Huntress: Cyber Insurance, Risks and Pressures in Healthcare
The healthcare industry faces mounting cybersecurity challenges, with approximately 133 million data breaches reported in 2023 alone.
This surge in attacks has prompted cyber insurers to reassess their risk models and underwriting processes, leading to stricter requirements for healthcare organisations seeking coverage.
Christopher Henderson, Senior Director of Threat Ops at Huntress, a cybersecurity firm that supports internal and external IT teams, explains the unique nature of cyber insurance: "Fires aren't actively trying to find better ways to burn your house down.
"In cyber insurance, you're working against an adversary capable of developing and pivoting faster than a policy might expire."
Evolving insurance requirements
Cyber insurers are increasingly relying on threat intelligence from past breaches, incident response firms and both open-source and closed-source intelligence to update their risk models and identify effective controls.
Christopher notes: "Cyber insurers are looking to ensure that your IT help desk has written procedures and policies to dictate that the person calling to reset a password, set up multi-factor authentication and so on, is who they say they are."
These new requirements reflect the growing trend of breaches initiated through social engineering attacks on IT teams to gain administrative credentials.
Yet as threats evolve, Christopher anticipates even stricter insurance requirements: "We may start to see insurers eventually requiring third-party audits before securing a policy.
"I could also see cyber insurance underwriting moving to a maximum 6-month or even quarterly policy, in order to keep up with the pace of risk modelling and the speed of threat evolution."
Regulatory pressures and consolidation risks
The consolidation of healthcare providers is leading to a concentration of risk, prompting increased regulatory scrutiny.
Christopher explains: "As healthcare consolidates, risk consolidates, regulatory pressure is going to build around acquisition speed and the diligence of post-acquisition governance and security."
Healthcare organisations face unique challenges in implementing cybersecurity measures. "We need to realise that doctors and nurses are running around literally saving lives," Christopher emphasises.
"This really isn't a population that has the luxury of taking time to pay more attention to cybersecurity."
To address these challenges, healthcare providers will need to invest in robust platforms and personnel to strengthen their defences.
Rising costs and premium increases
The healthcare sector can expect cyber insurance premiums to continue rising due to the escalating threat landscape.
Christopher says: "We're playing catch up at all times and risk profiles, models and more are almost never in balance with the reality of the threat landscape.
"In those millions of healthcare data breaches last year, the cost clocked in at an average of around US$10.9m."
Cyber attacks are increasingly sophisticated, utilising techniques such as phishing and leveraging legitimate tools like remote monitoring and management software.
While cyber insurance cannot prevent attacks, it can provide crucial support in the aftermath.
Christopher explains: "Cyber insurance won't negate the damages done when an attack occurs, but it can supply things like an incident response provider, legal counsel or even ransomware negotiation."
For healthcare organisations seeking cyber insurance, the risk assessment portion of the underwriting process is just the beginning.
Christopher advises: "Healthcare organisations should look at cyber insurance as absolutely necessary - but do what they can to get ahead of the process through looking critically at the cost to implement controls, their risk level, compliance factors and of course, how consolidation is affecting their security."
Cyber Magazine is a BizClik brand