Why cyber insurance is critical for healthcare organizations
Patient confidentiality is paramount in the healthcare industry. Healthcare providers and other related businesses are entrusted to collect, transmit, and store not only health-related information but also personal, financial, and other identifying details. This sensitive data is often required to be available digitally, making it a frequent target of cybercriminals.
Healthcare providers use many technologies that present cyber risks, such as internet-accessible medical devices, remote monitoring tools, and telemedicine applications. Organizations must not only protect sensitive patient information but also maintain security and availability of data, as well as lifesaving technology. Even a minor breach or failure can have major cyber implications, potentially hindering the delivery of service and impacting the health and safety of patients, underscoring the importance of strong security controls and cyber insurance.
How bad could one small security incident be?
$161,000
Average cost of a cyber claim for healthcare businesses
40%
Percentage of cyber attacks originating from email inbox
$265,000
Average ransomware loss for healthcare businesses
Unique exposures for healthcare companies
How essential technologies can create cyber risk
Electronic medical record (EMR) systems
Often cloud- or web-based, these essential systems are used to store, manage, and share patient records. A data breach or incident involving an EMR system could cause data privacy issues, regulatory violations, or even a disruption in services to patients in need of care.
Email & mobile devices
Mobile devices are essential for communication among healthcare workers, particularly email. However, business email compromise (BEC) is a frequent cause of cyber insurance claims for healthcare companies, which can trigger data breaches, business interruption and even reputational damage.
End-of-life software & hardware
Some organizations may use outdated technologies with the belief that upgrading would be expensive, time-consuming, and disruptive. However, technologies no longer supported by the manufacturer often have known security vulnerabilities and may lack important security features to protect against modern threats.
Medical devices
Outdated software, insufficient security features, and a lack of hardened baseline configurations can lead to vulnerabilities in medical devices. Exploitation of insulin pumps, defibrillators, and numerous other devices can compromise operations, patient safety, and data privacy
Patient portals
These websites enable patients to access electronic health records and make it easier to fill prescriptions or schedule appointments. However, a breach could expose large amounts of data and cause serious disruption due to the volume and sensitive nature of the information.
Telemedicine platforms
Telehealth relies on connecting with patients and exchanging information on the internet. Patients with vulnerable devices or networks can expose healthcare organizations to phishing, malware, and other cyber attacks.
How sensitive data can increase business liability
Biometric data
Fingerprints, retina scans, and other biometric data technologies are used by medical offices to ensure patient identification. Much like passwords, this data can be stolen and used to impersonate individuals and perpetuate cybercrime.
Financial data
Collecting and processing financial information requires adherence to industry standards. Mishandling or unauthorized disclosure of financial data can cause direct harm to patients and trigger industry and regulatory investigations.
Personally identifiable information (PII)
PII is any data that can potentially identify a specific person. PII can be used to launch cyber attacks or gain access to networks to initiate attacks. Organizations that mishandle PII or fail to respond to a data breach appropriately can be subject to fines, penalties, and other financial damages.
Protected health information (PHI)
Most healthcare organizations collect or access PHI. Bound by the Health Insurance Portability & Accountability Act (HIPAA) Privacy Rule, they carry additional data protection and reporting requirements if an actual or suspected data breach occurs.
For more insights, download our complete guide:
Business impacts for healthcare companies
What to expect after a cyber incident
Direct costs to respond
Responding to a cyber event typically requires numerous direct costs, also known as first-party expenses. If a healthcare organization experiences a data breach involving PHI, it will require a prompt response and the need for additional legal counsel, forensic investigation, victim remediation, and notification to comply with regulatory requirements. Simple investigations can cost tens of thousands of dollars, while more complex matters can increase costs exponentially.
Liability to others
Navigating the patchwork of laws and regulations after a security incident or data breach is especially difficult for organizations that operate in a highly regulated industry across multiple legal jurisdictions. A data breach or security failure can trigger liability to third parties and cause bodily harm or injury, even if the management of healthcare records is outsourced and the organization is otherwise in compliance with applicable regulations.
Business interruption and reputation damage
A cyber event that impacts essential technology can have a significant impact on a healthcare provider's ability to operate and can be highly visible to patients and other stakeholders. Even short periods of disruption can lead to direct loss of revenue and inhibit an organization's ability to support its patients, negatively impacting not only patient retention but also the delivery of essential care.
Cybercrime
Beyond ransomware and data breaches, cyber events can result in financial theft for a healthcare provider or its patients — often without an actual breach. If an attacker dupes someone in the billing department to alter payment instructions, an organization can lose tens or hundreds of thousands of dollars almost instantly. Attackers can also gain access to email accounts and send fraudulent invoices or payment instructions to patients, customers, and other third parties.
Recovery and restoration
After a cyber event, resuming operation is no easy task. If an attacker damages or destroys essential technology, data, or physical equipment, an organization may need to bring in external support or purchase new equipment to re-secure systems. Full remediation, restoration, and recovery can take a significant amount of time, when possible, and may require purchasing new software, systems, and consultants to rebuild the network.
CYBER INSURANCE BUYER’S GUIDE
Choosing the right cyber coverage for your business
Cyber insurance is an essential aspect of modern risk management, offering coverage for the losses associated with data breaches, cyber extortion, business interruption, and other cyber-related incidents.
Coalition created a Cyber Insurance Buyer's Guide to help businesses navigate the complex cyber insurance market and confidently select the right coverage for their business.
Already a policyholder?
Log in or activate your Coalition Control account, our policyholder risk management platform, to manage your business’s risk profile.
Coalition’s products are underwritten by certain underwriters at Lloyd’s of London (A.M. Best A+ rating) and Arch Insurance Canada Ltd. (A.M. Best A+ rating).
