The disastrous ransomware attacks on Change Healthcare and Ascension this year ran up staggering costs and put a spotlight on the healthcare sector’s vulnerability.
But healthcare orgs are hardly new to eye-popping bills after a major hack. Analyzing attacks on organizations in 16 countries, IBM/Ponemon Institute has shown healthcare to be the industry with the highest cost per data breach for over a decade, coming in at an average hit of $10.93 million in 2023.
One way healthcare orgs can offset their losses is by purchasing cyber insurance—but underwriters are requiring them to up their cybersecurity game, experts told Healthcare Brew, and they’re growing wary of risks in the sector.
Get me a policy—stat!
Back in 2017, roughly 30% of hospitals had cyber insurance—compared to 90% of finance orgs—according to research conducted by Soumitra Bhuyan, an associate professor at Rutgers University’s Bloustein School of Planning and Public Policy. A separate survey commissioned by security firm Sophos in 2022 found that 78% of healthcare organizations had cyber insurance in place.
“Surely, [the] rising number of cyberattacks and data breaches in the healthcare sector is pushing healthcare organizations to purchase cyber insurance,” Bhuyan told Healthcare Brew via email. “However, the threshold to qualify to purchase this insurance protection is going up and policies [are] becoming more and more complex.”
According to Stephanie Snyder Frenier, SVP of insurance brokerage CAC Specialty’s professional and cyber solutions practice, insurance underwriters have become more concerned about minimum security controls at healthcare organizations.
“Underwriters have a lot of concern around hospitals and healthcare because the type of information they’re holding on to is protected health information,” she told IT Brew. “It’s subject to HIPAA [privacy laws].”
The US Department of Health and Human Services’ Office for Civil Rights issues millions of dollars in fines annually over breaches of protected health information, which the agency says also cost far more than other breaches to resolve.
Another issue is that healthcare organizations, and hospitals in particular, generally can’t afford interruptions to operational uptime. The combination of these two factors makes hospitals a “bull’s-eye for threat actors,” Snyder Frenier added.
Additional risk factors, Bhuyan pointed out, include the difficulty of controlling physical access to equipment in a hospital setting and the age of the equipment itself. In late 2023, a warning from the Government Accountability Office emphasized that while there’s little evidence that attacks on healthcare orgs via medical devices are common, a widespread lack of preparedness and the possibility of patient harm indicated the issue requires “significant attention.”
Premiums plateau…for now
The good news, Snyder Frenier said, is that cyber insurance remains a competitive market—in her experience, the cost of a policy premium has been flat to down 5% on a year-over-year basis. However, more robust underwriting processes mean rates can vary widely between organizations with differing levels of preparedness.
Underwriters are likely going to be looking for “robust risk management practices, including regular security audits, employee training and awareness, and incident response planning,” Bhuyan wrote in an email.
The other big factor in pricing is size. Small business research firm AdvisorSmith found premiums for organizations with an annual revenue of $1 million and a $10,000 deductible ran between $650 and $2,357 per year in 2021, though those numbers predate major spikes in rates in late 2021 and early 2022.
Prognosis hazy
While insurance rates plateaued in 2023, industry experts told cybersecurity news site Dark Reading that premiums are likely to begin rising within the next two years due to the increase in claims. Omid Rahmani, associate director of US public finance at credit rating agency Fitch Ratings, recently told Axios that individual health systems are still often hit with major increases and coverage is now “unaffordable or frankly unavailable for a lot of small- to medium-sized issuers.”
According to Snyder Frenier, near-term factors that will shape the insurance market for healthcare operators include the growing awareness of single points of failure, or parts that can disable an entire system if they fail. The attacks on both Change and Ascension had rippling consequences—such as disruption of billing and diverted patients—showing how the effects of one incident can quickly spread across the industry.
“There hasn’t been, at this point, a very thorough analysis of single points of failure that sit within an industry segment,” Snyder Frenier said. “Be aware where you have critical dependencies within your IT supply chain to make sure you have redundancies built in.”
Bhuyan warned that the rise in breaches should be a wake-up call.
“Many healthcare systems still see cybersecurity [as] more like a cost center, not like a long-term investment,” Bhuyan said. “They want to wait until something bad happens to react.”