In March 2016, Congress established a Cybersecurity Task Force with the directive to determine the state of cybersecurity within the healthcare industry. The task force published its findings in June of 2017, and they were not good. In summary, the findings reported that healthcare cybersecurity is in critical condition, citing a severe lack of security talent, legacy equipment, premature/over-connectivity, vulnerabilities impacting patient care, and known vulnerabilities endemic to medical devices. It should come as no surprise then that healthcare continually ranks as experiencing the highest number of data breaches and cyber-attacks year over year.
It is important to understand that the risk extends beyond hospitals, health systems, direct care physicians and health insurers, to all areas of healthcare as defined by the task force, including laboratories and pharmaceuticals, medical materials, healthcare IT, federal response offices, health plans/payors, and public health. Any organization within or related to healthcare is vulnerable.
Healthcare entities, like all businesses, are susceptible to a variety of cyber crimes. In early 2017 the WannaCry cyber-attack spread across the globe, impacting over 200,000 computers and causing billions of dollars in disruptions. Those affected included hospitals in the United Kingdom that had to cancel 19,000 appointments, costing over $120 million, plus an additional $94 million in subsequent cleanup and upgrades to IT. In January 2018 the U.S. Department of Health and Human Services Office of Civil Rights fined 21st Century Oncology $2.3 million for a 2015 data breach. This does not even include the 45 billion data records compromised so far this year, including personally identifiable information.
In order to use cyber insurance as a vehicle to mitigate financial loss, it is critical to understand not only your risks, but also how and when the coverage will respond. According to the National Association of Insurance Commissioners, as of 2016 over 500 insurers offered some form of cyber insurance, with 375 of those offering coverage as part of a package policy. The remaining 125 insurers offer stand-alone policies. It is important to understand that there is no standardization among these options regarding definitions, language, triggers, proactive risk management resources and post-breach response services. To further complicate matters, the nature of cyber crime is continuing to evolve with ever-changing attack vectors and methods.
Associated Benefits and Risk Consulting offers specialized expertise to assist employers in healthcare and other industries in evaluating cyber insurance options and making the right coverage decisions for their organizations. For more information about cyber risks and coverage, contact us.