Cyber insurance for the healthcare industry

Cyber insurance by the numbers

Based on an analysis of Chubb’s prior decade of claims experience, the healthcare industry made up 38% of all claims reported during that period. Further, the trend of incidents impacting the industry has continued into 2018 as the number of Chubb healthcare cyber-related incidents grew 13% over the past two years.
 

Internal threats rising

In terms of the make-up or “triggers” of cyber claims for the healthcare industry, Chubb’s experience in many ways debunks the belief that external bad actors hacking into an insured’s system are the predominate threat. In fact, just 9% of healthcare breaches have resulted from Hacks, which is the lowest of any industry we track.

On the other hand, Human Errors and Rogue Employees have accounted for a combined 58% of all incidents. This experience suggests that while perimeter controls used to protect the organisation from malicious intrusion remain critical, other areas like employee training and internal access controls are equally important.
 

Ransomware on the rise

Security Research firm Cybersecurity Ventures estimates global ransomware damage costs to be US $5 billion in 2017, with projections for damages to exceed US $11.5 billion annually by 2019.

From the perspective of incidents handled by Chubb, the healthcare industry accounted for 33% of all ransomware attacks noticed, which is the most of any industry. These attacks have become increasingly destructive, and can have a significant impact on insureds in terms of the immediate costs incurred to mitigate and recover from the incident, as well as the lost income during the period of interruption.

Source: Chubb’s global claims data (10 years of data as of December 2017)

Key exposures & coverage

Key exposures

The following are some of the privacy and network security exposures faced by the healthcare industry:
 

• Data Breach - the theft of Personally Identifiable Information or Personal Health Information.
• Business Interruption - lost income and extra expenses arising out of malicious attacks or employee errors.
• Social Engineering - phishing emails or fake phone calls leading to the release of credentials or other sensitive information.
• Rogue Employees - malicious or even curious actors with access to patient data.
• Supply Chain - disruptions to your vendors like payment processors or Electronic Health Record portals.

Key coverages available

Cyber incidents can trigger immediate, direct costs as well as resulting liabilities. Some key elements of cover include:
 

• 24/7 Incident Response Expenses including Legal, IT Forensics, Public Relations and other Crisis Management experts available around the clock to assist in investigating and remediating cyber incidents.
• Business Interruption Loss due to a cyber-attack, network security failure, human errors, or programming errors.
• Data Asset Loss and restoration including decontamination and recovery for corrupted data.
• Network Extortion incidents like ransomware demands, where insurable by law.
• Liability arising from failure to maintain confidentiality of data or failure to prevent unauthorised access to your network.
• Regulatory investigations and resulting fines/penalties, where insurable by law.

A cyber claim scenario

What Chubb has paid

A hospital's computer system was the subject of a ransomware attack. While the attacker sought only $500, the attack essentially shut down the medical facility. The hospital incurred significant expenses attempting to restore the data from backup systems, and payroll, billing and imaging systems were inoperable during the period of restoration. With its systems completely corrupted, the hospital resorted to paper mode to chart and monitor patients. As a result of the attack, more than $700,000 was paid for forensics, data recovery, business interruption and crisis management costs.