Can healthcare keep pace with new cyber insurance security requirements?
In the last two years alone, industries facing an onslaught of cyberattacks, like healthcare, began facing another problem: cyber insurance carriers were limiting coverage, increasing premiums, and adding security requirements that must be met to obtain a policy.
In 2021 and 2022 the Government Accountability Office confirmed these growing challenges, noting that the embattled sectors were simultaneously opting into cyber coverage — with a much higher price tag. The reports drew alarm from healthcare stakeholders, who recently confirmed to SC Media that these hurdles are likely to remain into the foreseeable future.
Industry leaders are saying that it’s getting to the point where cyber insurance carriers are telling potential clients that the entity must add specific security elements or they won’t be able to provide coverage, or will only do so at a significantly higher rate, explained Dave Bailey, vice president of security services for CynergisTek.
Many healthcare entities are responding by pivoting to reach those security goals so that they can demonstrate due diligence in the event of a breach or security incident. But resource challenges are making those lofty goals harder to reach.
In short, healthcare providers understand the importance of the new requirements, but are finding it extremely difficult to add all of the required additions, especially smaller providers.
Ideally, those providers would have partners able to help strengthen their security posture, but it has been challenging to invest the needed resources. It's the position that the vast majority of small providers find themselves in: lacking both the capital and the people needed to support what cyber insurance carriers are requiring.
“The vendors will tell you the same thing,” said Bailey. In the end, the “work has to be done, no matter what size you are.”
As threats evolve, insurance requirements follow
Ransomware is seemingly inevitable under the current threat landscape, and more often than not, the carrier isn’t going to get the money back like they would in an auto accident, explained Fortified Health Security CEO Dan Dodson.
The shift in risk and these evolving threats have created new challenges for cyber insurance, and it’s the lesser-resourced industries like healthcare that are struggling to gain and maintain coverage.
Several years ago, buying cyber insurance was an annual process where entities could “buy it, set it, and forget it.” With the constant barrage of ransomware attacks and extortion efforts, those days have long fallen by the wayside. To Dodson, cyber insurance requirements are in the early innings of an evolution, as the carriers try to determine how to manage that risk.
For health systems, it’s translated into increased scrutiny during the application process. What began as simple questionnaires has “evolved today into very specific requirements of technology and security technology being deployed in the environment,” he explained.
Take multi-factor authentication for example. Last year, MFA was a primary discussion point for determining coverage. But during the policy renewal cycle this year, Dodson has seen multiple carriers requiring advanced endpoint protection, “which is an expensive proposition.”
As a result, health systems are now having to work to balance the increased cost of cyber insurance policies with the additional required investments in their cyber programs to implement additional advanced monitoring technologies.
The insurance process is typically an annual purchase. However, the underwriting, done during the application process, has become more stringent. And carriers are now putting in financial caps for how much the carrier will pay per event and breach.
Entities must now buy the policy, adhere to its attestations for its security tools and policies, and ensure they continuously adhere to a management process that can verify if the entity is indeed doing what they attested to during the sign-on process, or else the policy becomes “worthless,” said Dodson.
The process has become much more detailed while coverage has shrunk, which is fueling debate over self-coverage. For large health systems, self-coverage may be a more feasible option, and they may do well in keeping up with these amended requirements and policies because they have the teams, the time, and the funds to do so.
Some cyber insurance companies are now performing a quarterly check-in with policyholders as well. It's unclear whether the increased check-ins have led to coverage being terminated.
The concern is that these changes could indeed lead to “the most vulnerable organizations, from a cyber perspective, with the least amount of coverage,” said Dodson.
“More frankly, it’s more likely they’ll have to claw-back if they’re not that good in adhering to the policy,” he added. Small entities receive grants, which have requirements for obtaining cyber insurance coverage. The goal is to determine how to manage this risk.
In some instances, there's been "scuttlebutt" about entities forgoing the mainstream carriers to self-insure, as the policies and requirements have essentially doubled the insurance costs "for half the coverage," he added.
Won’t security requirements bolster cyber posture?
Healthcare has long struggled to adhere to some of the most basic security compliance requirements outlined in the Health Insurance Portability and Accountability Act (HIPAA). But as the industry works to update HIPAA to reflect the needs of digital innovation, it would seem the requirements for obtaining cyber insurance could only improve the state of healthcare cybersecurity.
A lack of resources and staff may, however, hinder the overall impact of these requirements, while widening the chasm between the large, heavily resourced provider organizations and small clinics and entities already struggling to meet compliance.
“If I’m a smaller hospital, and I’ve got these demands from my cyber insurance, the asks of the cyber insurance are based on statistical prevention of known breaches,” Dodson added. The insurance companies are clearly right with these requests, which are essentially the “fundamentals of what a good cyber program should have anyways.”
Insurance carriers are “trying to minimize the damage.” If an attacker gains access through a medical device that doesn’t have the security tech and crosses into the network onto an asset that does, “the theory is that that would be discovered on the second asset and provide the protection,” said Dodson. “It limits the potential impact of an event and is caught more quickly.”
Providers must understand that the environment they describe during the application process immediately begins to evolve once the policy is in place, explained Dodson. If they attest to having certain elements and fail to execute those attestations as the environment changes, coverage issues may arise in the event of an incident.
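The "continuously verify what was attested" point above, and the layered-detection theory Dodson describes (an unprotected device crossing onto an asset that does have the control), can be made concrete with a small attestation-drift check. The script below is an added example, not code from the article or from any carrier or vendor named in it; the control names, the attestation and the asset inventory are all constructed for illustration, and a real deployment would feed it exports from an identity provider, an EDR console and a CMDB instead.

```python
"""
Attestation-drift checker (added example, not from the article).

At sign-on the entity attests that certain controls are in place. The
environment keeps changing afterwards, so the attested state is re-checked
against a live asset inventory. Everything below is constructed sample data.
"""
from dataclasses import dataclass

# Constructed attestation: the controls the entity told the carrier it has.
ATTESTATION = {
    "mfa_required_for_remote_access": True,
    "endpoint_protection_on_all_workstations": True,
    "endpoint_protection_on_all_servers": True,
}

# Constructed inventory, shaped like a CMDB/EDR export. Two assets have
# drifted since sign-on: a new imaging PC never got an agent, and MFA on the
# VPN host was disabled during an outage and never re-enabled.
INVENTORY = [
    {"host": "ws-001",          "type": "workstation",    "edr_agent": True,  "remote_access": False, "mfa": None},
    {"host": "ws-002",          "type": "workstation",    "edr_agent": False, "remote_access": False, "mfa": None},
    {"host": "srv-ehr",         "type": "server",         "edr_agent": True,  "remote_access": True,  "mfa": True},
    {"host": "srv-vpn",         "type": "server",         "edr_agent": True,  "remote_access": True,  "mfa": False},
    {"host": "infusion-pump-7", "type": "medical_device", "edr_agent": False, "remote_access": False, "mfa": None},
]

# Asset types the attested endpoint-protection controls actually cover.
COVERED_TYPES = {"workstation", "server"}


@dataclass(frozen=True)
class Finding:
    control: str   # attested control that the asset contradicts
    host: str      # asset that drifted
    detail: str    # human-readable reason


def check_attestation(attestation: dict, inventory: list) -> list:
    """Return one Finding per asset that contradicts an attested control."""
    findings = []
    for asset in inventory:
        if (attestation.get("mfa_required_for_remote_access")
                and asset["remote_access"] and not asset["mfa"]):
            findings.append(Finding("mfa_required_for_remote_access", asset["host"],
                                    "remote-access host without MFA"))
        if (attestation.get("endpoint_protection_on_all_workstations")
                and asset["type"] == "workstation" and not asset["edr_agent"]):
            findings.append(Finding("endpoint_protection_on_all_workstations", asset["host"],
                                    "workstation missing endpoint protection agent"))
        if (attestation.get("endpoint_protection_on_all_servers")
                and asset["type"] == "server" and not asset["edr_agent"]):
            findings.append(Finding("endpoint_protection_on_all_servers", asset["host"],
                                    "server missing endpoint protection agent"))
    return findings


def coverage_summary(attestation: dict, inventory: list) -> dict:
    """Per-control pass/fail: the view a quarterly check-in would ask for."""
    failed = {f.control for f in check_attestation(attestation, inventory)}
    return {control: control not in failed for control in attestation}


def unmanaged_assets(inventory: list) -> list:
    """Hosts outside the attested controls' scope and without an agent.

    These are the assets (e.g. medical devices) where the carrier's layered
    theory applies: detection has to happen on the next, protected asset an
    intruder touches, so they deserve compensating monitoring.
    """
    return [a["host"] for a in inventory
            if a["type"] not in COVERED_TYPES and not a["edr_agent"]]


if __name__ == "__main__":
    for f in check_attestation(ATTESTATION, INVENTORY):
        print(f"DRIFT  {f.control:40} {f.host:18} {f.detail}")
    print("summary:", coverage_summary(ATTESTATION, INVENTORY))
    print("unmanaged:", unmanaged_assets(INVENTORY))
```

Run on a schedule (and certainly before each renewal or check-in), the drift list is the evidence that the management process the article calls for actually exists; the unmanaged list is where the "second asset" argument carries the most weight.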
Typically, a cyber insurance company will do a claim review after a reported incident to determine whether the provider is upholding their end of the contract. For Dodson, this is where the industry will face “massive clawbacks.”
“What I’m most concerned about is clients are moving forward with cyber insurance, by and large,” said Dodson. For the most part, entities are implementing what they attest to in order for the policy to be enforced.
However, “when push comes to shove, given the fluid nature of these environments, there could be a scenario where they’re not actually upholding what they’re supposed to be doing relative to this insurance plan, and that’s a concern.”
Recent data has shown that even the biggest health systems are reporting significant costs around cyberattacks, with the ransomware and subsequent outages at Scripps Health and Tenet Health costing well over $100 million.
Unfortunately, the impact on small providers has led to significant disruption to patient care and revenue when systems are down, he explained. “That is a catalyst for changing healthcare coverage anyway.”
But some providers that recognize that a two- or three-day period of downtime would be a serious business issue see the correlation, make those adjustments, and advance as much as possible to address the evolving threats and coverage issues.
At the end of the day, obtaining coverage may seem like a pure financial decision, but, as Dodson put it, it "is really more complicated based on other elements of your hospital or health system."