Healthcare data breaches occur on a daily basis in the US. Most healthcare providers expect it is a matter of "when" not "if" they will be impacted. The US Department of Health and Human Services reported 325 healthcare data breaches in in the first six months of 2021.  As the threat of being hacked increases, more health care providers are purchasing cyber liability insurance to protect against data breaches or online attack.

The timing could not be worse. With cyberattacks on the rise, and demand for coverage surging, the $3 billion cyber insurance industry is facing higher costs and substantially more risk than ever before. According to the National Association of Insurance Commissioners, premiums have more than doubled since 2015. Some companies report their policy premiums increasing 35% over prior year.  Almost all premiums climbed by double digits in 2020.

As a result of soaring losses, insurers are doing more due diligence on customer's applying for coverage, raising prices, and limiting the liability coverage. Upper limits of $10M are really a thing of the past and policy holders are receiving notices that the coverage is being slashed to $5M or even less if the policy holder cannot demonstrate their compliance with data privacy standards and best practices.

Due to the uptick in ransomware losses, the underwriting process now often requires the applicant to provide written documentation of security audits, submission of incident security plans, disaster recovery plans, and compliance with industry standards like SOC or HITRUST. Some companies will find that they are unable to obtain cyber coverage at all.

Companies that have sensitive data subject to international, federal and state privacy laws must be sure that they have adequate cyber liability coverage and demand the same from their vendors. Best practices include requiring the vendor to provide a copy of the cyber policy page and including contractual obligations for the vendor to provide notice if they have a lapse in coverage.  Companies can no longer rely on assurances from their vendors as to the adequacy of their security processes and insurance coverage but instead have an obligation to audit and review the integrity of their vendors IT security.

Purchasing cyber coverage and ensuring that your vendors have adequate coverage is just one part of the solution.  Hackers have targeted public and nonprofit entities, such as healthcare providers, because they often have computer networks running on old systems, minimal cybersecurity and understaffed IT departments. Companies must constantly evaluate their cyber security and protect against ransomware attacks. The ability to demonstrate a robust IT process may be key to obtaining cyber liability coverage. The White House issued a memorandum on cybersecurity best practices to business executives on June 1, 2021. In its memo, The White House lists the following five best practices for safeguarding against ransomware attacks.

  1. Backup your data, system images, and configurations, regularly test them, and keep the backups offline:  Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.
  2. Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
  3. Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
  4. Check your security team's work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
  5. Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber-incident.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.