When the organization accomplishes milestones such as HITRUST certification, he says, that information is shared with the insurance provider and becomes part of how UPMC’s premiums are calculated.
“Over the past few years especially, I’ve seen them ask more detailed questions about what we’re doing in specific areas, including encryption and certifications. They’re asking for a lot of information to help them process and assess our risk profile,” he says. “And obviously, premiums have gone up.”
Positioning Healthcare Organizations for Cyber Insurance
Carmody says preparing for cyber insurance starts with IT leaders ensuring strong tech hygiene and being able to demonstrate defensive capabilities through certifications including HITRUST and SOC 2.
“Organizations should also consider an independent third party that can assess and evaluate the risks and contribute to positioning the organization to get cyber insurance,” he says.
Alla Valente, a senior analyst at Forrester serving security and risk professionals, notes that healthcare organizations must increase their investment in cybersecurity and risk management to ensure they are well positioned when applying for cyber insurance.
“For a long time, healthcare organizations have focused on compliance, specifically HIPAA compliance,” she says. “What we know now, since the pandemic and since the increase in cyberattacks specifically targeting healthcare, is that you can be fully compliant and still have a lot of cyber risk exposure.”
Valente cautions that organizations can’t rest on being HIPAA compliant; they must start looking at how they are securing their technology and infrastructure and how they are working with third parties.
“Are they doing the type of segmentation where third parties get access only to whatever it is they need to deliver on that project, or are there back doors that might give them access to something far greater?” she asks.
Carmody explains that UPMC has a chief risk officer who helps evaluate some components from the risk perspective.
“If you’re starting out fresh, talk to many different cybersecurity insurance providers, because they are all slightly different,” Carmody says. “Paying attention to those coverage details is important before you sign up, because you might not get the right coverage you need for your organization.”
The Benefits of Cyber Insurance Outweigh the Costs
Daniel Klein, chief business officer for Cynet, says it’s hard to make an argument against cyber insurance, considering the $10 million average cost of a breach for healthcare organizations.
“An immediate knock-on benefit of getting a cyber insurance policy is that the organization’s security posture will be improved to meet the insurer’s requirements,” he says. “Yes, this may mean investing in additional security personnel and better tools, but overall risk will be reduced as a result.”
He concedes that policy costs are a significant consideration, but he says the good news for healthcare organizations is that cyber insurance capacity has increased over the past 12 to 18 months, so they should have more options when shopping for a policy.
“Clearly, it benefits the industry if more organizations can afford insurance, so insurers and brokers are also offering useful guidance,” Klein says.
These efforts include publishing information and participating in events aimed at educating prospective clients about improving their security posture and obtaining lower premiums.
“If an organization is pursuing cyber insurance for the first time, it may be worth working with a qualified broker or other expert who can provide an honest assessment of the current security posture to identify any gaps,” he adds.
Valente also notes that some cyber insurance firms are partnering with attorneys and incident response specialists to help with auditing and to provide additional services for healthcare organizations.
“Being part of that collective network allows you to take advantage of all of these other professionals you might need when you’re dealing with a breach,” she says.