Managing Cyber Risk in Healthcare: The Essential Role of Cyber Insurance

In today’s digital age, the healthcare industry faces significant cybersecurity risks that can have severe legal, financial, and reputational consequences. Based on a claims report by Marsh, the parent company of Marsh McLennan Agency, the healthcare industry has consistently reported the highest number of claims annually from 2020 to 2023. Healthcare is an appealing target for cyberattacks due to the sensitive nature of the information stored on systems and the critical and time-sensitive nature of operations.

By Kacey Wheeler and Michael Hummel, Marsh McLennan Agency

Threat Landscape Today
Email compromise and ransomware are the two most common incident types affecting healthcare according to Kroll1. Healthcare organizations, including community health centers (CHCs), store a vast amount of valuable information including personal and medical information. Cybercriminals can use this data for various malicious purposes, such as identity theft, financial fraud, extortion, or selling on the dark web. Email compromise and ransomware attacks provide direct access to this valuable data. CHCs operate in a time-sensitive and critical environment where uninterrupted access to patient data and systems is essential for providing quality care. Ransomware attacks, which encrypt data and demand a ransom for its release, can severely disrupt operations, leading to potential harm to patients and financial losses associated with recovery or a potential ransom payment. The healthcare industry also faces ongoing risks from insider threats. It is important to recognize that attackers may not always originate externally but can also emerge from within the organization itself.
​
Vendor Cyber Risk
Third party cyber risk imposed from relationships with vendors continues to be a prevalent issue for CHCs, especially since healthcare organizations often have complex supply chains and relationships with third party vendors. Third party vendors provide countless crucial services that can lead to large losses if shut down by a cyber-attack or other failure such as systems crashing from a software update. This can lead to critical downtime or breach of data within the custody of a vendor. Furthermore, network connections with the third-party vendor can provide an entry point for attackers if the third party is breached.

How Cyber Insurance Helps You Stay Protected
Cyber insurance plays a crucial role in managing cybersecurity risks for CHCs by providing financial protection and support in the event of a cyber incident. Here are six key areas that policies cover:

1. Event Management / Breach Response: Costs associated with a security breach or a privacy breach such as legal expenses, forensic investigation, notification, credit monitoring services, and PR response.
2. Cyber Extortion: Expenses related to responding to ransomware attacks or other forms of cyber extortion.
3. Data Asset Protection: Costs to restore, recreate, or recollect your data and other intangible assets that are corrupted or destroyed.
4. Business Interruption Coverage: Income loss and extra expenses incurred due to a cyber incident that disrupts normal business operations.
5. Liability and Defense: Legal expenses incurred in defending against third-party claims and costs associated with settlements or court-ordered judgements in favor of third parties affected by a security breach or data breach. This also includes fines and penalties assessed by regulators for the breach of sensitive data.
6. Cyber Crime – Costs associated with various cybercrimes committed, such as social engineering where attackers manipulate organizations into transferring funds.

What to Consider when Selecting Cyber Coverage

1. Specific to Your Needs: Each organization’s needs are different when it comes to cyber insurance. The coverage needed depends on organizational risk factors, such as the nature of the business, number of records with personally identifiable information or protected health information, and whether the CHC stores monetary cardholder data. It also depends on the security controls implemented.
2. Healthcare Specific Coverage: Every industry has unique risks. When it comes to cyber risk for CHCs, patients could experience bodily injury as the result of a cyber-attack. A cyber incident impacting the security or functionality of medical devices connected to networks or that utilize software for operations can lead to bodily injury to patients. Contingent bodily injury coverage under a cyber policy covers this.
3. Claims Handling: Cyber claims can be extremely complex and require a unique skillset to appropriately navigate and respond. Obtaining cyber insurance from someone with specific experience in navigating claims and cyber incidents is crucial to ensuring you not only have broad coverage, but your policy works when it matters most.

Battling Cyber Risk
Technology plays a crucial role in the healthcare space, enabling advancements in patient care, medical research, and operational efficiency. However, along with these benefits, technology also brings inherent risks, particularly in terms of cybersecurity. Balancing the advancements that technology allows with a robust cybersecurity management program is essential. While implementing security controls is of utmost importance, the significance of having a well-crafted insurance policy is a critical component to the cybersecurity puzzle.

 
https://www.kroll.com/en/insights/publications/cyber/state-cyber-defense-healthcare

​To learn more check out the free Managing Cyber Risk in Healthcare: The Essential Role of Cyber Insurance Webinar!

​https://mmc.zoom.us/rec/share/I7dT5NCXFWzCfYfOei4rUVe3X6zzkvkfTJrkY4-J9KImiSBmoqCIuEzqJGmp0T8V.iZ9p3bjcWpeWeVGC?startTime=1724778023000
Passcode: 2H&9bn5&

Kacey Wheeler
Cyber & Technology Specialist, Marsh McLennan Agency
960 Broadway Avenue, Suite 500, Boise, Idaho, 83706
Work Phone: 208-338-6401, Cell Phone: 208-866-1424
Email: [email protected]
​

Michael Hummel, RPLU
Sales Executive, Business Insurance – Healthcare Practice, Marsh McLennan Agency
CA Insurance License #4277151
1202 North 16th Avenue, Suite 200, Yakima, Washington, 98902
Work Phone: 509-853-4234, Cell Phone: 509-907-1287
Email: [email protected]

NWRPCA welcomes and regularly publishes white papers and articles submitted by members, partners and associates with subject matter expertise. The appearance of any guest publication in our Health Center News database represents the views of the author and does not constitute endorsement by NWRPCA of the stated opinions or perspectives, nor does it suggest endorsement of the contributor's products or services.