How healthcare organizations can maximize their cyber insurance strategies in 2022
*Originally posted on Forbes*
According to several leading players, the cyber insurance industry is in the midst of a “crisis moment.” This has largely been driven by the rapidly growing prominence and sophistication of ransomware attacks over the last 12-18 months.
While it’s by no means a new type of attack, the disruption caused by ransomware to individuals and organizations around the world reached new levels in 2021. More than one-third (37%) of organizations globally experienced a ransomware attack last year.
A major issue is that recovering from a ransomware attack is extremely costly. According to IDC, 87% of organizations that reported experiencing a ransomware attack or breach ended up paying a ransom, at an average cost of nearly a quarter of a million dollars. Global ransomware damages were expected to hit $20 billion last year, according to Cybersecurity Ventures.
This all means cyber insurance is more important than ever, particularly for healthcare delivery organizations (HDOs) that often work on tight budgets and are attractive targets due to the huge amount of sensitive patient information they hold. However, finding the right insurance is often easier said than done.
So, what’s the outlook for healthcare organizations as we kick off 2022, and how can they put themselves in the best position to meet their coverage needs?
Rising risk and premiums
The challenge facing healthcare organizations is that obtaining, renewing and maintaining cyber insurance is becoming increasingly difficult. On the one hand, cyber insurance premiums have increased significantly — in some cases as much as 40% — as insurers seek to maintain profitability amidst the rising ransomware threat. These cost increases are typically even more severe in the healthcare sector due to the sheer quantity of attacks.
On the other hand, HDOs are typically labeled as "high-risk customers" by insurance providers due to a perceived lack of adequate security strategies and controls compared to other industries.
For example, several leading cyber insurance brokers now require documented evidence as well as a formal assessment of an HDO’s identity and access management (IAM) strategy to measure the quality of its risk management preparedness, processes, security controls and tools before determining whether to grant coverage. The Council of Insurance Agents and Brokers (CIAB) cites poor risk management protocols and a lack of employee training as two key factors. Similarly, Willis Towers Watson highlights human error (25%) and inadequate IT security measures (24%) as the top two first-party root causes of breaches.
This all means using common security practices such as good password hygiene, employee training and phishing simulations can have an impact on an organization's risk profile and make it more insurable. While cyber insurance typically covers costs like extortion demands, remediation efforts and other losses, HDOs that don’t meet certain security requirements may end up receiving more limited coverage that leaves them exposed.
In order to reduce premiums and put themselves in the best position to qualify for coverage that meets their needs — all while maintaining the core mission of providing quality patient care — HDOs must ensure that their cybersecurity infrastructure is up to standard.
Meeting security requirements
The key question HDOs need to answer is: What are the core components of an effective cybersecurity and data protection architecture? Although it can feel overwhelming, there are some simple measures healthcare organizations can put in place to quickly enhance their security posture.
For example, privileged access management (PAM) should be a central element of any organization’s security strategy. By protecting the highest-risk accounts, assets and tasks, PAM reduces the risk of data breaches and compromised credentials through the principle of least privilege: users get just enough access to complete a task and nothing more, which strengthens security and supports regulatory compliance.
In my opinion, you’re wasting your time deploying PAM if you’re not putting it behind a multifactor authentication (MFA) system, which is one of the newest cybersecurity insurance requirements for both privileged and non-privileged accounts. MFA is considered a best practice for a reason. Requiring a second factor to be validated before granting access to critical systems and information acts as a roadblock to cybercriminals. Even if credentials are compromised, hackers will still be unable to break in.
Having this level of control has become particularly important for workflows that have been affected by the pandemic. These workflows now typically rely on remote access, significantly increasing the risk for those organizations that don’t have the right security in place.
Ultimately, if they want to get the best cyber insurance for their needs, HDOs have to prove to insurers that their data and systems are highly protected. They must demonstrate their ability to meet key access control and regulatory requirements by adequately protecting their critical accounts from unauthorized access.
Ransomware now accounts for 75% of all cyber insurance claims. But by creating and maintaining a strong risk profile with insurers, HDOs can minimize rising premium costs and drive the most value from their cyber insurance strategy.