With cyberattacks hitting hospitals at an alarming rate in 2017 and not showing any signs of stopping as we get into Q2 of 2018, many hospitals are re-evaluating their investment in cyber insurance.
With the average cost of a data breach increasing in the United States to nearly $7 million per major data breach or ransom attack, rural and critical access hospitals need to evaluate whether they need cyber insurance and how to ensure that their coverage will protect them in the event of an unfortunate cyberattack.
Today I want to briefly walk through 3 common myths that many rural hospitals have about cybersecurity and cyber insurance to get you and your administrative staff to start to seriously think about how to keep your hospital safe from cybercriminals.
Myth 1: It Won’t Happen To Us
One of the common threads in nearly every cyber incident—in healthcare and out—is that the victims never could have dreamed of having their entire hospital system down from a ransomware attack. Being in rural America, who has it out for your hospital? The disgusting truth is that cybercriminals don’t care that your hospital is helping your community and certainly is not a big company with lots of money to spare. Cybercriminals are attacking rural hospitals because they are easy targets.
In 2018, security experts believe that rural healthcare is falling in the crosshairs of cybercrime more than ever before because patient data is valuable and hospital operations are critical to rural communities. Since many hospitals haven’t maintained their security systems, lack comprehensive IT Support teams, or have neglected even basic maintenance on their networks, they are easy and lucrative targets for cybercriminals looking to make quick cash—either by selling medical records or by holding hospital systems for ransom over data that was never backed up.
The “It Won’t Happen To Us” myth carries over into how many rural healthcare systems approach cyber insurance. It’s an afterthought, because how could you be worried about cybercrime if you don’t think you’d ever get attacked? The cold truth in 2018 is that if your hospital isn’t thinking about and actively planning how to integrate security into a comprehensive IT Support structure, you’re probably thinking about cyber insurance only after you’ve already been attacked.
Myth 2: Our Coverage Is Enough
While many hospitals are still assuming that nothing could ever seriously impact their network security, several have heeded the call for cyber insurance. And with that call, they’ve come to think that cyber insurance is the golden ticket to complete assurance and complete protection.
The problem with this thinking is that it ISN’T TRUE!
Read the fine print of your cyber insurance agreement and you’ll likely find that cyber insurance will only cover you if you are doing your due diligence to keep your network secure.
That means that if you aren’t patching your systems, monitoring your traffic, or training your team to proactively keep you HIPAA compliant, you’re likely in violation of some clause of your agreement.
You can think of your cyber insurance policy like your auto insurance. Even if you have the top-of-the-line auto insurance out there, if you are in an accident resulting from drunk driving, your insurance company is definitely NOT going to cover you. Similarly, if you are found to have glaring security holes on your network leading to a major reportable data breach, your cyber insurance policy likely won’t cover you, or won’t fully cover you, for your data breach or cyberattack.
Myth 3: Cybersecurity is not affordable
One of the biggest myths out there is that keeping your network—your patient records, your staff and your hospital—protected from cyberattacks is too expensive. If you currently have this opinion, it’s likely that the people doing your IT Support and Security are extremely inefficient at their jobs, don’t understand rural hospital security needs, or are manually protecting your network (which isn’t the safest way to protect a network any way you look at it).
What many hospitals are finding is that a sure way to keep their hospital networks secure is by implementing hospital IT Support that actually understands how hospitals work and integrates security training and process into its normal IT Support. The problem most hospitals face—especially in rural areas—is that they have to pay EXTRA for security services. Their IT Support team is either not qualified or too overworked to begin with to even remotely think about their hospital IT Security. And no one is around to check that the support team is keeping up on even basic network patching and security monitoring.
Many hospitals find that if HIPAA compliance and cybersecurity are integrated completely into standard support, IT Security becomes affordable and security risks from cyberattacks get eliminated.
Just to recap: cyberattacks are happening to rural and critical access hospitals, and cyber insurance ISN’T the golden ticket we all might have wished for when it comes to cybersecurity.
Here are a few things to consider before signing your insurance policy.
Get An IT Security risk assessment completed.
The first step to securing your network is to set up a risk assessment and impact analysis. You need to understand your risks and where they lie before you can understand what your insurance policy will require. In addition, a thorough security risk assessment will help you understand what kind of coverage you will need from your insurance provider.
Be Ready To Prove A Cyber Event If You Call On Your Insurance Provider To Cover You.
In the event of a cyber incident, you will need to know specifically what your insurance provider requires for you to make a claim. For instance, you may be required to perform a forensic investigation to determine how the breach occurred (in some cases, if you were negligent in patching or keeping your network updated, the policy may not cover you).
You can think of cyber insurance in a similar way to auto insurance. Auto insurance does not give you a green light to drive drunk, just as cyber insurance does not give you the ability to overlook cyber security. Your provider will require specific levels of security to cover a cyber incident (in the event one happens).
Cybersecurity Assessments Required Before Coverage Begins.
In many cases, your insurance policy will require you to have a full annual cyber security assessment done. Typically an annual assessment will evaluate all potential risks and provide you with actionable remediation steps for securing your business.
Cybersecurity is no joke.