CyberVitals: Cybersecurity Insurance - Placebo or Painkiller?

Contributor: Vidya Murthy, WEMBA’42 


With the healthcare sector remaining a top target for cybercriminal activities, one of the emerging trends over the last few years has been around cybersecurity insurance. To be clear, I’m not a lawyer or an insurance specialist, but as an executive of a small business focused on medical device cybersecurity, I’ve certainly encountered this strategy and observed a few things.

Risk management experts agree that cybersecurity insurance can help, but the evolving landscape for both attackers and defenders, in conjunction with a lack of historical data for modeling, means both insurers and consumers are facing unpredictable risks.

What is cybersecurity insurance?

A relatively new product in the insurance market, cybersecurity insurance ‘...enables business to mitigate the risk of cybercrime activity…’. Similar to other insurance practices, the idea is to shield enterprises when an exploit or incident occurs with a root cause in cybersecurity.

What makes this different in healthcare?

A recent study from Ponemon noted that 57% of attacks experienced by healthcare provider organizations resulted in adverse impacts on patient care. This speaks directly to what the FDA has been citing for years - cybersecurity is patient safety.

Most healthcare systems were not initially designed to be connected. Devices started out as analog, then as software ‘became a thing,’ the potential for improved clinical experiences emerged. Suddenly a modicum of data standardization meant patient health information could be more easily shared across the value chain. From USB, to the Internet, to Bluetooth, and now mobile/app-based care, the adoption of connectivity has been quick.

The focus at every step, and justifiably so, was on enhancing the patient care experience. But this means we have built an ecosystem of connectivity without clear ownership of the increased burden that connectivity brings and the potential cybersecurity vulnerabilities it introduces.

One such case is a cybersecurity incident that compromises care delivery, so that patients are rerouted to other institutions during emergencies or procedures are canceled or delayed. Attacks can also leverage data: as of September 2022, a hospital in France has been battling hackers who are holding its data and releasing sensitive information on the dark web.

Is insurance a silver bullet?

No industry is immune from cybersecurity-related vulnerabilities, but the lack of historical data can make cybersecurity insurance in healthcare more expensive, because there is more uncertainty (not to mention that the constantly evolving threat landscape makes it difficult for insurers to assess risk). Pursuing cybersecurity insurance therefore becomes a cost-benefit analysis.

As the United States Government Accountability Office (GAO) notes in a report issued in May 2021, rates have significantly increased while coverage has diminished. The report further points out that the industry has not converged on a common lexicon - variability in terminology and definitions has resulted in presumed coverage being misaligned with what policies actually cover.

This hasn’t necessarily deterred companies from pursuing cybersecurity insurance, but the requirements to obtain coverage have changed. In particular, the diligence needed to meet coverage requirements has increased and is constantly evolving. That isn’t a bad thing – insurance can certainly play a role as part of a multi-layered security strategy. However, it would be naïve to assume that insurance, and the criteria required to obtain it, are sufficient to build a defensive strategy that will hold up against an evolving threat landscape.

How to build a strategy around cybersecurity insurance?

Starting with the basics, every organization should have an executive who owns the decision on mitigating cybersecurity risk, and, with that, accountability for the decision on pursuing insurance coverage or not. While the CEO is ultimately accountable, there will be a variety of inputs to that decision - requiring cross-functional coordination and collaboration.

When determining the level of coverage, or even whether to pursue coverage at all, cybersecurity frequently falls victim to the “show me what could have happened” narrative, i.e., $x has been spent on building security, but there have been no incidents to prove it worked. There are moments when cybersecurity spend will directly correlate to top-line revenue. But proving that the defenses are the reason the incidents never occurred is a difficult task and can muddy the business case for cybersecurity.

In deciding whether to pursue coverage, it’s important to assess whether the provider understands your niche of healthcare and the related risks. Between HIPAA, GDPR, and FDA expectations, the variability of impact on your specific business can be massive. But if that impact can be clearly defined because of the constraints of the existing regulatory environment, perhaps the scope of exposure can be sufficiently defined as well.

Ultimately, healthcare has been suffering through a global pandemic, and cybersecurity is likely the next pandemic. Comprehensive and sustainable security strategies include prevention and mitigation spanning technology, people, and processes.
