Huntress on Data Protection & Cyber Insurance in Healthcare
In 2023 alone, an estimated 133 million patient records were exposed in healthcare data breaches. Healthcare has traditionally been a very complicated environment to secure, and threat actors are actively exploiting that complexity. This leaves both healthcare organisations and cyber insurers playing a cat-and-mouse game.
Chris Henderson runs threat operations and internal security at Huntress, a company that supports the security programmes of internal and external IT teams.
“It is my team's task to observe the activity of threat actors and ensure our clients are defended against modern tradecraft,” he says.
Chris tells us more about cyber insurance and its impact on healthcare.
The role of cyber insurance in healthcare
Cyber insurance is unlike any other kind of insurance, says Chris.
“Fires aren’t actively trying to find better ways to burn your house down. In cyber insurance, you’re working against an adversary capable of developing and pivoting faster than a policy might expire,” Chris explains. “So, cyber insurers are building more insight into how they model risk during the underwriting process.”
Cyber insurers are drawing on threat intelligence from past breaches, from incident response firms, and from open-source and closed-source intelligence feeds to update their risk models and identify the controls that actually reduce loss.
The result is a new wave of underwriting requirements, and healthcare organisations have to evolve to meet them in order to get coverage.
In particular, cyber insurers are emphasising identity verification at the help desk and strong authentication, with multi-factor authentication (MFA) as a baseline control.
“Cyber insurers are looking to ensure that your IT help desk has written procedures/policies to dictate that the person calling to reset a password, set up MFA and so on, is who they say they are,” Chris continues.
These requirements are a direct response to the growing number of breaches that begin with the social engineering of an IT team, typically a help desk, in order to obtain administrative credentials.
As this trend continues, does Chris expect stricter insurance requirements, or perhaps new coverage types for emerging cyber threats?
“Today, some are requiring external proof, perhaps a vulnerability scan for their own assessment during the underwriting process. We may start to see insurers eventually requiring third-party audits before securing a policy,” Chris says. “I could also see cyber insurance underwriting moving to a maximum 6-month or even quarterly policy, in order to keep up with the pace of risk modelling and the speed of threat evolution.”
Increasing regulatory pressure for better data protection and compliance in healthcare
“As healthcare consolidates, risk consolidates,” says Chris.
Regulatory pressure is going to build around acquisition speed and the diligence of post-acquisition governance and security.
“I think we need to realise that doctors and nurses are running around literally saving lives,” Chris emphasises. “This really isn’t a population that has the luxury of taking time to pay more attention to cybersecurity.”
Healthcare organisations will need to put more focus on platforms and personnel to fortify their defences.
It stands to reason that cyber insurance premiums will continue to increase, because the risk models simply can’t keep pace with the threat actors.
“We’re playing catch up at all times and risk profiles, models and more are almost never in balance with the reality of the threat landscape. In those millions of healthcare data breaches last year, the cost clocked in at an average of around US$10.9m,” says Chris.
These breaches typically originate from techniques like phishing, or from the abuse of legitimate tools such as remote monitoring and management (RMM) software. With numbers like these, Chris says the healthcare sector can expect premiums to continue to rise.
“Cyber insurance won’t negate the damages done when an attack occurs, but it can supply things like an incident response provider, legal counsel or even ransomware negotiation,” he explains.
The bottom line for healthcare organisations seeking cyber insurance is that the risk assessment portion of the underwriting process is only the beginning of understanding their potential financial exposure.
“Healthcare organisations should look at cyber insurance as absolutely necessary - but do what they can to get ahead of the process through looking critically at the cost to implement controls, their risk level, compliance factors and of course, how consolidation is affecting their security.”
This is a case where an ounce of prevention is definitely worth a pound of cure.
Healthcare Digital is a BizClik brand