As the threat of cyberattacks continues to pose daily threats to businesses large and small, more companies have turned to cyber insurance products to shore up protection against these disruptive threats. A spate of recent incidents has highlighted the importance of taking steps to prepare for and mitigate possible damages. As such, healthcare entities have begun exploring Cyberinsurance as a method of aiding in better securing company data, as well as financial security.
Cyberattacks may take several different forms and inflict various types of damages. Most commonly, hackers have managed to access consumer private information or protected health information (PHI) from companies. National retailers have recently been victimized by massive customer data breaches. Similarly, the health care sector has seen several entities fall victim to this type of cyberattack.
Ransomware, wherein hackers implant a virus/malware into an entity’s network blocking access to patient information, has begun to occur with more frequency as well. Hackers then demand a ransom payment in order to remove the virus/malware from company systems. MedStar Health, a 10-hospital system in the Maryland region, as well as Hollywood Presbyterian Medical Center, in California, both recently had to contend with Ransomware attacks.
In an alarming trend, hacker cyberattacks have spread to more than just data theft or ransomware. Johnson & Johnson recently issued a warning to users of an insulin pump that the device may be vulnerable to cybersecurity attacks. Horrifically, such attacks could result in a hacker infusing incorrect doses of the diabetes medications without the user’s consent, furthering an alarming trend of thousands of medical devices—dialysis machines, ventilators, medication dispensers, and patient monitors—being susceptible to data/privacy breaches, unauthorized access, and potentially life-threatening malfunctions.
Cybersecurity threats have become a nefarious fact of life for those in the healthcare industry. While no amount of security or diligence can completely eliminate the threats, the industry must work to manage the threats and mitigate their risks. Cyberinsurance is one option for these entities. Cyberinsurance policies are often packaged with risk monitoring and management programs and certain other benefits, such as security risk assessments and access to data breach response experts, to assist in shoring up an entity’s exposure. These resources are especially valuable for small to mid-size companies, which might lack the internal capabilities to prepare for and protect against the attacks.
Cyberinsurance policies are relatively new, so companies must conduct thorough due diligence and carefully select products that address specific business and insurance needs. Below is a sample list of considerations for selecting cyberinsurance policies:
- Determine desired scope of coverage—a broad policy might cover both data or access breach incidents and business interruption.
- Ensure policy matches size, business model, and potential exposure, including retroactive dates if necessary.
- Minimize gaps between specialty cyber policies and traditional lines of coverage, including commercial general liability and directors and officers insurance.
For any questions about this blog, please contact the authors.