Cyber insurance is a hot topic these days. Many healthcare organizations are adopting the use of electronic systems like electronic medical records to meet regulatory requirements, quick retrieval of stored data, processing and access to a wide range of information. These days, health facilities are using electronic systems for their day-to-day work and transmitting protected data to other locations heavily. This, coupled with the high value of data handled, results in an increase in the level of exposure to cyber attacks. Specifically, protected health information (PHI) of patients fetches large sums of money in the black market. Ransomware is a type of cyber attack that has been a growing problem for healthcare entities as well, where multiple organizations have paid ransom in order to get back access to their systems and data. A cyber attack can lead to loss of systems and information, disruption of procedures, and serious reputation risk. As risk of cyber attack keeps growing, so does the compelling need to take insurance cover against their cyber risks.
If a hospital has a cyber insurance policy, and there’s a breach, the policy may cover some of the expenses. Each organization should plan for cyber insurance depending on their specific Cybersecurity infrastructure and budget. Having cyber insurance does not preclude the organization from strengthening their security infrastructure, on the contrary, insurance companies may offer special discounts to companies who have invested well in their Cybersecurity and compliance infrastructure.
There are different kinds of insurance coverage and each insurance company may have different names, inclusions, exclusions and sublimits for the various types of liability coverages they offer.
Some of the types of available cyber insurance coverages include:
- Regulatory fines and penalties – offers insurance coverage for regulatory fines and penalties that could be huge.
- Business Interruption - Cyber attacks can be so damaging that the hospital may be unable to resume daily operations after the incident, for instance, damaged databases, inoperable life-support systems, or loss of networks.
- Credit monitoring – covers identity protection and credit monitoring costs for victims of a data breach.
- Forensics - covers costs involved in forensics investigation, gathering evidence, and resolution co-ordination.
- Litigation – offers some financial protection in the event of a lawsuit.
- Notification Expense – takes care of expenses involved with individual and government notifications, call center costs and advertisements.
Cyber Extortion coverage
Ransomware is a type of malicious attack in which a hacker gains access to an organization’s systems and data, and blocks all other access until ransom is paid. Ransomware attacks fall under 'Cyber Extortion'. A cyber insurance policy may or may not include cyber extortion – be sure to check for this. Often, an insurance policy may only cover ransom payment partially. Nevertheless, having a cyber insurance cover part of a ransomware attack may still be more beneficial than not having one at all.
What should healthcare firms look for when shopping for a cyber insurance policy?
Your insurance agent is most likely already working with one or more cyber insurance companies. When looking for a suitable insurance policy to cover your health organizations, here is what you should consider.
1. Read through the Insurance Agreement and ask these questions;
- When is the coverage triggered?
- When is notice to the insurers required?
- How are breach counsel and vendors selected?
- What requirements does insured company have to meet, to be eligible for payment of claims?
2. Are there exclusions/sub limits of the cover? Some examples are:
- Portable electronic device exclusions
- Intentional Acts Exclusion
- Terrorism Exclusions or Acts of God.
- Negligent Computer Security Exclusion
- Sub-limits
- Post-Breach Services
- Information maintained and stored by third parties
- Coverage for investigations and fines
- Breaches that may have happened before purchasing coverage, but discovered afterward.
We had an active discussion on this subject during an incident response workshop we conducted at a conference recently. View the video summarizing some parts of the discussion, below.
Cyber Insurance discussion at SF-ISSA incident response workshop 2017 from 24By7Security, Inc. on Vimeo.
Cyber insurance has a significant role to play in an organization's overall security strategy as a key risk mitigation component. It is crucial that healthcare organizations include funds for cyber insurance policies in their annual budget, setting aside a rainy day fund for cyber liability.
