Huntress: Data Protection & Cyber Insurance in Healthcare

Cyber insurance and the healthcare sector
The role of cyber insurance in healthcare, according to Christopher Henderson, Senior Director of Threat Ops at cybersecurity company Huntress

In 2023 alone, there were around 133 million healthcare data breaches. Unfortunately, healthcare is traditionally a very complicated system to secure, something threat actors are actively exploiting. This leaves both healthcare organisations and cyber insurers playing a cat-and-mouse game.

Chris Henderson runs threat operations and internal security at Huntress, a company that supports the security programmes of internal and external IT teams.

“It is my team's task to observe the activity of threat actors and ensure our clients are defended against modern tradecraft,” he says.

Chris tells us more about cyber insurance and its impact on healthcare.

The role of cyber insurance in healthcare

Cyber insurance is unique compared to any other kind of insurance, says Chris. 

“Fires aren’t actively trying to find better ways to burn your house down. In cyber insurance, you’re working against an adversary capable of developing and pivoting faster than a policy might expire,” Chris explains. “So, cyber insurers are building more insight into how they model risk during the underwriting process.” 

Cyber insurers are looking to threat intelligence from past breaches, incident response firms and open-source or closed-source intelligence, to determine updated risk models and identify the most effective controls. 

Insurers are creating a new wave of requirements because they have to, and that means healthcare organisations have to evolve in order to get coverage.

Cyber insurers are emphasising help desk verification and strong authentication, using tools like multi-factor authentication (MFA), and these controls are reshaping their requirements.

“Cyber insurers are looking to ensure that your IT help desk has written procedures/policies to dictate that the person calling to reset a password, set up MFA and so on, is who they say they are,” Chris continues.

These requirements are a direct response to the increased number of breaches we are seeing that start by social engineering an IT team in order to gain administrative credentials. 

As this trend evolves, Chris expects stricter insurance requirements, or maybe new coverage types for emerging cyber threats.

“Today, some are requiring external proof, perhaps a vulnerability scan for their own assessment during the underwriting process. We may start to see insurers eventually requiring third party audits before securing a policy,” Chris says. “I could also see cyber insurance underwriting moving to a maximum 6-month or even quarterly policy, in order to keep up with the pace of risk modelling and the speed of threat evolution.”

Increasing regulatory pressure for better data protection and compliance in healthcare

“As healthcare consolidates, risk consolidates,” says Chris. 

Regulatory pressure is going to build around acquisition speed and the diligence of post-acquisition governance and security. 

“I think we need to realise that doctors and nurses are running around literally saving lives,” Chris emphasises. “This really isn’t a population that has the luxury of taking time to pay more attention to cybersecurity.” 

Healthcare organisations will need to put more focus on platforms and personnel to fortify their defences.

It stands to reason that cyber insurance premiums will continue to increase because the risk models simply can’t outpace the threat actors.

“We’re playing catch up at all times and risk profiles, models and more are almost never in balance with the reality of the threat landscape. In those millions of healthcare data breaches last year, the cost clocked in at an average of around US$10.9m,” says Chris. 

These breaches are originating from creative measures such as phishing or leveraging legitimate tools like remote monitoring and management. With numbers like these, Chris says the healthcare sector can expect premiums to continue to rise.

“Cyber insurance won’t negate the damages done when an attack occurs, but it can supply things like an incident response provider, legal counsel or even ransomware negotiation,” he explains.

The bottom line is that for healthcare organisations seeking cyber insurance, the risk assessment portion of the underwriting process is only the start of highlighting potential negative financial outcomes. 

“Healthcare organisations should look at cyber insurance as absolutely necessary - but do what they can to get ahead of the process through looking critically at the cost to implement controls, their risk level, compliance factors and of course, how consolidation is affecting their security.”

This is a case where an ounce of prevention is definitely worth a pound of cure.


InsurTech Digital is a BizClik brand.
