Will your insurance coverage protect you against the latest threats?
There’s been a surge in large-scale cyberattacks against health care organizations this year, disrupting services and putting lives and private patient data at risk. It’s also intensified public pressure for the industry and regulators to do a better job of hardening defenses.
The early August cyberattack against facilities across five states run by Prospect Medical Holdings shuttered services at various emergency rooms and primary care clinics, and necessitated a reversion to paper records until data control and recovery were effected.
It was a continuation of escalating cybercrimes against the industry this year. By June, more than 300 cyberattacks and health data breaches had been reported to the U.S. Department of Health and Human Services. The two largest alone affected more than 14 million people.
The industry needs to put better controls in place. But providers also need to get up to speed on today’s cyber risks and grow a better understanding of the evolving insurance marketplace. Here are some starting points.
Four favored cyberattack ploys
Cyber crooks are creative in finding new and different ways to get what they want. They have a lot of patience, often lurking in a system for months – over 200 days on average – before pulling the trigger. And victims don’t even know their defenses have been breached until the worst happens.
Among today’s most common ploys:
No one is immune. Health care organizations are a trove of sensitive data, both health-related and payment card data. While large companies are particularly vulnerable as big centralized pools of information, smaller operations don’t escape notice either. Smaller organizations that think they are too small for cyber criminals to worry about are less prepared for breaches. They should think again: One study found that almost 60% of ransomware attacks were against small- and medium-sized businesses.
The market for cyber insurance has been under pressure in recent years. It’s gotten more expensive as cyberattacks, losses, and claims have intensified. Still, if premiums have gotten heftier, that’s nothing compared to the cost of recovering from a ransomware attack. Plus, carriers have stepped up their risk management requirements of health care clients, which has helped to strengthen the industry’s defenses.
It’s important to look at specific, individual cyber risks and exposures, rather than standard benchmarking measures. Being aware of some nuances of cyber insurance also helps. Here are some pointers.
1. Invoice manipulation may not be part of the standard cyber policy, so always check. Coverages tend to be sub-limited. It’s key to follow provisions of the policy, particularly for callbacks. Not every carrier has amended this coverage to require callbacks on questionable transactions. But stringent internal controls are essential to offset the risk that callbacks reach the bad actors rather than legitimate parties.
2. Some concerns may carry dual coverage against data breaches, through both the cyber policy and crime policy. It’s rare to see the full coverage limit for cyber breaches on a crime policy; cyber is unique in providing both first- and third-party coverage.
3. The U.S. maintains a sanctions list against parties or individuals known to be behind malicious cyber activities. Should a provider network be attacked by parties on the list, insurance will not cover the ransom payment.
4. There is some crossover between cyber, and kidnap and ransom (K&R) policies. Should a health system get hit with a ransomware attack, for example, the K&R policy might provide additional coverage. Bigger organizations are more likely to have this.
Pete Reilly is the practice leader and Chief Sales Officer of global insurance brokerage Hub International’s North American healthcare practice. In this role, he directs and coordinates HUB’s health care planning, growth and strategic initiatives. He also works with other leaders and experts within HUB to develop and introduce proprietary products that will help healthcare organizations and providers across the care delivery spectrum.