No industry is exempt from the nefarious impact of cyber-attacks. This is especially true for healthcare providers, who are consistently targeted with cyber-attacks such as ransomware, designed to disrupt and overtake their critical systems, networks, data and medical devices.
Cybersecurity insurance is a must for healthcare organizations, designed to be drawn on in the event that a cyber-attack succeeds. However, while cybersecurity insurance remains necessary in the event of a disaster, premiums have become increasingly less affordable as cyber-attacks continue to rise. For public healthcare providers and nonprofits that may not have the funding to support such premiums, this is a concerning and ongoing challenge. By engaging external vendors to help implement or improve their security countermeasures and controls, healthcare organizations can alleviate some of this challenge, ultimately leading to better insurance coverage and more affordable premiums.
Healthcare Focused Cyber-Attacks
For the last eleven years, the cost of data breaches in the healthcare industry has surpassed that of all other verticals, averaging over $9 million per breach.
A recent report by the FBI’s Cyber Division described increased vulnerabilities in healthcare facilities, specifically in unprotected data and medical devices, including the outdated software those devices may rely or run on. Ransomware operators in particular look to exploit these vulnerabilities. If successful, these attacks significantly impact operational capabilities, risk exposing confidential data, and, most severely, may impact patient safety.
“Malign actors who compromise these devices,” the report states, “can direct them to give inaccurate readings, administer drug overdoses, or otherwise endanger patient health.”
How should healthcare organizations protect themselves, especially considering the current everyday resource constraints that healthcare nonprofits and public healthcare facilities face?
It’s vital that organizations consistently improve upon, or implement new, security policies, processes and security-related technologies. This includes proactive plans and processes for reviewing and remediating vulnerabilities, as well as for responding to incidents (incident response). At a minimum, the FBI recommends healthcare providers invest in their cybersecurity defenses, including:
- Endpoint Protection
- Identity and Access Management
- Asset Management
- Vulnerability Management
Strengthening these critical areas helps protect organizations from the onslaught of cyber-attacks; without them, organizations would be exceptionally vulnerable due to under-protected medical technology, the internet of medical things (IoMT), and outdated software. Unfortunately, even with these protections in place, it only takes one weak point for cyber criminals to exploit.
Cost of Cybersecurity Insurance
There’s no way around it – cybersecurity insurance is an absolute necessity to mitigate the potentially crippling financial burden of a cyber-attack. However, as cyber-attacks continue to rise, the cybersecurity insurance coverage packages offered have gotten smaller, all while becoming more and more expensive for organizations to procure. According to insurance brokerage Marsh & McLennan, cybersecurity insurance rates in the U.S. increased by 79% in 2022 as compared to the previous year. While cybersecurity insurance payouts may increase, underwriting standards have become more stringent, with monthly premiums climbing steeply and overall coverage packages noticeably smaller. This has put many organizations, particularly cash-strapped public or nonprofit healthcare entities, in the uncomfortable position of not receiving appropriate coverage or not being able to afford it.
Alleviating Risks while Reducing Costs
Cybersecurity insurance has proven to be more affordable for entities that also improve their cybersecurity posture – not dissimilar to the way defensive driving courses help lower car insurance premiums. By enhancing their cybersecurity posture, organizations can lower their risk levels and meet insurers’ tightened qualifying requirements at a lower cost. The time and resources associated with improving an organization’s cybersecurity are far less than the potential time and cost of paying a ransom or mitigating other potentially catastrophic attacks. When organizations have appropriate cybersecurity measures and insurance in place, they are protected against the most detrimental risks of suffering a cyber-attack.
How Can QED National Help?
QED National has provided cybersecurity services to healthcare organizations and similar entities for over 30 years. These services include helping organizations both assess and remediate security concerns (such as those raised by insurance providers), as well as address specific security risks for applications, systems, networks, data and medical devices. QED National also provides design and implementation services for security controls including, but not limited to, Endpoint Protection, Identity and Access Management, Vulnerability Scanning, Data Protection and Cloud Security.
Our comprehensive approach best prepares and supports our clients to both prevent and respond to cyber threats, all while ensuring they are well-positioned to address insurance provider concerns and comply with applicable laws, regulations, and best practices. This approach ultimately ensures our customers obtain the highest levels of insurance coverage at the most reasonable premiums offered.