With heightened risks and tighter underwriting, cyber insurance is a challenge – here are some tips

It's a "completely different environment" compared to just a few years ago, said one expert at HIMSS23, as CISOs and others offered perspective on navigating expensive and exacting cyber policies.
By Mike Miliard
12:21 AM

Anahi Santiago, Christopher Scott Martin, Aleksandra Vold and Erik Decker at HIMSS23 on Monday.

Photo: Mike Miliard/HIMSS Media

CHICAGO – One predictable consequence of the escalating intensity of cyberattacks on healthcare organizations in recent years: Cyber insurance policies are a lot harder to get, and a whole lot more expensive even when they're inked.

"It's a very disruptive time," said Aleksandra Vold, a partner on BakerHostetler's healthcare privacy and compliance practice team, describing the frequency of cyberattacks large and small, and the challenges her clients face as she helps them navigate the complexities of contracts and reimbursement.

"We're in a completely different environment now," said Christopher Scott Martin, cyber practice leader at RCM&D, a Unison Risk Advisors Company, speaking at the HIMSS23 Healthcare Cybersecurity Forum on Monday.

"What it took to secure cyber insurance coverage four or five years ago," he said, was far easier and cheaper than what it takes today. 

Securing a good policy – and getting reimbursed in the event of a breach – demands that healthcare organizations be "proactive and intentional," he said. 

In other words, they have to do their homework.

Even with that homework done, however, the U.S. Government Accountability Office has acknowledged that "the extent to which cyber security insurance will continue and be generally available and affordable is uncertain."

So how can a healthcare organization best position itself for success in a fraught era where ransomware attacks and other nefarious cyber intrusions have become a near-daily occurrence?

Joining the conversation were Erik Decker and session moderator Anahi Santiago, chief information security officers at Intermountain Health and ChristianaCare, respectively.

"I'm currently going through the renewal process and what a fun time it is," quipped Santiago, who asked the panelists about their own experiences in recent years, and whether they had any tips for filling out applications and working with their brokers on the process.

Martin said it's important to work alongside brokers to help "understand and communicate your story" to prospective insurers. 

"Part of that can be done with getting outside of an application, really building a robust submission," he added.

"And that, I think, is done probably at its finest with underwriting calls, intending to develop relationships with those that are assessing your organization and understanding what our responses mean, moving past just yes/no questions and providing feedback – that's my general guidance for having navigated it successfully."

"Everybody's got a methodology that they want to apply in understanding the risk posture of the organization," said Decker. "I think the underwriters are no different than the practitioners when we're evaluating our third parties or we're evaluating our own internal organizations.

"It's a process," he added. "It's a relationship. One of the things that we do is, every year, when we do our renewal, we actually go to London and we spend time with our broker and our underwriters and we spend an entire day there. There's a presentation that I give, I prepare all that. I describe the program, I describe key things that for sure they're going to be interested in."

Insurers are hardly naïve. They're aware of the heightened risk to healthcare data in recent years. That's why they price their policies accordingly – and expect policyholders to dot every "i" and cross every "t" when it comes to compliance, due diligence and preparedness.

"There's common ways that we're getting beat left and right," said Decker. "And obviously our insurers know that. They have the data that shows that the two-factor elements, your EDR, your 24/7 SOC, your privileged access account management, your backup strategies, your tabletop testing that you're doing – these are all things that they care about.

"And so you want to be able to tell a really good, compelling story as far as where your journey has been and how well you're exercising these things," he added. "Spend the time answering the questionnaire and the questions, and put all supporting evidence in there.

"But the real conversation happens in the room," said Decker. "You're there with them in the partnership, having the ability to talk to them about and be able to describe the program. To some degree this is about trust, and it's about the ability for the insurers to trust that the program actually has this well accounted for. You don't get trust by just submitting a questionnaire with answers."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.
