Losing sleep over cyber security insurance? How to get the coverage your HDO needs.
Five key questions to ensure a strong risk profile with cyber security insurers and minimize the cost of skyrocketing premiums.
As if cyberattacks weren’t enough to keep CFOs awake at night, the corresponding “must-have” cyber insurance is now becoming increasingly difficult to obtain, renew, and maintain.
Why? Largely because cyber insurers generally consider healthcare organizations high risk, which has given them license to boost premiums, apply more stringent requirements, reduce coverage and, in some cases, even refuse coverage or cancel policies.
With attacks on the rise, HDOs remain among the hardest hit – and the highest risk
According to one government agency, over the past five years, the U.S. has experienced over 4,000 ransomware attacks per day. Others estimate that attacks occur once every eight minutes. And in 2020, these crimes cost global organizations a projected $20 billion – a 75% increase over the previous year.
And unfortunately, healthcare delivery organizations (HDOs) remain among the hardest hit. While they continue to improve the quality of care, they also often, unintentionally, expose key security vulnerabilities.
Yet, despite the statistics and urgent threat warnings, healthcare has been slow to implement the security strategies that insurers now require, which is why insurers label HDOs high-risk customers.
Higher premiums and increasingly stringent requirements
You are no doubt painfully aware that global cyber insurance rates have increased across all industry sectors by about 32% in the past year, and that one prominent insurer raised prices by almost 40% globally, with North America facing the largest increases. And mainly due to the sheer number of attacks healthcare endures, cyber insurance policies for HDOs can cost several times more than those of comparable enterprises in other industries.
Along with rapidly growing numbers of ransomware claims, the Council of Insurance Agents and Brokers (CIAB) cites poor risk management protocols and lack of employee training among the main causes of these dramatic cost increases. This means that implementing basic security controls such as password hygiene, patch management, employee training, and phishing simulations can significantly affect your organization’s risk profile.
According to Verizon’s 2021 Data Breach Incident Report, 61% of all breaches exploited credential data via brute force and credential-stuffing attacks. And since those credentials are tied to individual digital identities, enforcing the security of those identities has become paramount.
Indeed, several leading cyber insurance brokers now require documented evidence as well as a formal assessment of an organization’s identity and access management (IAM) strategy to measure the quality of an HDO environment’s risk management preparedness, processes, security controls and tools before determining whether their company will grant coverage.
Good password policies, single sign-on, multifactor authentication, identity governance and privileged access management: Meeting the new requirements for cybersecurity insurance
So how will you make sure your HDO qualifies for the coverage – all while serving your core mission of providing quality patient care?
Don’t let the flood of messages from cybersecurity vendors overwhelm you.
An effective and efficient architecture is actually well documented. In fact, NIST and H-ISAC lay it out very clearly. Core components include a good password policy, single sign-on (SSO), multifactor authentication (MFA), identity governance, and privileged access management (PAM), along with security information and event management (SIEM) and network monitoring and countermeasure tools. Multifactor authentication, for example, is one of the newest cybersecurity insurance requirements, covering both privileged and non-privileged accounts, and PAM is another key component.
Multifactor authentication is a best practice for a reason: if credentials are compromised and used by attackers to gain access to your critical systems and sensitive information, an MFA solution requires a second factor to be validated before access is granted. A strong deterrent for potential intruders, this security control is especially important for pandemic and post-pandemic workflows, which continue to rely heavily on remote access.
Deployed alongside SSO and PAM solutions, MFA is a powerful tool in your HDO’s security arsenal and a crucial element for proving to insurers that your data is highly secure and that you have successfully met key access control and regulatory requirements.
Next steps: Start by asking your IT and security teams five key questions
Review your current security posture and take the necessary steps to ensure your HDO satisfies the increasingly stringent requirements of the cyber insurance industry. Start by talking to your IT and security teams. You may find that many of these components are already in place. But for insurance companies, you will need solid, documented answers to the following questions:
- Is the goal of your IAM strategy to build a zero-trust architecture that guards against unwarranted access?
- Have you undergone a comprehensive digital identity maturity assessment to quantify exposure and modify your security strategy accordingly?
- Are you planning to implement MFA to strengthen access security and regulatory compliance?
- Do you benefit from a PAM solution that protects privileged accounts from unauthorized access?
- Are you confident in your password hygiene regimen, patch management plan, employee training program, and phishing simulation tests?
True, cyber insurers have responded to the growing number and severity of claims in healthcare by raising premiums, reducing – and refusing – coverage, and imposing tougher security guidelines and requirements. But you can avoid nightmares and minimize skyrocketing costs by ensuring that your HDO creates and maintains a strong risk profile with insurers.
At Imprivata, our team of experts can help you boost your security posture to make sure you get the cyber insurance coverage your HDO needs, so you can focus on what you do best – providing the highest quality patient care possible. Reach out today.