Every healthcare executive knows by now that cybercriminals have been focusing their nefarious attacks on the healthcare industry for some time. When they successfully strike a provider organization, the results can be disastrous.
This is why many healthcare organizations invest in cyber insurance.
Think of cyber insurance like car insurance. When something bad happens, insurance is used to offset the cost of fixing the damage and getting you back on the road quickly.
Cyber insurance can be critical for healthcare organizations as efforts to recover quickly from security incidents are a must in order to avoid severe impacts on the ability to diagnose and treat patients. Cyber insurance provides the impacted organizations with the necessary resources to recover to normal operations quickly.
To offer readers a deeper look into cyber insurance, Healthcare IT News sat down with John Fowler, deputy information security officer at the prestigious Henry Ford Health System in Detroit, for an enlightening interview.
Q: How do you determine how much cyber insurance coverage is enough?
A: That is a thoughtful question that CISOs and CIOs should not consider alone. As a first step, engaging board and C-suite members in discussions on risk tolerance and priorities is necessary. One of the most common approaches to determining the amount of cyber insurance coverage necessary is to divide annual revenue by 365 (days in a year) and multiply that amount by the number of expected days to recover.
Unfortunately, this is not an entirely accurate equation, when factoring in: ever-increasing extortion demands for ransomware infections, breach response and notifications costs, civil and regulatory fines, and other expenses. Regardless, quantifying cyber risk is essential to ensure that your organization is not under-insured.
Q: Why do cyber insurers want to know about a healthcare organization’s cybersecurity program before approving a policy?
A: Annually, insurers will ask extensive questions about organizational cybersecurity programs in order to assess your organizational risk posture and to set premiums. Insurers will inquire about everything from board and C-suite involvement to employee engagement, from cybersecurity frameworks to maturity of processes, from security technology to access controls, and current and past security incidents.
The cyber insurance industry is still young, and actuarial tables are relatively immature in this space. In theory, the more mature your cybersecurity program, the lower your rates.
However, due to ransomware and the significant number of payouts due to breaches occurring in the last year, premiums are increasing, regardless. That’s not to suggest continually improving your cybersecurity maturity isn’t valuable, because any improvement will help to keep the increases to a minimum.
Just remember, the safer you drive, the better rates you will get.
Q: Will cyber insurance pay for ransom in the case of a successful ransomware attack? Why or why not? If not, what should a healthcare CISO and CIO do?
A: Yes, it will pay. Cyber insurance can include provisions to pay extortion due to ransomware infections. As the insurer assesses your organization’s risk posture, don’t be surprised if there are additional questions related to your defense posture specific to ransomware defense.
The FBI has long stated that paying ransom is not recommended. While the “pay or not to pay” debate continues, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) added a new wrinkle to the debate on October 1, 2020, when it released a warning against organizations paying ransom to entities who are on the Specially Designated Nationals and Blocked Persons List.
This now means that in addition to paying a ransom, your organization also could have significant civil penalties levied, too. It will be important to discuss with your insurer if your policy covers reimbursement for ransom paid to entities who are on the OFAC sanction list.
Healthcare CISOs and CIOs should consider adding cyber-breach insurance discussions to their security tabletop readiness scenarios to determine if, how and when to engage insurers.
Prior to a security incident, healthcare organizations should ensure that incident-response retainer contracts and business associate agreements (required by HIPAA) are in place with vendors that may provide incident response and recovery efforts. Working through contractual arrangements is the last thing you want to do during a crisis.
Cyber insurance is not a policy to set on the shelf and only [to] use when needed. To be effective, it needs to be understood and managed by CISOs and CIOs who seek to manage risk.