REAL ECONOMY BLOG | January 05, 2023
Authored by RSM US LLP
For more information, contact Patrick Rost, CISSP at firstname.lastname@example.org.
Over the past decade, cybersecurity breaches in health care have become more pervasive and costly, and the nature of the attacks has changed. And while cyber insurance could be a way to protect organizations from these costly threats, there’s much to consider about this coverage.
At one time cyberattacks were external, penetrating IT firewalls and stealing information. Today hackers are more advanced, disguising ransomware attacks that are activated from the inside by an employee accidentally opening the wrong email or clicking on the wrong link, often referred to as a phishing attack.
Many health care organizations struggle to defend against such phishing attacks, since nearly any employee with an email address can be a potential fraud vector. In 2020, the proportion of attacks at health care entities perpetrated by phishing increased to 69% of total attacks, a dramatic increase from 12% in 2014, according to the U.S. Department of Health and Human Services.
Much of this threat growth comes as health care providers embrace the pandemic-era realities of virtual care and remote work, digital advances that provide improved outreach to patients, but can also expose organizational cyber vulnerabilities. And these attacks can cost organizations significantly. In 2020, a health care data breach cost $7.13 million on average, surpassing the average cost of breaches in 17 other leading industries worldwide.
Insurance helps, but know your policy
To help mitigate the financial impact of cyberattacks, many organizations can purchase cyber liability insurance. These policies can cover expenses related to a patient data breach at a doctor’s office, for example, and cover expenses related to data security fixes, data breach notifications, cyber extortion demands and public relations.
Small businesses can benefit from cyber liability insurance and protection from cyber threats just as much as large businesses. While much of the news you hear about cyberattacks and data breaches most likely involves security lapses at large corporations, the reality is that small businesses are just as much at risk, if not more vulnerable.
According to Advisor Smith’s small business survey, 42% of small businesses experienced a cyberattack in 2021, and 69% of small businesses were concerned about being attacked in the next 12 months.
As cyberattacks have increased, so has the cost of insurance premiums. The average cost of cyber insurance has risen by 80% since 2020. Insurers are becoming stricter with their policy requirements, and it’s important for an organization to understand what is in a policy and what protocols are being implemented to meet these guidelines.
As a result of policy options and complexity, many health care providers may not clearly understand what is or is not covered by their current policy. Organizations may work hard to comply with underwriting requirements and pay the premiums only to discover, often after a breach has occurred, that their policy does not cover the cyber incident due to policy exclusions related to property type or attack occurrence. Restriction of coverage can be prevented with strong controls, including multifactor authentication, endpoint detection and proper backups, but organizations must be mindful that these fortifying measures complement policy coverage rather than replace it.
As more service delivery options become available in the health care industry, organizations need to continue strengthening their day-to-day cybersecurity protocols.
In addition, an assessment of current cyber insurance and a full understanding of coverage is essential. Organizations cannot afford to be hacked or lose patient trust.
A culture of cybersecurity, where staff members view themselves as defenders of patients and their data, will have a tremendous impact in mitigating cyber risk to the organization and to patients.
For more on this topic, download RSM’s cybersecurity special report.
Contributor: Paul Fountain, SPR ePHI National Health Care Director, RSM US LLP
This article was written by Michael Haas, Matt Wolf and originally appeared on 2023-01-05.
2022 RSM US LLP. All rights reserved.
For more information, contact Patrick M. Rost, CISSP, CMMC-AB RP.
Patrick assists clients with improving their cyber security from a technical perspective. With nearly 10 years of information technology experience in a variety of industries, he is well-suited to assist clients in implementing, maintaining and protecting their computer networking environments.