With cyber threats constantly evolving and increasing, particularly in the healthcare sector, investing in cybersecurity controls and cyber insurance has never been more critical.

I recently hosted a Fortified Health Security webinar outlining the rising cost of cyber insurance, the steps organizations can take to bolster their cybersecurity posture, and methods to lower the cost of cyber insurance premiums.  

The Rising Cost of Cyber Insurance  

Before discussing how to lower premiums, it’s important to understand why and how cyber insurance costs continue to rise.  

Increase in Cyber Attacks  

According to HIPAA Journal Breach Statistics, as well as OCR data detailed in our most recent Horizon Report, cyber-attacks have steadily risen since 2018, with healthcare providers being the largest targeted group. Healthcare providers are particularly vulnerable due to the sensitive patient data hackers can gain with a successful cyber-attack, further emphasizing the importance of investing in cybersecurity to protect patient privacy. 

Higher Claim Costs 

As cybersecurity risks continue rising, the cost of managing a cyber-attack also increases. That’s because cyber incidents involve more than financial loss, including: 

  • Data breach response costs: The cost of forensics investigations, recovery operations, and notification delivery 
  • Business interruption reimbursement: The loss of income due to system downtime caused by a cyber-attack
  • Ransomware and extortion payment coverage: The costs of ransomware, extortion payments, negotiation of extortion payments, data recovery, and system restoration to restore lost or corrupted data
  • Public Relations and Reputation Management coverage: The cost of professional crisis management during an incident to rebuild trust  

Stricter Regulatory Costs 

Governments enforce stricter data protection laws, increasing liability and raising insurance costs for healthcare organizations. Insurers adjust pricing to cover escalating risks. More overhead for insurers means higher premiums for you.  

Lawrence General Hospital: Case Study 

In 2020, the now-infamous SolarWinds cyber-attack impacted one of Fortified Health Security’s clients, Lawrence General Hospital. The incident highlighted the gaps in the hospital’s cybersecurity and the impact a cyber-attack can have on productivity and financial resources.

Lawrence General partnered with Fortified Health Security to develop and expand its cybersecurity program, where Fortified’s Central Command Platform became the cornerstone of their expansion, providing:  

  • Immediate incident response and remediation efforts, including real-time alerts, reporting, and the ability to act using mobile devices 
  • A security incident and event monitoring solution 
  • Visibility into new system-hardening processes
  • Pen testing, patching programs, incident response tables, and tabletop exercise implementation 

Following the cyber-attack, Lawrence General faced significant increases in cyber insurance costs. Fortified and Lawrence General worked with the provider to demonstrate the proactive investments they made in their cybersecurity programs to lower premiums. These efforts resulted in a 15% reduction in their cyber insurance premiums and better coverage.  

5 Security Controls to Reduce Cyber Insurance Costs 

While every healthcare organization is different, and security controls vary based on your risk profile, these five measures are an excellent starting point for fortifying your cybersecurity program and achieving lower cyber insurance premiums.  

Multifactor Authentication (MFA) 

Organizations handling protected data can utilize MFA to prevent unauthorized access, mitigate risk from weakened passwords, defend employees from phishing and social engineering, and potentially reduce the impact of ransomware and insider threats. Many insurers require MFA for coverage, making it a great place to start strengthening your organization’s cybersecurity program.

Endpoint Detection & Response Solutions (EDR) 

The faster threats are identified, the faster they can be mitigated, making EDR solutions a critical piece of an organization’s cybersecurity program. EDR solutions reduce risk by enhancing visibility, enabling rapid threat detection, automating responses, and minimizing the impact of security incidents. A strong EDR solution also logs detailed historical data about security incidents, helping security teams understand how attacks occurred and protect against future incidents.  

Regular Security Assessments 

Healthcare organizations should conduct frequent security assessments to validate cybersecurity controls. Security assessments like pen tests, vulnerability scans, and patch management not only ensure compliance but also enable you to examine your organization’s risk and identify potential vulnerabilities. Once these vulnerabilities are determined, you can better protect your organization and its patient data from an attack.  

Incident Response Planning 

Human error is the leading cause of cyber incidents, making ongoing employee training an integral part of every organization’s cybersecurity program. Conducting tabletop exercises and simulations and implementing cyber awareness programs ensures that all employees, from senior leadership to frontline workers, are prepared if an incident occurs.

Third-Party Risk Management (TPRM) 

Third parties introduce a new area of risk to organizations, which is why it is crucial to consider how and where a third-party breach would impact your organization. Organizations can start by: 

  • Identifying and mitigating third-party supply chain vulnerabilities  
  • Ensuring third parties comply with security and regulatory standards 
  • Reducing incident response and business continuity risk 

Strengthen Your Healthcare Organization’s Cybersecurity and Lower Cyber Insurance Costs 

By proactively improving cybersecurity defense, organizations can lower cyber insurance premiums, secure better coverage, reduce overall cyber risk, and ensure the safety and care of patients.  

For more information about enhancing your cybersecurity posture and lowering cyber insurance premiums, contact Fortified Health Security today.