Patient confidentiality means everything in the healthcare industry. When patients seek out services, they expect organizations to safely collect, transmit, and store their sensitive information. However, the healthcare industry has become a primary target for cybercriminals.
In 2024, the average cost of a data breach in the U.S. topped $4.88 million, a 10% uptick over the previous year. This can be attributed to the rise of electronic health records and the digital collection, storage, and transmission of sensitive data. Paired with how quickly data thieves can adapt their tools and tactics, it’s easy to see why healthcare organizations have become so vulnerable.
At this point, it’s not a matter of ‘if’ an attack will happen, but ‘when.’ To protect themselves against the risks that come with cyber attacks, many healthcare organizations have started purchasing cyber insurance policies. But is cyber insurance actually worth the cost? Should you consider adding a policy?
Here’s what you need to know.
What Is Cyber Insurance?
Cyber insurance protects medical practices and other healthcare organizations when their sensitive information is compromised. A good cyber insurance policy should provide liability coverage related to:
- Data breach lawsuits
- Business interruption and recovery expenses
- Regulatory fines and penalties
Similar to car insurance, cyber insurance policies offer two different types of coverage, which can be purchased together or separately.
- First-party cyber liability insurance: Also referred to as data breach insurance, these policies help your business respond to data breaches that occur on your own network or systems. Organizations can use first-party insurance to pay for notifying clients about the breach, along with other expenses like fines, data security fixes, cyber extortion demands, and more. First-party coverage can often be added to your general liability policy or business owner’s policy.
- Third-party cyber liability insurance: This type of insurance helps protect your business against lawsuits caused by data breaches on a client’s network or systems. Third-party cyber liability coverage can help pay for court costs, settlements, and attorney’s fees.
First-party cyber liability insurance covers your own business’s losses from a cyber incident, while third-party cyber liability insurance covers your business’s liability for losses suffered by others due to a cyber incident on their systems. ISG recommends having both types of insurance to protect your business from data breaches that may happen outside of your organization.
Why Healthcare Organizations Need Cyber Insurance
As healthcare becomes more reliant on modern technologies, like telemedicine applications and internet-accessible medical devices, digital attackers have gained more opportunities to steal PHI. Even a minor data breach can have a devastating impact on an organization — with legal ramifications, damaged reputation, and massive financial losses all possible.
While it doesn’t prevent attacks from happening, cyber insurance can help mitigate the costs of data breaches. For example, a hospital’s computer system was the target of a ransomware attack that effectively shut down the entire facility. Even though the attacker only sought $500, the attack still resulted in hours of downtime and required the staff to resort to pen-and-paper chart monitoring. Fortunately, the hospital had cyber insurance, and the insurance provider paid out more than $700,000 for forensics, data recovery, business interruption, and crisis management costs.
Because it provides financial protection against a wide range of potential expenses, including legal fees, penalties for HIPAA violations, and costs associated with Incident Response services, all healthcare organizations should invest in a cyber insurance policy to mitigate risk.
The Risks of Not Having Cyber Insurance
It’s always difficult to determine if the potential risks justify investing in insurance. So, let’s break down several of the largest risk factors and how much they can cost an organization.
Unpredicted Financial Costs
Responding to a cyber event can become quite costly for healthcare organizations. First-party expenses, or direct costs, often include hiring additional legal counsel, forensic investigators, and victim remediators. Some organizations may have to pay out of pocket for critical tasks like implementing new security measures as part of their incident response plan, restoring encrypted or lost data, or investing in more efficient remediation tools. While more complex situations can cost millions of dollars, even simple investigations can cost tens of thousands of dollars. The average cost of a cyber claim for healthcare organizations is around $358,000.
Damaged Reputation
No matter what industry you’re in, the damage of a security breach can impact both customers and employees alike. However, for healthcare organizations, the stakes are higher, and patients are less forgiving of data breaches that result in their personal information being stolen. A Forbes survey revealed that 46% of organizations had suffered damage to their reputations and brand value as a result of a breach.
Interrupted Services
Any disruption to essential technology can significantly impact a healthcare provider’s ability to support its patients. The average cost of downtime for small businesses in 2023 ranged between $137 and $427 per minute. For healthcare in particular, even slight delays in treatments can result in diminished patient care and increased patient turnover.
Increased Risk of Cyber Attack
Financial theft can occur without ransomware and data breaches. Without an insurance policy’s safeguards keeping your organization secure, your team might become increasingly vulnerable. Attackers can trick employees within an organization by altering payment instructions, causing the organization to lose a significant amount of money almost instantly. Criminals can also steal access to email accounts and send fraudulent invoices to patients and customers. Human error is responsible for a shocking 74% of data breaches — and your organization could be on the line for the consequences.
How Is The Cost of Coverage Calculated?
It’s evident that healthcare organizations need cyber insurance, but often the determining factor in whether or not to invest is cost. So how much does cyber insurance actually cost?
The answer is, it depends.
Insurance costs for healthcare organizations are based on several factors, including:
- Amount of PHI handled
- Healthcare services offered, such as cardiology or oncology
- Medical equipment and other business property
- Company revenue
- Location
- Number of employees
If it feels like cyber insurance coverage is getting more expensive, you’re not wrong. Inflation, increased demand, and the frequency of cyber attacks have caused insurers to raise the price of coverage.
Does My Organization Qualify for Cyber Insurance?
Unfortunately, with the increase in cyber attacks, organizations now have a harder time qualifying for cyber insurance. The application process itself now involves filling out 10 or more pages that often require input from numerous personnel across various teams.
Although the process for applying for cyber insurance is constantly evolving and becoming increasingly complex, following these steps can help set your organization up for the highest chance of success:
- Meet with Insurance Brokers: Research cyber insurance brokers and set up a meeting to ask about security requirements for their policies. Make sure to get a written list of their policies to do more research later. Try speaking with several different brokers to gain a better idea of the types of coverage offered.
- Conduct a Risk Assessment: Use the ONC Security Risk Assessment tool to evaluate your organization against the HIPAA Security Rule. You can also pay to have a third party complete this step for you.
- Analyze the Assessment Results: The risk assessment should show key areas for improvement. Your qualified broker should then be able to help you identify additional gaps and discuss solutions.
- Consider First- and Third-Party Coverage: As noted above, most healthcare organizations only need first-party coverage. However, for maximum protection, consider adding third-party coverage as well.
The Rise of Cyber Insurance Denial
Just as car insurance companies can deny coverage if you have a history of reckless driving, cyber insurance companies can do the same.
Companies with weak cyber security policies in place can expect to pay more — or be denied coverage — if the insurer deems the organization too big a liability. Some factors that can lead to cyber insurance denial include not being HIPAA compliant or lacking multi-factor authentication and endpoint detection procedures. Improving internal protocols will lessen your chances of being denied coverage.
It’s important to note that even if you have coverage, cyber insurance companies may still deny your claims. A 2023 report revealed that 44% of cyber insurance claims are denied because the organizations didn’t meet their insurance provider’s security requirements. And, as a warning, lying on your application or on a claim can result in a lawsuit.
Qualify for the Best Coverage Possible
Cyber insurance helps protect healthcare organizations from the ever-growing cost of a data breach. The right cyber insurance policy will either partially or entirely pay for the costs of data breaches, ransomware and phishing attacks, and other acts of cybercrime.
To ensure your organization obtains the best policy at the best price, take action now to assess your security program and begin building or enhancing your security roadmap. At ISG, we work with healthcare organizations to continuously level up your security posture, ensuring you are well-armed against potential threats.
Ready to minimize threats and secure a stronger cyber insurance policy? Learn more.