Healthcare Organizations Struggle to Obtain Cyber Insurance Policies, Report Shows

As healthcare ransomware attacks increase, Sophos observed healthcare organizations struggling to obtain coveted cyber insurance policies.

Healthcare ransomware attacks are not slowing down, prompting an increased demand for reliable cyber insurance policies. But as healthcare cyberattacks skyrocket, cyber insurers are pushing up prices or leaving the market altogether, Sophos stated in its “State of Ransomware in Healthcare 2022” report.

Sophos surveyed 5,600 IT professionals, including 381 in healthcare, to garner insights on how healthcare organizations are navigating the cyber threat landscape.

The report found that 66 percent of surveyed healthcare organizations were hit by ransomware in 2021, up from just 34 percent in 2020. About 61 percent of those attacks resulted in data encryption. Survey results also revealed that healthcare was the most likely sector to pay a ransom. Just over 60 percent of respondents who experienced encryption admitted to paying the ransom, compared to a cross-sector average of 46 percent.

With these figures in mind, it makes sense that healthcare organizations are increasingly turning to cyber insurance to protect their assets and minimize damage. Across all surveyed sectors, 83 percent of organizations reported securing cyber insurance, while only 78 percent of healthcare organizations said they had coverage.

“Given the high rate of ransomware incidents in healthcare, this insurance coverage gap leaves many organizations exposed to the full cost of an attack,” the report stated.

In addition to challenges with obtaining coverage, 51 percent of respondents said that the level of cybersecurity needed to qualify is now higher, and 45 percent said that the policies are now more complex.

“These changes are closely linked to ransomware, which is the single largest driver of cyber insurance claims. In recent years, ransom attacks have increased and ransoms and payout costs have soared. As a result, some insurance providers have left the market as it has simply become unprofitable for them,” the report noted.

“Those that remain are looking to reduce risk and exposure. They’re also pushing up prices considerably. With fewer organizations providing cyber cover, it’s a sellers’ market. They call the shots and they can be selective about which clients they cover. Having strong cyber defenses will significantly improve an organization’s ability to secure the coverage they need.”

Despite these challenges, organizations that have managed to obtain cyber insurance appear to be reaping the benefits. Over 95 percent of healthcare respondents said that they have made changes to their cyber defenses in order to improve their cyber insurance positions.

Over half of covered organizations increased staff training and nearly half have implemented new security processes and behaviors to mitigate cyber risk. In addition, 97 percent of healthcare ransomware claims were paid out by their insurers, and 81 percent of respondents said that their insurer at least paid for cleanup costs.

The results suggest that the increased demand for cyber insurance has prompted organizations to invest in enhanced cybersecurity measures to improve their chances of getting a worthy cyber insurance policy.

“Looking at what cyber insurance coverage paid for across all sectors, the survey reveals an increase in the payment of cleanup costs and a decrease in ransom payments by insurers compared with the findings of our 2020 survey,” Sophos continued.

However, the report also emphasized that while cyber insurance policies can help healthcare organizations pick up the pieces after a damaging cyberattack, they do not cover expenses associated with “betterment,” meaning investment in better technology to address security weaknesses. Rather, healthcare organizations should have these defensive measures in place already and rely on insurance policies only in the event of a cyberattack and the subsequent recovery.

In Fortified Health Security’s recent report, similar sentiments were raised. Researchers urged healthcare organizations to remember that cyber insurance is not a band-aid for inadequate cybersecurity measures.

“Having cyber insurance doesn’t take the place of a strong cybersecurity infrastructure. Increasingly sophisticated attacks continue with larger payouts that make obtaining cyber insurance more difficult — and more expensive,” the February report stated.

“Insurance companies are demanding more rigorous attestations and taking additional steps to ensure minimum security standards are met. Remember, if you don’t comply with the terms of the policy, you may not be truly covered during a time of need.”

Sophos recommended that organizations prepare for the worst and implement cybersecurity defenses that allow for quick recovery from a cyber incident. In addition, organizations should keep data backups, implement endpoint detection and response (EDR) or extended detection and response (XDR) solutions, and review existing security controls.