healthcare institution uses legacy hardware and software, it puts personal data at risk. Cybercriminals can easily exploit unpatched vulnerabilities in old, outdated technology. Keeping all technology up to date is essential to maintaining adequate protection against major cyber threats.
Software developers constantly create and release fixes to patch known vulnerabilities and security risks. Not completing these security updates means missing out on patches that could be essential to data protection and network security.
6. Maintain Data Backups
Since cyber insurers tend to cover data recovery costs and loss of data caused by network outages, a business’s investment in robust data backup systems can reduce its premiums. The goal of maintaining backups is that even if data is compromised, it can be restored so the business keeps operating.
A common strategy that many businesses use is the 3-2-1 backup method: three separate copies of the data, on two different storage types or devices, with one copy kept completely offline.
7. Perform Regular Penetration Testing & System Audits
Healthcare organizations can reduce cyber insurance premiums by demonstrating to underwriters that they regularly test their networks to identify major risks and vulnerabilities. This includes reviewing program policies to see if they still apply to the current threat landscape, evaluating new vendors and services procured during the year, and testing security defenses to ensure they can protect against the newest threats.
Penetration testing is an authorized, simulated attack on IT systems. It aims to mimic the same techniques a cybercriminal would use to see the effectiveness of an organization’s security controls as part of a broader cybersecurity strategy.
8. Provide Cybersecurity Training for Staff
Human error is responsible for more than 80% of data breaches. Cybersecurity training can significantly lower the risk of human error and demonstrates to cyber insurance providers a strong commitment to data security.
Recognizing potential threats is the best defense against a potential breach. Training and education should include topics such as:
- Recognizing social engineering, phishing, and ransomware attempts
- The importance of multi-factor authentication (MFA)
- Creating strong, reliable passwords
- Physical device security
- Accessing data from safe, secure Wi-Fi networks
- HIPAA-compliance standards
9. Have Documented Incident Response Plans
Incident response plans outline procedures and responsibilities in the case of a security incident. Organizations with comprehensive cyber incident response plans incurred roughly $2.66 million less in damages and costs than those without incident response plans or teams in place.
It is in cyber insurance policyholders’ interest to have a documented incident response plan to show their insurance provider how prepared they are for a cyber attack or data breach. Like other organizations, healthcare businesses must also test their plans regularly to ensure they keep up with changing structures, procedures, technologies, and responsibilities.
10. Implement Access Control Policies
Implementing access control is a strategic approach to protecting data from unauthorized access. For example, zero trust architecture (ZTA) achieves this by treating all parties as untrusted and fully restricting access to data until the requesting party has verified its identity, whether through authentication processes or biometric verification.
Access control policies can also apply the principle of least privilege, which restricts access to data to only the parties that need it to complete a specific job. After the job is over, access privileges are revoked. In practice, this means the healthcare entity needs some form of role-based access control, which assigns specific roles to individuals.
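The following is an added illustration of the least-privilege and role-based access control idea described above; it is not code from the original article. It assumes a hypothetical, constructed role map (physician, billing clerk, IT support) and uses integer Unix timestamps so that every grant is time-bound and access is denied by default once the job window closes.

```python
from dataclasses import dataclass, field

# Constructed role map (hypothetical): each role carries only the
# operations that job needs, which is the least-privilege part.
ROLE_PERMISSIONS = {
    "attending_physician": {"phi:read", "phi:write"},
    "billing_clerk": {"phi:read_demographics", "billing:read"},
    "it_support": {"system:patch"},
}


@dataclass
class Grant:
    user: str
    role: str
    expires_at: int  # Unix time at which the job, and the grant, end


@dataclass
class AccessPolicy:
    grants: list = field(default_factory=list)
    denials: list = field(default_factory=list)  # audit trail for detection

    def grant(self, user, role, now, duration_s):
        # Grants are always bounded by the expected length of the job.
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.grants.append(Grant(user, role, now + duration_s))

    def revoke(self, user, role):
        # Explicit revocation when the job finishes early.
        self.grants = [g for g in self.grants if (g.user, g.role) != (user, role)]

    def prune_expired(self, now):
        # Time-based revocation: drop grants whose window has closed.
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)

    def is_allowed(self, user, permission, now):
        # Default deny: only a live, unexpired grant whose role includes the
        # permission opens access; every other request is logged and refused.
        for g in self.grants:
            if g.user == user and g.expires_at > now and permission in ROLE_PERMISSIONS[g.role]:
                return True
        self.denials.append((now, user, permission))
        return False


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed start of a 12-hour shift
    policy = AccessPolicy()
    policy.grant("dr_lee", "attending_physician", t0, 12 * 3600)
    print(policy.is_allowed("dr_lee", "phi:write", t0 + 3600))        # True
    print(policy.is_allowed("dr_lee", "phi:write", t0 + 13 * 3600))   # False
```

The denials list is the part an insurer or auditor would want to see feeding a monitoring pipeline, since repeated refusals for one account are an early signal of misuse.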
11. Implement Endpoint Protection
An endpoint protection tool can help prevent file-based malware and assists with the detection, diagnosis, and remediation of risks in endpoint devices. Endpoint devices, such as laptops, cell phones, and tablets, increase a network’s attack surface, and endpoint security aims to ensure that these connected devices comply with specified standards.
This security comprises cutting-edge antivirus software, threat detection, data leak protection, and device management, among other tools that reduce security risks on a network and may convince cyber insurance providers to lower their premiums.
12. Secure Physical Devices
While improving cybersecurity largely focuses on networks and IT systems, healthcare organizations should remember that it also extends to physical security measures that prevent device theft or loss. Stolen or lost devices pose a significant breach risk if they fall into the wrong hands.
Physical measures include CCTV, locks, security guards, protective barriers, and, most importantly, device policies. Healthcare institutions need to mandate network access rules, device checkout policies, VPN use, and password protection. Other security measures that health organizations should consider are device encryption and MFA to enhance physical security.