Understanding Cyber Insurance in Healthcare

Every business should have one or more types of insurance policies to protect it from certain issues or accidents. A type of insurance still relatively new to the healthcare marketplace is cyber insurance. Since it is an immature product in many aspects, there can be a lot of confusion as to what a business should consider when evaluating the need for cyber insurance. It is rare that general liability or umbrella policies extend to the special circumstances caused by a cyberattack. The record number of ransomware attacks in 2018 and 2019 and their crippling impact on small to medium-sized businesses and state and local government agencies is rapidly making cyber insurance a must-have.

According to the National Association of Insurance Commissioners, the premiums paid for cyber insurance policies in 2018 were approximately $2 billion. As with other insurance policies, it is important to know the coverage options. Work with your risk management or insurance provider to be sure you have adequate coverage. They can help you avoid buying coverage that you do not need.

The following information was obtained from the Federal Trade Commission (FTC) and the Department of Homeland Security. There are two main types of cyber insurance: first-party and third-party. They cover very different aspects of a cyber incident.

First-party insurance covers direct losses your business incurs from a cyberattack, such as data theft, denial of service, or ransomware. It covers the business’s own costs from the incident, such as notifying patients and providing them with credit monitoring services, which is becoming a common state law requirement. It can also help cover the cost of specialized technical services like data recovery and repair.

Third-party insurance covers damages that others, like patients or customers, might have because of the attack, penalties required by law, or costs related to litigation. This is a type of coverage you may also want to ensure your vendors carry if they handle any of your practice’s sensitive business information or patient data.

Healthcare cyber insurance can provide a certain level of protection, but it should not be used as a substitute for proper security controls or for incident response, business continuity, and disaster recovery plans. It is common for cyber insurance policies to exclude cyber-related incidents that could have been prevented by a standard security measure, such as having a firewall in place. If an employee maliciously mishandles patient information or network credentials and this leads to a cyberattack, the incident may not be covered under this type of policy.

For more information, you can review the checklist provided by the FTC on its website (www.ftc.gov): Tips & Advice > Business Center > Protecting Small Businesses > Cybersecurity > Cyber Insurance and talk with your risk management or insurance provider.