Cyberinsurance Tips for Health Care

The last 18 months have seen an unprecedented digital transformation in many verticals. The health care sector is no exception, with a dramatic increase in the use of telehealth for the delivery of vital care. While this has improved efficiencies, it has also introduced risks. Confidential patient data is worth a lot of money to hackers. Along with new vulnerabilities and attack vectors, this all but guarantees health care organizations will remain targets for threat actors for many years to come.

Increase in Cyberattacks on Health Care Organizations

The exponential increase in cyberattacks on health care organizations has made cyberinsurance a necessity to offset business disruption, downtime and possible ransomware extortion. Cyberinsurance protects health care organizations financially and can help ensure your operations survive a cyberattack, with many policies including help with incident response and coverage for ransomware.

According to the U.S. Department of Health and Human Services, 60% of observed ransomware attacks in 2021 targeted the health care sector. The average ransomware payment in the early part of 2021 amounted to $131,000. These sobering statistics have not gone unnoticed by insurance companies who have had to make numerous payouts to cover the claims from these attacks.

Overhaul of Underwriting Practices

These payouts have resulted in a complete overhaul of the underwriting practices surrounding cyber liability insurance. Insurance companies are now demanding to see the specific cybersecurity practices that a prospective policyholder has implemented. It is becoming increasingly difficult (and costly) for clinics and practices to get cyberinsurance, and health care organizations that have fallen victim to ransomware have found they are unable to renew their policies or that their insurance companies canceled them altogether.

The new threat landscape requires health care IT leaders to ensure they are addressing the most common vulnerabilities to meet not only regulatory requirements but also the new paradigm surrounding cyberinsurance.

Critical Steps

Health care IT leaders can take these eight critical steps to minimize exposure to risk and cyberinsurance costs:

  • Ongoing security awareness training: This is a simple but highly effective method to ensure staff stay up to date and aware of social engineering techniques such as phishing. Users learn how to identify phishing threats so they don’t click on malicious links. Many cyberinsurance policies provide this training and include it with the policy. You may also find yourself better positioned with the insurer if you or your IT services partner already have an established security awareness training program in place.
  • Follow the principle of least privilege: This ensures users are granted only the minimal access they require to do their job, which lowers risk and the opportunities for a breach. Documenting who has access, and the level of access required for them to do their job, can help minimize risk and reduce cyberinsurance rates.
  • Strong and complex passwords: Good password hygiene along with multifactor authentication (MFA) can prevent many attacks. Adding MFA to email and other accounts will reduce the chances of an account being hacked. Adding MFA for remote access and other system accounts provides another layer of protection should a breach occur.
  • Maintaining offsite and secure backups: Offsite and secure backups can prevent data loss and help you recover more quickly from an incident. Network segmentation and the practice of keeping backups on a separate network are key to protecting those backups.
  • Endpoint detection and response (EDR): EDR provides a level of protection that legacy antivirus solutions are unable to match. The shift to remote work means many employees are no longer working behind the company’s perimeter firewall. This increases the importance of protecting endpoints to prevent breaches.
  • Security information event management (SIEM): SIEM systems can detect anomalies before a breach occurs, with both traditional on-premises systems and systems that can also be integrated with cloud workloads. This can be a critical tool for forensic investigations and incident response but often requires an outside expert to help configure and manage.
  • Regular patching and updating: Patching and updating your OS, applications and firmware as fixes become available is a critical part of your security foundation and ensures that vulnerabilities in critical systems are not exploited.
  • Encryption: Encryption at rest secures data on disks and protects it from unauthorized access whether it is on servers, laptops or workstations. For example, if a laptop with sensitive information is stolen, the criminal would be unable to access the data if it was encrypted.
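The SIEM step above says such systems "can detect anomalies before a breach occurs" without showing what a detection actually looks like. The following is an added example, not code from the article or from Med Tech Solutions: a small Python detector that reads constructed OpenSSH-style authentication log lines (the hostnames, usernames and IP addresses are invented samples) and raises an alert when one user/source pair accumulates five failed logins inside a five-minute window, and a higher-severity alert when that burst is followed by a successful login. The threshold and window are assumptions; a production SIEM rule would be tuned to the organization's own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the article). The format loosely
# follows OpenSSH syslog messages; hosts, users and addresses are invented.
SAMPLE_LOGS = """\
2021-06-01T08:00:01 ehr-gw sshd[101]: Failed password for nurse1 from 203.0.113.5 port 50001 ssh2
2021-06-01T08:00:03 ehr-gw sshd[101]: Failed password for nurse1 from 203.0.113.5 port 50002 ssh2
2021-06-01T08:00:05 ehr-gw sshd[101]: Failed password for nurse1 from 203.0.113.5 port 50003 ssh2
2021-06-01T08:00:07 ehr-gw sshd[101]: Failed password for nurse1 from 203.0.113.5 port 50004 ssh2
2021-06-01T08:00:09 ehr-gw sshd[101]: Failed password for nurse1 from 203.0.113.5 port 50005 ssh2
2021-06-01T08:00:12 ehr-gw sshd[101]: Accepted password for nurse1 from 203.0.113.5 port 50006 ssh2
2021-06-01T08:15:00 ehr-gw sshd[102]: Failed password for drsmith from 198.51.100.7 port 40001 ssh2
2021-06-01T08:15:20 ehr-gw sshd[102]: Accepted password for drsmith from 198.51.100.7 port 40002 ssh2
2021-06-01T09:00:00 ehr-gw sshd[103]: Accepted publickey for backupsvc from 10.0.0.9 port 33001 ssh2
"""

# Pulls timestamp, outcome, auth method, user and source address out of one line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines the rule does not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window rule over auth events.

    - 'medium' alert the moment a (user, ip) pair reaches `threshold` failures within `window`
    - 'high' alert when a success follows such a burst from the same pair (likely compromise)
    Returns the alerts in the order they fired.
    """
    failures = defaultdict(list)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        # Drop failures that have aged out of the window before evaluating the rule.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            if len(failures[key]) == threshold:  # fire once, when the threshold is first crossed
                alerts.append({"severity": "medium", "rule": "bruteforce-burst",
                               "user": ev["user"], "ip": ev["ip"], "at": ev["ts"]})
        else:  # Accepted
            if len(failures[key]) >= threshold:
                alerts.append({"severity": "high", "rule": "success-after-bruteforce",
                               "user": ev["user"], "ip": ev["ip"], "at": ev["ts"]})
            failures[key].clear()  # a success resets the counter for this pair
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOGS):
        print(f"{a['at'].isoformat()} [{a['severity']}] {a['rule']}: {a['user']} from {a['ip']}")
```

On the sample data the single failed attempt by drsmith is below the threshold and produces nothing, while the nurse1 sequence produces a medium alert on the fifth failure and a high alert when the subsequent login succeeds; the second alert is the one an incident response team would want paged immediately, since it indicates the password was guessed rather than merely attacked. Commercial SIEM products express this same logic in their own rule languages, but the underlying pattern (count events per key inside a time window, escalate on a state change) is what an analyst is tuning when configuring them.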

Be Prepared

Even if you’re doing all these things, an incident can still occur. Be prepared. Having a team of experts to help with forensic analysis and incident response, both with managing the event and recovering after it, is key. Many cyberinsurance policies include those services or will cover the cost of incident response if you are working with a qualified partner of your choice. Having your own team (either in-house or through a partner) lets you conduct planning sessions and lets them become familiar with your systems, so you don’t have to bring them up to speed during a crisis. Note that some cyberinsurance policies may not cover the cost of regulatory fines, so it helps to check that this coverage is included.

There are no indications that health care organizations will cease to be targets of malicious threat actors. While this outlook may seem dire, health care IT leaders can take actionable steps to address common vulnerabilities and meet regulatory requirements while minimizing risk and cyberinsurance costs.

Bob Satyal

Well-informed and highly experienced in Security and Compliance, Bob has over 14 years of experience in Health IT. He has supported a variety of healthcare organizations and is currently a security officer for Med Tech Solutions, a national hosting and managed services provider. Bob works with a team of professionals at Med Tech Solutions to ensure compliance with industry frameworks such as HITRUST CSF.