A report by Verisk Analytics projects the cyber insurance markets to reach $6.2 billion this year. That may seem like a high number, but compared to the projected $305 billion losses in healthcare over the next five years, the single-digit investment is minor.
Healthcare has long been the most targeted industry for cyberattacks for years, and the trend continues. The money invested into cyber insurance is a very good sign because it shows that more healthcare providers are taking their cybersecurity seriously.
A cyber insurance policy, or cyber liability insurance, covers incidental damages from a cybersecurity attack or data breach.
Coverage may include damages and costs related to HIPAA-related fines, replacement of damaged IT infrastructure, theft/destruction, ransom, filing lawsuits, etc. It helps to cover breaches and threats regarding HIPAA and protected health information (PHI).
SEE ALSO: What is a HIPAA Violation?
Why healthcare organizations need cyber insurance
Healthcare is the most vulnerable business sector. With COVID and the increase of remote workers, network security is even more critical than usual. Cyberthreats are more prominent as cybercriminals take advantage of transitions and uncertainty of how to handle new COVID-19 related protocols.
Cyber insurance policies help protect medical and healthcare organizations from legal, financial, and reputational blows at the hand of cybercriminals. For example, a data breach involving PHI can lead to lawsuits from governing agencies and patients, a loss of trust, and ultimately, business.
What to look for
Like all insurance policies, coverage varies widely among firms. Since cyber liability insurance is relatively new, there is no standard or expectation of coverage, making it harder to make the right choice.
However, we have gathered some key inclusions that a cyber insurance policy should offer.
- Activity/network monitoring
- Breach notifications
- Network security
- Business interruption costs
- Legal fees
Typically, the organization’s specific circumstances tailor most cyber insurance policies. This is a good thing, but it also means that the buyer must do their due diligence to assess which elements are right for them.
Insurance carriers should always be transparent about the efficacy and relevant offerings. Always assess your organization’s needs and vulnerabilities when shopping for an appropriate policy.
First-party vs. third-party coverage
There are typically two separate categories for cyber insurance policies, first-party and third-party coverage.
SEE ALSO: The Costs of Ransomware Attacks
Third-party coverage is typically the aftermath of an attack. Any damages resulting from the initial attack – such as claims made from outside parties – fall into this category. This includes HIPAA violation claims from Health and Human Services, fines from credit regulatory agencies, patient lawsuits, etc.
It is important to note that first-party and third-party coverage include different features and often are separate policies. Consult with your underwriter to ensure adequate coverage.
Prevention is the best step
Investing in cyber insurance is a good – and even necessary – measure for protecting your organization. With the prevalence and frequency of attacks in the healthcare sector, no protection is too much.
Proactive measures, however, are the preferred method. Rather than having to react and invoke costly cyber insurance, you can do yourself a huge favor by following some guidelines to protect against an attack at all.
According to Chubb, there are some actions you can take to help protect yourself from a threat:
- Limit access to privileged accounts
- Conduct regular penetration tests
- Improve password hygiene
- Protect yourself against email phishing attacks
Even with taking these precautions, it is important to realize that there is never guaranteed protection from cyberthreats. These steps are critical measures to reduce your risk significantly.
How Paubox can help
Our solutions are HIPAA compliant by default, so you always protect your organization and patient data with zero-step encryption.