Is Cyber Insurance Worth the Hype?

Cyber insurance is becoming more difficult to obtain and less reliable. So, health systems should harden their defenses.

By Scott Trevino 

Cyber insurance policies have become increasingly important as healthcare systems face a growing number of cyberattacks. The healthcare sector faced an average of 1,410 attacks per week in 2022—an 86%  increase from 2021, according to research from Check Point Software Technologies. Cyber insurance can help hospitals mitigate the financial damage of a breach, but it often fails to comprehensively cover the financial damages, regulatory impacts, and reputational damages. Policies are also becoming more difficult and more expensive to obtain as insurers weigh the risk of covering such a desirable target for hackers. 

To best protect their patients and themselves, health systems need to improve their overall cyber-risk posture, which will better their chances of being insured and potentially lower premiums, while helping prevent breaches before they occur.  

A Prime Target for Cyberattacks 

Healthcare is one of the top industries that cybercriminals pursue. After all, health systems store extensive financial and personal data, making them an ideal target for cybercriminals. Ransomware actors may also believe hospitals will be willing to pay up if an attack disrupts life-saving care.   

To make matters worse, as an industry, healthcare is behind the curve in cybersecurity. Unpatched vulnerabilities remain an ongoing concern and an ever-present risk for healthcare organizations. More than half of connected medical devices and other Internet of Things (IoT) devices in hospitals have known critical vulnerabilities that can be exploited. Dealing with this potential threat is difficult because patches are often unavailable for networked medical devices. In fact, TRIMEDX’s database of medical device cybersecurity vulnerabilities reveals that 60% of affected models lack an OEM-validated patch or remediation.

Health systems also struggle to establish responsive healthcare cybersecurity strategies because of disconnected or incomplete information sources and inventory inaccuracies. Inaccuracies in device inventories and lack of monitoring capabilities can create an incomplete view of a health system’s risk posture, making it harder for hospitals to monitor devices and networks, detect and identify anomalies, and respond quickly to cybersecurity incidents.

Finally, health systems are especially vulnerable to cyberattacks because biomedical engineering teams and IT departments have historically operated separately. IT teams have cybersecurity expertise but don’t deal with medical devices daily. Engineering teams know the medical devices but may lack cybersecurity knowledge. These siloed teams make it more difficult for health systems to prevent, discover, and respond to cyberattacks.  

Cyber Insurance Constraints

Because hospitals are prime targets for cyberattacks, insurers are demanding that health systems have stricter cybersecurity standards in place to obtain coverage.

Insurers are looking to reduce their exposure and are imposing more requirements for coverage, such as demonstrating reduced risk. Before agreeing to a policy, many insurers will ask health systems about their current mitigation measures, including:

• “How are you educating your employees?”
• “How are you protecting against phishing attacks?” 
• “Do you have multi-factor authentication?”

If a health system can prove a comprehensive prevention strategy is in place, they’ll look more favorable to an insurer. If a health system can obtain cyber insurance, they’ll still likely face a pricey premium. Those have risen significantly, driven by the rise in demand and the likelihood of losses. What’s more, ratings firm AM Best reports U.S. cyber insurance premiums spiked by 50% in 2022. And premiums collected from policies written by insurers reached $7.2 billion. While there are many outside factors contributing to the cost of premiums, better informed health systems with strong cybersecurity governance pose a lower risk to insurers.

Cyber insurance Won’t Cover All Costs of an Attack 

Even so, hospitals are finding that cyber insurance falls short of fully compensating all breach-related expenses. While these policies do assist in covering direct financial consequences such as ransom payments, lawsuits, fines, and fees for third-party service providers like ransom negotiators, they may not shield hospitals from significant financial losses entirely. Even in cases where financial losses are identified as a direct result of a cyberattack, the payouts from cyber insurance policies may amount to only a small percentage of the damages health systems experience.

Consider this: The cost of a breach in the healthcare industry rose 42% between 2020 and 2022. The average total cost of a healthcare data breach is more than $10 million—the highest of an industry for more than a decade. 

In response to increased losses, insurers are offering less coverage and imposing wider restrictions on cyber insurance policies. Many insurers exclude state-sponsored attacks from their coverage. Lloyd’s of London has directed its syndicates to exclude state-backed attacks from cyber insurance policies, saying “losses have the potential to greatly exceed what the insurance market is able to absorb.”

It’s important to note that no insurance policy can undo patient harm or reputational damage when a breach occurs. In one survey, 70% of health delivery organizations who suffered a ransomware attack reported delays in procedures and test results. And more than one-third reported an increase in complications from medical procedures. These are potentially life-altering consequences that erode reputation and patient trust, which can’t be valued.

A Strong Cyber Defense Is Key

Despite the limitations of cyber insurance, it can still play a crucial role as the last resort in a health system’s cybersecurity strategy to mitigate damage from cyberattacks. However, it should not be viewed as a substitute for robust preventative measures. Health systems must prioritize proactive, preventative strategies to strengthen their overall cybersecurity defenses.

To truly bolster their security posture, health systems should adopt a multifaceted approach that includes real-time monitoring of IT resources and medical devices. Continuous assessment of security risks based on a standardized methodology allows organizations to identify vulnerabilities promptly and take necessary actions to address them. Additionally, health systems should develop remediation strategies for cybersecurity vulnerabilities that lack vendor-validated patches, ensuring that malicious actors don’t exploit these weaknesses.

Moreover, establishing a mature cybersecurity program requires integrating this level of security awareness and best practices throughout the entire lifecycle of technology assets like medical equipment. Capital planning and clinical engineering teams need to understand how cybersecurity risks impact their day-to-day work as well as how they can take an active role in protecting the significant investments that many devices represent from attacks. And emphasizing the importance of security throughout all stages of a medical device’s life creates a closed loop for managing risk effectively and helps foster a proactive security culture.

Like every cybersecurity best practice, cyber insurance is one important piece of the full picture for protecting health systems and patients. But no single approach should be an organization’s only line of defense. By layering proactive strategies in front of a cyber insurance policy and emphasizing security awareness throughout the organization, health systems can better protect their technology resources and prepare to react quickly in the event of a worst-case scenario.

Scott Trevino is senior vice president of cybersecurity at TRIMEDX. Listen to a podcast he recently did with 24×7 here.