As count of cyberattacks swells, healthcare orgs seek extra insurance against losses

Increased awareness of danger from hackers has propelled demand for cyber ransom liability insurance, expert says.

Jessica Davis, Associate Editor

Over the last few years, the healthcare industry has had its consciousness raised over hacking and cybercriminals, as cybersecurity has been thrust into the spotlight – especially with the recent surge in ransomware attacks, according to Paula E. Litt, a partner with and the leader of the insurance recovery and advisory practice group at Honigman Business Law Firm.

And with this increased awareness, cyber ransom liability insurance has really taken off, Litt said.

Cyber ransom liability insurance is a developing area, with no standard form for the insurance on the market. Litt explained that because of this, "it's an area where the purchaser has to be a good consumer and understand the needs of their company."

Companies need to ensure they understand the coverage they're getting – including coverage dates. According to Litt, especially in cases of ransomware, many organizations discover an insurance policy doesn't cover that type of cyber breach.

She went on to say that all policies have a limit – both monetarily and often within a specified timeframe – and it's up to the insured to completely understand their policy.

"Cyber ransom liability insurance is to protect the victim of a crime," Litt said. "But there are all different components within a cyber-policy. Everyone is at risk for a cyberattack, and organizations need to figure out the risk and what kind of coverage they need."

"If you're the insured, you want it to cover all of the incurred costs due to the breach – including third-parties," she added. "It's critical we understand the risk. We need to build in protection for undetected problems that happened before the policy went into place. It's a big issue in cyber insurance – and a big issue for the insured."

And as the industry matures, there are many risks for organizations to consider when purchasing a policy, according to Linda S. Ross, a partner with and leader of the health care practice group at Honigman Business Law Firm. Among them, she listed failing to meet a standard of care and even malpractice claims when ransomware forces a return to paper.

There's also the HIPAA component, with respect to the integrity of data and security of an EHR, she added. And more obviously, breaches put patients at risk for identity theft.

Healthcare organizations need to educate employees on risks as well as simple prevention methods. "You can taint a whole network with just one e-mail," Ross said. "When a breach occurs, it's already too late for insurance."

"Hospitals are at the mercy of criminals. If someone wants to get into your system, they can," Ross said. "But not every cyber ransom liability insurance policy includes ransomware. I think insurance companies don't want to pay claims. And those with insurance, they think they're covered, but when you get into the nitty gritty, sometimes organizations are surprised. Read your policy, know what it covers and make sure it covers your business needs."

This article first appeared in Healthcare IT News.

Twitter: @JessiefDavis