06. 15. 22
One of the many things I’ve learned from working with practices that have experienced a breach is that they don’t teach cybersecurity at medical school. Unfortunately, they probably should. Cybersecurity is becoming a bigger concern for every practice owner, and choosing the right cyber defense plan and cyber insurance policy is a decision as important as choosing the right malpractice insurance.
For the last few years, healthcare organizations have been one of the biggest targets of ransomware gangs and hackers, and that trend is not slowing down any time soon. A recent independent report found that 66% of healthcare organizations were hit by ransomware in 2021, an increase from the 34% attacked in 2020. That is a 94% increase from one year to the next. The report, commissioned by IT vendor Sophos and conducted by Vanson Bourne, an independent research company, surveyed 5,600 IT professionals including 381 individuals from the healthcare industry and focused on mid-sized organizations with 100 – 5,000 employees.
The most alarming conclusion in the report may be what it says regarding cyber insurance. As ransomware incidents become more prevalent, cyber insurers are increasing their costs and pushing their insurance out of the range of most small to medium-sized healthcare organizations. In other cases, it’s been determined that the risk outweighs the reward, and insurers are dropping their cyber policies altogether. In addition to the rising costs and limited availability of cyber insurance, the respondents reported that the policies have become more complex and have included an increasing number of cybersecurity defenses that the organization must implement to qualify for the coverage.
“With fewer organizations providing cyber cover, it’s a seller’s market,” the report stated. “They call the shots, and they can be selective about which clients they cover.”
Your practice is attractive to hackers for a few reasons, including the amount of sensitive information you hold and the responsibility you have under HIPAA to protect that information. These factors weigh heavily in the decision of whether or not to pay the ransom, and they are among the reasons healthcare organizations are more likely to pay than other industries.
Beyond the cost and availability, here are two other factors I have found to be most important when deciding on a cyber insurance policy.
Having the right defensive measures in place, including antivirus software, a firewall, encryption, multifactor authentication, and a staff that’s properly trained on what they can and can’t do under HIPAA, will go a long way toward protecting your practice and lowering the chances of a breach. There is, however, no such thing as being 100% protected, and no organization is immune to a cyber-attack. The only way to truly protect yourself is to do everything possible to prevent a breach and to be fully prepared for when one occurs.