Cyberattacks are dangerous for any organization. Health care organizations can be particularly vulnerable, however, because breaches often reveal sensitive patient information and may result in fines, loss of reputation, and lost revenue, and in some cases can affect patient care.
By Vikas Khosla, Chief Digital Health Officer of Intraprise Health
According to the Government Accountability Office (GAO), the number and severity of cybersecurity attacks continue to increase, as has the cost of recovering from them. According to the HIPAA August 2021 Healthcare Data Breach Report, while the number of breaches in August 2021 was lower than the number reported in July 2021, 5,120,289 health care records were breached, “which is well above the 12-month average of 3.94 million breached records in a month.”
Ransomware was responsible for several of the August breaches, the report says, including attacks on the University Medical Center Southern Nevada and the St. Joseph’s/Candler Health System; those breaches resulted in a combined 2.7 million patients being affected. Class action lawsuits have already been filed on behalf of those patients.
The breaches are also costly. IBM Security’s Cost of a Data Breach Report 2021 reports that between 2020 and 2021, the average cost of a data breach increased from $3.86 million to $4.24 million, the largest single-year increase in the last seven years. The report notes that remote working and the digital transformation driven by the COVID-19 pandemic contributed to the increase.
To protect themselves against such attacks, businesses are increasingly securing cyber insurance. The number of businesses that purchased cyber insurance increased 60 percent from 2016 to 2020.
Cyber insurance protects your organization against losses related to cyber-risks, such as data theft/loss, business interruption caused by a computer malfunction or virus, and fines or lost income because of system downtime, network intrusion, and/or information security breaches.
Cyber insurance can include first-party coverage for the health care organization itself: losses from data breaches in which patient information is stolen, losses incurred when your computer systems are hacked, ransom payments, and professional assistance if your network, data, or website is under threat.
Third-party coverage can include legal costs if your organization is found liable for a data breach or cyber-attack. It covers defense and settlement costs if you failed to secure your systems and your patients or customers suffered damages, and it can also protect against digital media claims such as copyright infringement and violation of privacy. But this type of coverage comes at a price, and that price can be quite steep if your security program isn’t comprehensive and holistic.
According to Intraprise Health’s Chief Operating Officer, Neal Pason, “Based upon what our clients have told us, the total cost to address a single breach can be in the millions of dollars. Many of our clients have either obtained or plan to get a cyber insurance policy.”
Industry specialists say that while cyber insurance is relatively new, they have noticed a trend: as the number of cyberattacks against health care organizations increases, so too do cyber insurance premiums. In some cases, insurance providers will refuse to cover certain organizations, considering them too much of a risk. Commercial property-casualty insurance prices in the U.S. rose an average of 14% in the third quarter, driven by a 96% average price increase for cyber coverage, according to commercial insurance broker Marsh’s latest Global Insurance Market Index. The 96% jump for cyber insurance coverage is 40 percentage points higher than in Q2 and the highest average increase since 2015. Prices rose even higher in some months, with a 112% increase in August.
So how can a health care organization position itself to enjoy comprehensive cyber insurance coverage at a better premium? One way is to ensure it has a rigorous, comprehensive security program that is based on industry-accepted standards such as a cybersecurity framework. The coverage is even stronger if it covers its third-party vendors or those individuals or organizations that provide contract services to the health care organization. A framework serves as a system of standards, guidelines, and best practices to manage risks that can arise in health care. A cybersecurity framework prioritizes a flexible, repeatable, and cost-effective approach to promote the protection and resilience of your business.
A cybersecurity framework both protects your organization and helps it grow. Using a framework to align controls such as local, offline, and cloud backups improves resilience against attacks and reduces dependence on any single piece of hardware. The NIST Cybersecurity Framework and the HITRUST CSF are the two leading frameworks used in health care.
“Insurers are in the business of mitigating risk,” Intraprise Health COO Pason says. “So they take a number of factors into consideration when evaluating a health care organization’s security. If they don’t have confidence the organization’s security is sound and uses best practices, they could decide not to insure the organization or to charge higher rates than they would charge a company with a comprehensive security program.”
About the Author
Vikas Khosla is the Chief Digital Health Officer of Intraprise Health. Vikas works with the leadership team and partners to develop strategies and market differentiation for the advancement of security risk management programs across the health care industry.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.