Ransomware and other cyberattacks on the health care industry have been on the upswing, prompting some practices to buy cyber insurance in case they fall victim to these crimes. This insurance, however, presents potential pitfalls when it comes to HIPAA compliance.
“In order to have cyber insurance, providers need to meet certain standards and minimum requirements set by the insurance carriers, which facilitate HIPAA compliance and therefore mitigate the risks of hefty HIPAA fines for non-compliance,” said Fernando Sosa, managing partner of WorryFreeMD.com.
According to a 2021 IBM Data Breach Report, the average cost of a health care data breach is now $9.42 million.1 Unless practices have a 6- or 7-figure fund set aside for breach-related expenses, they should think of cyber insurance the same way they think about fire insurance, Sosa advised. “I typically tell them that it only takes 1 security breach to ruin their reputation and force them to shut down their practice,” Sosa said.
Insurance policy lingo can be confusing, and cyber insurance is no different. Because cyber insurance is a relatively new type of coverage, the definitions of what is and is not covered are a major concern. The National Defense Authorization Act for Fiscal Year 2021 included a provision for the US Government Accountability Office (GAO) to study the US cyber insurance market. The GAO report was released in May; it identifies key trends in the current market for cyber insurance and the challenges that market faces.2
Common Definitions Lacking
The GAO analyzed reports on cyber risk and cyber insurance from researchers, think tanks, and the insurance industry. It also interviewed officials with the US Department of the Treasury and industry associations representing cyber insurance providers. The GAO report found that cyber policies lack common definitions, and industry stakeholders noted that differing definitions for policy terms, such as “cyberterrorism,” can lead to a lack of clarity about what is covered. The stakeholders suggested that federal and state governments and the insurance industry should work collaboratively to advance common definitions.
“I see 2 big challenges related to developing common definitions,” said John H. Pendleton, the GAO Director of Financial Markets and Community Investment. “First, the cyber threat is evolving quickly, as evidenced by the rise in ransomware. Second, organizations or companies that are the victims of a cyberattack have been reluctant, often for business reasons, to share the details of what happened to them and how they dealt with it.”
The evolving threat, paired with a lack of good information about attacks, has made it difficult to build and price insurance coverage, according to Pendleton. The GAO report found that cyber insurance can help offset the costs of responding to and recovering from cyberattacks. The growing frequency and severity of cyberattacks have led more insurance clients to opt for cyber coverage: the report shows the share of clients buying it rose from 26% in 2016 to 47% in 2020.
The GAO concluded that developing cyber insurance products can be difficult because insurers have little historical data on cyberattack-related costs, and that determining what is covered can be hard for clients because key terms have no standard definitions.
Upfront Costs Can Be a Barrier
Industry sources interviewed for the GAO report said higher prices have coincided with increased demand and higher insurer costs because of more frequent and severe cyberattacks. In a recent survey of insurance brokers, more than half of respondents’ clients saw prices go up 10% to 30% in late 2020. Industry representatives told the GAO the growing number of cyberattacks led insurers to reduce coverage limits for some industry sectors, such as health care and education.
Insurers increasingly have offered policies specific to cyber risk, rather than bundling that risk into packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits. The report notes that historical data on losses are limited. Without comprehensive, high-quality data on cyber losses, it is difficult to estimate potential losses from cyberattacks and to price policies accordingly. Some industry participants said federal and state governments and industry could collaborate to collect and share incident data to assess risk and develop cyber insurance products.
The authors of the report write that malicious cyber activity poses a significant risk to the federal government and the nation’s businesses and critical infrastructure. Cyberattacks result in billions of dollars in losses annually in the US. Threat actors are becoming increasingly capable of carrying out attacks, highlighting the need for a stable cyber insurance market.
Oscar Miranda, chief technology officer for Healthcare at Armis, a security platform provider in Palo Alto, California, said that just as carrying medical malpractice insurance is essential for physicians, so is carrying cyber insurance. “As the number of financially motivated cyberattacks, targeting both health care providers and health systems, has increased in 2021, so have the operating costs resulting from loss of productivity, damage to reputation, and service disruption,” Miranda said.
Most cyber insurance will cover losses and damages incurred from a breach or security event that involves the loss, exposure, improper sharing, or theft of personally identifiable information or personal health information. Miranda added that policies also help cover the costs and services needed for breach notification and customer service, such as dedicated call centers. “Remember that HIPAA protects patients, not covered entities. Cyber insurance will help cover regulatory penalties resulting from a data breach involving personal health information,” Miranda said.
Cyber insurance premiums can range from $650 to $2,350 for companies with moderate risk.3 Miranda said these premiums are based on liability limits of $1 million with a $10,000 deductible. “The unfortunate reality is that financially motivated cyberattacks are only increasing,” Miranda said. “As a physician, you have invested your time and money in building your practice, so it is only prudent to protect your investment with cyber insurance.”