Healthcare organizations continue to find themselves at the forefront of cyber risk. Exposures such as IT supply chain dependencies, website tracking litigation, ransomware attacks, new security regulations, and data breach class actions can put healthcare organizations of all sizes at higher risk of cyber insurance claims. Understanding the trends in cyberattacks and the evolving regulatory and litigation environment is important to building resilience and maximizing insurance coverage.
Supply Chain Dependencies
The February 2024 breach of a healthcare technology provider had a major impact on almost every touchpoint in the healthcare industry, including healthcare providers, pharmacies, pharmaceutical companies, insurance companies, and patients. This attack demonstrated the IT supply chain exposure of the healthcare industry and the considerations healthcare companies should weigh when engaging IT vendors and assessing operational dependencies.
Website Tracking Litigation
Website tracking is the use of code such as pixels, cookies, or scripts to capture data about how users interact with a website. Website tracking litigation is not the result of new regulations; rather, the plaintiffs' bar is applying existing laws that were enacted without today's technology in mind, such as the California Invasion of Privacy Act of 1967, the Federal Wiretap Act of 1968, and the Video Privacy Protection Act of 1988. These laws carry statutory penalties ranging from $250 to $10,000 per violation. Healthcare organizations tend to be a more frequent target of website tracking litigation than other industries.
Ransomware
Healthcare organizations continue to be key targets for ransomware threat actors. According to Comparitech, in 2024 there were 118 confirmed ransomware attacks and 147 unconfirmed ransomware attacks on the US health sector, resulting in an average of 18 days of downtime. The healthcare industry tends to be targeted by ransomware threat actors given the massive amount of health and financial data it processes and the critical need for operational uptime to support patients. On average, US healthcare providers lose $1.9 million per day in downtime caused by ransomware attacks. Improved cybersecurity controls have led to fewer ransom payments, but the disruption caused by ransomware attacks remains significant.
New security regulations
In December 2024, the U.S. Department of Health and Human Services announced a proposed update to the HIPAA Security Rule under which healthcare organizations would have to implement additional security controls such as multifactor authentication (MFA), data encryption, vulnerability remediation, network segmentation, asset inventory, and proactive security testing. The proposed rule has not yet been finalized and its fate now rests with the new federal administration. Various states also require healthcare providers to report breaches within a specific period and to improve cybersecurity management.
Data Breach Class Actions
Data breaches continue to affect healthcare providers. According to the HIPAA Journal, there were 13 data breaches in 2024 that each involved over 1 million healthcare records. Of these, 11 resulted from cyberattacks on organizations, eight of which were attacks on business associates of HIPAA-regulated entities. In many cases, a ransomware attack is not only a disruption of service but also the basis for a HIPAA-reportable data breach, which in turn usually results in costly class action lawsuits.
With this challenging risk environment, how can healthcare organizations build cyber insurance to address the evolving claims environment? Insurance buyers should pay attention to:
Are limits appropriate for the risk exposure? Many healthcare institutions reduced their limits while continuing to grow revenue during the hard cyber insurance market of 2020 to 2022. When market conditions improved, only about half of these buyers increased their limits.

What is the scope of dependent/contingent business interruption coverage? Indemnification for dependent/contingent business interruption may include compensation for lost net profit and the extra expense associated with a disruption at a vendor the insured relies on, caused by a security breach or technology failure. Many policies require the insured to have a written agreement with the vendor for this coverage to apply; however, coverage may be available or can be expanded to remove the contract requirement.

Is coverage affirmed for website tracking and the related collection of data? Many policies exclude claims arising from this "wrongful collection" exposure or limit coverage to defense costs alone. Carriers have begun underwriting this exposure, and full coverage may be available if controls are appropriate.
It is important to work with a broker that has cyber insurance expertise and a consultative approach. The devil is in the details of cyber coverage. Healthcare organizations need to quantify their potential losses, understand the nuances of the coverage available across the market, and partner with brokers who can bring data and analytics to advocate on their behalf during the claims settlement process.
The prognosis for healthcare institutions that take these considerations into account is favorable, and such organizations are better positioned to maximize the value of their cyber insurance.