The Covid-19 pandemic marked one of the most difficult times the healthcare industry has ever faced — and not just from the perspectives of patient care, clinician wellbeing, and revenue loss. As it turns out, there was another crisis brewing in the form of ransomware attacks.
And instead of slowing down in the years following the initial lockdown, the problem has only worsened. According to Dan Borgasano (Vice President, Imprivata), ransomware incidents increased by more than 600 percent from 2021 to 2022, and the trend shows no signs of letting up. With the average cost of healthcare breaches estimated at $10 million, it’s becoming an “expensive problem,” he said during a recent panel discussion.
For some organizations, unfortunately, it’s going to get worse. The more money health systems lose to attacks and data leaks, the higher the price tags for cyber insurance coverage. “We’re seeing an industrialization of cybercrime,” said Esmond Kane (CISO, Steward Health Care), who also participated, along with Brian Cayer (CISO, Keck Medicine of USC). “Organizations are being hit with ransomware on a daily basis, to the extent that the insurance industry can’t keep up with the demand.” As a result, premiums have skyrocketed, and requirements have become far more stringent.
And that means CISOs and other leaders have to step up their game, according to the panelists. During the discussion, they shared perspectives on how the landscape has shifted, what insurance providers are looking for, and how to navigate a situation in which CISOs are “operating under heightened liability,” as Kane stated.
Changing Course
One of the reasons leaders are struggling, according to Cayer, is the fact that just a few years ago, obtaining cyber insurance meant answering 15-20 questions that were, as he stated, “fairly straightforward. It wasn’t a deep dive.” Until, of course, incidents started occurring more frequently — and, subsequently, more claims were filed.
All of a sudden, insurance companies were now losing money, and had to “change course,” he recalled. Short questionnaires turned into lengthy, complex Q&A sessions, and CISOs had to endure roadshows — knowing they could still be rejected, even by previous carriers.
“We had to go through 26 different carriers to see if we could get insurance,” Cayer noted. “I had to present our cybersecurity plan and show our capabilities. It was very challenging.” Some insurance providers opted out of healthcare altogether, while others wouldn’t take on a health system unless they could split coverage with another carrier. “It changed a lot for us.”
There was more. In addition to having stricter parameters to grant coverage or renewal, some providers altered payment models by capping contributions or asking health systems to match numbers. “They’ve gotten very creative in how they approach coverage,” he said.
Kane concurred, noting that the criteria are constantly evolving. “What you did last year may not necessarily be sufficient to obtain insurance the next time around.”
One of those areas, noted Borgasano, is identity management. For example, many providers require multi-factor authentication for remote network access, but now some are considering it a must-have for on-premise endpoints and applications as well. Also, “insurance companies want to see that you have controls in place to terminate user access as part of the employee exit process,” he said. The list of requirements also includes stricter parameters in terms of password complexity and rotation schedules.
“Basic table stakes”
Most of these fall under the category of basic table stakes, according to Kane. The problem is that “some of these table stakes are very fungible,” which makes sense, given how quickly threat actors are able to adjust their strategies.
It’s important to remember that “the goal is not to eliminate risk,” he added. “That’s just not feasible. You have to function. You have to provide services in these unprecedented circumstances.” Not an easy task, but one that can be navigated with the right approach, according to the panelists, who offered the following advice.
- Know your policy. It may seem obvious, but in many cases, health systems are losing out on payments. In fact, as many as 27 percent of insurance claims aren’t paid due to oversights, said Borgasano. Therefore, “it’s really important to understand all of the different clauses in your policy and what could potentially be excluded.”
- Limit the impact. With identity being the most common target, Cayer’s team focused heavily on implementing controls around managing identity and detecting anomalies. “Let’s talk about where the risk is and what we’re doing,” he said. “If you’ve logged into too many computers within a period of time, I’m going to force MFA on you, whether you’re on prem or remote.” Putting these systems in place can “reduce lateral spread movement and limit the impact of a compromise.”
- Partner with vendors. Trying to keep pace with bad actors, noted Borgasano, simply isn’t possible. “While everyone would like to be proactive in their strategies, sometimes resources just don’t allow for that.” This is where partnerships with companies like Imprivata can make a difference. “We try to work with our clients to automate as much as we can and help them prioritize, or provide alternatives to help accomplish the same goal in a way that’s more feasible for their budget or timelines.”
- Rely on networks. One of the positives in dealing with complex challenges like cyber insurance is the fact that no one is acting alone, Kane pointed out. “Everyone is going through the same thing,” even the carriers. His solution? “Make it a dialogue. Talk with your peers and have continual conversations with your insurers.”
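The step-up rule Cayer describes above (too many logons in a period triggers forced MFA) can be written as a detection over authentication logs. The following is an added example, not code from Keck Medicine of USC or Imprivata; the log line format, the five-endpoint threshold and the 30-minute sliding window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs).
SAMPLE_LOGONS = """\
2023-03-01T08:00:00 user=nurse01 host=WS-101 result=success
2023-03-01T08:05:00 user=nurse01 host=WS-102 result=success
2023-03-01T08:20:00 user=svc_backup host=SRV-01 result=success
2023-03-01T08:21:00 user=svc_backup host=SRV-02 result=success
2023-03-01T08:22:00 user=svc_backup host=SRV-03 result=success
2023-03-01T08:23:00 user=svc_backup host=WS-117 result=success
2023-03-01T08:24:00 user=svc_backup host=WS-118 result=success
2023-03-01T08:30:00 user=doc07 host=WS-201 result=failure
2023-03-01T09:45:00 user=nurse01 host=WS-103 result=success
2023-03-01T10:10:00 user=nurse01 host=WS-104 result=success
2023-03-01T10:40:00 user=nurse01 host=WS-105 result=success
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) host=(\S+) result=(\S+)$")

# Policy parameters: assumed values for this example, not figures from the panel.
DISTINCT_HOST_THRESHOLD = 5
WINDOW_MINUTES = 30

def parse_logons(text):
    """Return successful logons as (timestamp, user, host); failed and
    malformed lines are skipped, since only real sessions enable spread."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) == "success":
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def users_to_step_up(events, threshold=DISTINCT_HOST_THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Map user -> peak distinct-endpoint count for every user who reached
    `threshold` distinct hosts inside one sliding window (candidates for forced MFA)."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((ts, host))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological, so each event can open a window
        for i, (start, _) in enumerate(logons):
            hosts = {h for ts, h in logons[i:] if ts < start + window}
            if len(hosts) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(hosts))
    return flagged
```

In the sample, the service account touches five endpoints in four minutes and is flagged, while the nurse who reaches five distinct workstations over a whole shift is not, which is the point of bounding the rule to a window rather than a daily total.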
Along those lines, it’s important that leaders avoid framing it as a “necessary evil,” he noted. “It should be part of the leadership discussion.”
It should also be viewed as part of a comprehensive cybersecurity program. “Cyber insurance is a risk mitigation measure,” but it’s just one of many weapons in the arsenal. “It’s a subset of your larger risk management program, and it should dovetail into that. You should be continuously investing, communicating, and educating.”
As is often the case, it comes down to basic fundamentals, said Cayer. “That’s where it goes wrong. People forget about the basics. Make sure you have all of those in place.” And, above all, “don’t stop improving.”
To view the archive of this webinar — Understanding Your Cyber Insurance Needs & Keys to Obtaining Coverage — please click here.