More on Risk Management

Cyberinsurance options a 'Wild West' for healthcare organizations

The evolving industry rewards hospitals that have done their due diligence before even seeking a policy, experts say.

Beth Jones Sanborn, Managing Editor

The healthcare industry is playing a dangerous game of catch-up when it comes to understanding and implementing cyberinsurance to protect them from hackers and other cybercriminals.

"It is wild wild west out there when it comes to cyberinsurance," said Mary Chaput, CFO of Clearwater Compliance, a healthcare cybersecurity consulting firm. 

Even though cyberinsurance is already evolving, what's covered can vary and so can the costs. A full understanding of your system's liabilities and needs will be key to successfully navigating the winding path to coverage, once your system decides they want it. Reading the fine print is crucial too.

HIMSS20 Digital

Learn on-demand, earn credit, find products and solutions. Get Started >>

[Also: Panel tells Congress that financial incentives will get healthcare providers to share cybersecurity data]

"Start off with getting an understanding of things that are problematic enough to take the hosptial out of business," said Jack Lennon, senior vice president of Aon Risk Services, a broking company and consulting firm with stratified interests including a specialization in the healthcare industry.

Then, Lennon said, hospitals should obviously look to align themselves with a brokerage that has a dedicated cyber practice. The purchase of cyberinsurance is always about culture and risk tolerance, as well as what the system can afford.

"Some entities feel that they have tightened everything down regarding policies and procedures and are relatively secure from a breach, but that in my opinion is close-minded. Everyday there is a new hacker or risk that must be dealt with," Lennon said.

[Also: Cybercriminals targeting FTP servers to compromise health data, FBI says]

Also, Chaput stressed the importance of doing research on your potential insurance carrier to see if they denied claims, and if so, why. Often, cyberinsurance will cover major areas like forensics costs, communication costs, legal costs and in some cases settlement costs. Both Lennon and Chaput said these areas are musts for robust coverage. However reputational damage, including loss of revenue and future patients as well as staff, may not be covered, a deficiency that could deal a major blow to a hospital or health system if they aren't prepared.

She said premiums can start at $10 million a year, with deductibles also in the millions. And if an organization has already been breached when they seek out their cyberinsurance policy, that will almost certainly raise premiums.

Ten million dollars in coverage is a benchmark for community hospitals, but not all of them "are there yet," Lennon said. However, some carriers are building out pre-breach offerings as part of the policy package, working with hospitals to become as immune to breaches as possible and therefore potentially diminishing the amount of coverage they might need. Clients can also get credit for working with a monitoring system that detects potential threats.

[Also: Almost all healthcare organizations plan investments in cybersecurity, report says]

Cliff Kittle, principle healthcare information security expert at SecureWorks, pointed out that some policies will offer resources to clients like incident response plan guidance, and may give discounts or lower deductibles if the client has a formal risk management program and has done risk analysis.

"It's sort of like putting a smoke alarm in a house, or safe-driver discount. That applies to cyberinsurance. If you're doing things like a formal risk management program that includes a mitigation plan and you can prove from a documentation perspective that you're working that plan, that can impact your premium."

That's a prime pitfall for healthcare organizations, Kittle said. Reluctance from organizations to do the size scope of risk assessment needed for their enterprise frequently means they get wrapped around the HIPAA security rule, and fail to expand it out to business associates.

"Not understanding mitigating those risks gives insurance providers an out because the organization didn't meet that requirement." Third party vendors and business associates should always be part of a cyberinsurance policy's coverage Kittle said.

"Hospitals have learned that the insurance companies will put them through a very vigorous due diligence process, and if what is recommended or required at the onset of the policy isn't covered then the coverage will be declared null and not in effect," said Lennon.

As such, healthcare leaders must be very specific in their negotiations when coming to an agreement of what their policy will cover and what requirements insurance providers place on them, such that organization can be comfortable that they will be covered in case of breach.

For instance, Chaput pointed out that when it comes to forensics, it should be clear in the language that if there is a breach it doesn't matter if it's an insider or an outsider. If the breach is significant, those costs should be covered.

If appropriate due diligence and preparation have been done, and the policy's requirements are met, a hospital or system in this kind of good standing that has approximately $10 million in coverage might pay around $80,000 or $90,000 a year, Lennon said.

Lennon's last piece of advice: Have a bitcoin stash. 

"Largely folks in healthcare and other industries don't realize bitcoin tends to be necessary in a data breach, so with coverage in place for providing bitcoin, it should be an asset in the treasury of the hospital that can be accessed quickly."

Twitter: @BethJSanborn