< back to insights gallery

Health care and cybersecurity insurance: The importance of understanding your organization’s coverage

REAL ECONOMY BLOG | January 05, 2023 | Authored by RSM US LLP

Over the past decade, cybersecurity breaches in health care have become more pervasive and costly, and the nature of the attacks have changed. And while cyber insurance could be a way to protect organizations from these costly threats, there’s much to consider about this coverage.

At one time cyberattacks were external, penetrating IT firewalls and stealing information. Today hackers are now more advanced, disguising ransomware attacks that are activated from the inside by an employee accidently opening the wrong email or clicking on the wrong link, often referred to as a phishing attack.

Many health care organizations struggle to defend against such phishing attacks, since nearly any employee with an email address can be a potential fraud vector. In 2020, the proportion of attacks at health care entities perpetuated by phishing increased to 69% of total attacks, a dramatic increase from 12% in 2014, according to the U.S. Department of Health and Human Services.

Much of this threat growth comes as health care providers embrace the pandemic-era realities of virtual care and remote work, digital advances that provide improved outreach to patients, but can also expose organizational cyber vulnerabilities. And these attacks can cost organizations significantly. In 2020, a health care data breach cost $7.13 million on average, surpassing the average cost of breaches in 17 other leading industries worldwide.

cyber and health care industry

Insurance helps, but know your policy

To help mitigate the financial impact of cyberattacks, many organizations can purchase cyber liability insurance. These policies can cover expenses related to a patient data breach at a doctor’s office, for example, and cover expenses related to data security fixes, data breach notifications, cyber extortion demands and public relations.

Small businesses can benefit from cyber liability insurance and protection from cyber threats just as much as large businesses. While much of the news you hear about cyberattacks and data breaches most likely involves security lapses at large corporations, the reality is that small businesses are just as at risk, if not more vulnerable.

According to Advisor Smith’s small business survey, 42% of small businesses experienced a cyberattack in 2021, and 69% of small businesses were concerned about being attacked in the next 12 months.

As cyberattacks have increased, so has the cost of insurance premiums. The average cost of cyber insurance has risen by 80% since 2020. Insurers are becoming stricter with their policy requirements, and it’s important for an organization to understand what is in a policy and what protocols are being implemented to meet these guidelines.

As a result of policy options and complexity, many health care providers may not clearly understand what is or is not covered by their current policy. Organizations may work hard to comply with underwriting requirements and pay the premiums only to discover, often after a breach has occurred, that their policy does not cover the cyber incident due to policy exclusions related to property type or attack occurrence. Restriction of coverage can be prevented with strong controls, including multifactor authentication, endpoint detection and proper backups, but organizations must be mindful of these fortifying measures that complement policy coverage.

The takeaway

As more service delivery options become available in the health care industry, organizations need to continue strengthening their day-to-day cybersecurity protocols.

In addition, an assessment of current cyber insurance and a full understanding of coverage is essential. Organizations cannot afford to be hacked or lose patient trust.

A culture of cybersecurity, where staff members view themselves as defenders of patients and their data, will have a tremendous impact in mitigating cyber risk to the organization and to patients.

For more on this topic, download RSM’s cybersecurity special report.

Contributor: Paul Fountain, SPR ePHI National Health Care Director, RSM US LLP

Let’s Talk!

Call us at (541) 773-6633 (Oregon), (208) 373-7890 (Idaho) or fill out the form below and we’ll contact you to discuss your specific situation.

  • Topic Name:
  • Should be Empty:

This article was written by Michael Haas, Matt Wolf and originally appeared on 2023-01-05.
2022 RSM US LLP. All rights reserved.

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each are separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International. The RSM(tm) brandmark is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

KDP is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise, and technical resources.

For more information on how KDP LLP can assist you, please call us at:

Oregon Office:
(541) 773-6633

Idaho Office:
(208) 373-7890