One of the many things I’ve learned from working with practices that have experienced a breach is that they don’t teach cybersecurity at medical school. They probably should. Cybersecurity is an increasing concern for every practice owner, and choosing the right cyber defense plan and cyber insurance policy is a decision up there in importance with choosing the right malpractice insurance.
For the last few years, healthcare organizations have been among the biggest targets of ransomware gangs and hackers, and that trend is not slowing down any time soon. An independent report found that 66% of healthcare organizations were hit by ransomware in 2021, up from 34% in 2020. That is a 94% increase from one year to the next. The report, commissioned by security vendor Sophos and conducted by Vanson Bourne, an independent research company, surveyed 5,600 IT professionals, including 381 from the healthcare industry, and focused on mid-sized organizations with 100 – 5,000 employees.
Common Issues with Cyber Insurance
The most alarming conclusion in the report may be what it says about cyber insurance. As ransomware incidents become more prevalent, cyber insurers are raising premiums and pricing coverage out of reach of most small to medium-sized healthcare organizations. In other cases, insurers have decided the risk outweighs the reward and are dropping their cyber policies altogether. On top of the rising cost and limited availability, respondents reported that policies have become more complex and now require an increasing number of cybersecurity controls to be in place before an organization qualifies for coverage.
“With fewer organizations providing cyber cover, it’s a seller’s market,” the report stated. “They call the shots, and they can be selective about which clients they cover.”
Your practice is attractive to hackers for a few reasons, including the volume of sensitive information you hold and your obligation under HIPAA to protect it. Those same factors weigh heavily on the decision of whether or not to pay a ransom, and they are among the reasons healthcare organizations are more likely to pay than organizations in other industries.
Other Factors to Consider
Beyond the cost and availability, here are two other factors I have found to be most important when deciding on a cyber insurance policy.
- Full transparency on what is covered and how the plan works. If a policy leaves you confused and not 100% sure what is covered and when, you may want to look elsewhere. The last thing you want is to think something is covered and to find out too late it is not.
- A policy that includes an Incident Response team. You want experts in this field in your corner when it comes to the notification process, the forensics investigation, the data restoration, and any negotiation with the hackers. Your team should also be ready and available for the OCR (HHS Office for Civil Rights) investigation that may follow the breach. This can come months after the initial incident and can consist of both a full HIPAA audit and a detailed risk remediation plan you will be required to implement.
Having the right defensive measures in place, including antivirus software, a firewall, encryption, and multifactor authentication, along with staff who are properly trained on what they can and can’t do under HIPAA, can and will go a long way toward protecting your practice and lowering the chances of a breach. There is, however, no such thing as being 100% protected, and no organization is immune to a cyber-attack. The only way to truly protect yourself is to do everything possible to prevent a breach and to be fully prepared for when one occurs.