The healthcare industry has become a prime target for cyberattacks, with threat actors exploiting the sector’s intricate systems and high-value data. In 2023 alone, the healthcare industry suffered around 133 million data breaches, a stark reminder of the challenges healthcare organizations face in safeguarding patient information. As the frequency and severity of these breaches escalate, the importance of cybersecurity and its counterpart—cyber insurance—has come to the forefront of industry discussions.
In this article, we explore the role of cyber insurance in healthcare, its evolving requirements, and the increasing regulatory pressures that healthcare organizations must navigate to secure both their systems and insurance policies. We also delve into the insights shared by Christopher Henderson, Senior Director of Threat Operations at Huntress, a leading cybersecurity company, who provides a closer look at how cyber insurance is reshaping the healthcare sector.
Cyber Insurance and Healthcare: A Complex Relationship
Cyber insurance, unlike traditional forms of insurance, operates in a dynamic and rapidly changing landscape. According to Christopher Henderson, the stakes are much higher for cyber insurers due to the ever-evolving nature of cyber threats. In traditional insurance, such as home or auto insurance, the risk is relatively static—fires don’t adapt and learn new ways to spread, but cyber adversaries do.
“Cyber insurance is unique compared to any other kind of insurance,” says Henderson. “Fires aren’t actively trying to find better ways to burn your house down. In cyber insurance, you’re working against an adversary capable of developing and pivoting faster than a policy might expire.”
This dynamic risk environment creates a difficult challenge for cyber insurers, who must continually adapt their risk models to keep pace with the latest threat intelligence. They rely heavily on insights from past breaches, incident response teams, and both open-source and closed-source intelligence. For healthcare organizations, this means the requirements to qualify for cyber insurance are constantly evolving, necessitating continuous updates to security protocols and procedures.
The Growing List of Requirements for Cyber Insurance in Healthcare
As cyber threats become more sophisticated, so too do the demands placed on healthcare organizations seeking cyber insurance coverage. Insurers are increasingly focused on ensuring that healthcare providers have robust cybersecurity measures in place, especially around critical areas like identity verification and strong authentication practices.
One of the most prominent tools being emphasized by insurers is multi-factor authentication (MFA). This added layer of security helps prevent unauthorized access, even if a password is compromised. Additionally, insurers are looking for strong internal procedures, such as those governing IT help desks. These procedures ensure that staff can verify the identity of anyone requesting sensitive actions, such as password resets or the setup of MFA.
“Cyber insurers are looking to ensure that your IT help desk has written procedures or policies to dictate that the person calling to reset a password, set up MFA, and so on, is who they say they are,” Henderson explains. This focus on social engineering defenses stems from a growing trend of attackers exploiting help desks as an entry point to gain administrative credentials, often through sophisticated social engineering tactics.
As these risks evolve, so too do the expectations from insurers. Some now require healthcare organizations to provide external proof of their security measures, such as vulnerability scans, as part of the underwriting process. Looking ahead, Henderson anticipates even more stringent requirements, including third-party audits or shorter policy terms that align more closely with the rapid evolution of cyber threats.
“Today, some are requiring external proof, perhaps a vulnerability scan for their own assessment during the underwriting process. We may start to see insurers eventually requiring third-party audits before securing a policy,” Henderson adds. “I could also see cyber insurance underwriting moving to a maximum six-month or even quarterly policy to keep up with the pace of risk modeling and the speed of threat evolution.”
The Regulatory Landscape: Balancing Consolidation and Compliance
Healthcare organizations are not only facing heightened demands from insurers but also increasing regulatory pressures to safeguard patient data. As the industry consolidates—through mergers and acquisitions, for instance—so does the risk. Larger organizations with complex systems present a more tempting target for cybercriminals, and regulators are keen to ensure that these organizations are adhering to stringent data protection standards.
“As healthcare consolidates, risk consolidates,” Henderson notes. “Regulatory pressure is going to build around acquisition speed and the diligence of post-acquisition governance and security.”
One of the unique challenges facing healthcare providers is that their primary focus is, understandably, on patient care. With doctors, nurses, and administrative staff dedicated to saving lives, cybersecurity often takes a back seat, creating vulnerabilities that cybercriminals can exploit.
“I think we need to realize that doctors and nurses are running around literally saving lives,” says Henderson. “This really isn’t a population that has the luxury of taking time to pay more attention to cybersecurity.”
Nevertheless, healthcare organizations must prioritize building platforms and hiring personnel dedicated to strengthening their defenses. Failure to do so will only lead to further breaches and rising cyber insurance premiums, as insurers adjust their models to reflect the increased risks.
The Rising Cost of Cyber Insurance: A Necessary Investment
Given the high value of healthcare data and the significant risks posed by cyberattacks, it’s no surprise that cyber insurance premiums are rising across the industry. According to Henderson, the average cost of a healthcare data breach in 2023 was around $10.9 million. These breaches often stem from creative tactics, such as phishing or the misuse of legitimate tools like remote monitoring and management software.
With such staggering costs, healthcare organizations are left with little choice but to invest in cyber insurance. However, as Henderson points out, cyber insurance alone cannot negate the damage caused by a breach. Instead, it serves as a vital safety net, providing essential services such as incident response teams, legal counsel, and even ransomware negotiation.
“Cyber insurance won’t negate the damages done when an attack occurs, but it can supply things like an incident response provider, legal counsel, or even ransomware negotiation,” Henderson explains.
The bottom line is that healthcare organizations must treat cyber insurance as a necessary part of their risk management strategy. However, securing a policy is only the first step. Organizations must also take proactive measures to assess their risk levels, implement strong security controls, and ensure compliance with evolving regulations. By doing so, they can better protect themselves from both cyber threats and the financial fallout of a breach.
Looking Ahead: Preparing for the Future of Cyber Insurance in Healthcare
As cyber threats continue to evolve, so too must the strategies employed by both healthcare organizations and cyber insurers. With the frequency and sophistication of attacks showing no signs of slowing, it’s likely that we will see even more stringent requirements and rising premiums in the coming years.
Healthcare organizations must stay ahead of the curve by investing in robust cybersecurity measures, educating their staff about the importance of data protection, and working closely with insurers to ensure they meet the necessary requirements. Only by doing so can they hope to secure not just cyber insurance coverage, but also the trust of their patients and stakeholders in an increasingly threatened digital landscape.
In this rapidly changing environment, the importance of cyber insurance cannot be overstated—but neither can the need for healthcare organizations to take responsibility for their own cybersecurity posture. As Henderson aptly puts it, “Cyber insurance is absolutely necessary, but healthcare organizations must do what they can to get ahead of the process.”
In summary, the healthcare sector is at a critical juncture in its battle against cyber threats. While cyber insurance offers valuable protection, it is not a silver bullet. Healthcare providers must take a proactive approach to cybersecurity, investing in the tools, personnel, and processes necessary to safeguard patient data in the face of a constantly evolving threat landscape.