Cyber insurance: Enabling the future of healthcare

With healthcare's technological revolution bringing new exposures, it's time to think outside the box when it comes to insurance. Discover the pivotal role cyber insurance has to play in this comprehensive article, originally published in Medico-Legal Magazine.

Cyber Article 14 min 29 Feb, 2024

By Rebecca Pelling, UK & International eHealth Product Manager, CFC and Will Hodson, Cyber Analyst, CFC

Originally published in Medico-Legal Magazine https://www.medicolegalmagazine.co.uk/

Over the last 30 years, healthcare has undergone nothing short of a technological revolution. Almost all medical professionals now rely on computer systems to some extent, whether that’s simply accessing health records in an electronic format or using sophisticated AI-diagnostic tools, remote patient monitoring (RPM) tools and surgical robots.

There’s no doubt that technology is bringing about significant improvements in the quality of healthcare provision, driving greater productivity and cost savings for healthcare providers on the one hand and better patient outcomes on the other. Nevertheless, the growing use of digital tools brings new exposures: most notably the burgeoning threat of cybercrime and bodily injury that arises from these cyber events.

New risks to face

The transformative impact of technology is no clearer than in RPM, a technology that gives patients the freedom to be more easily treated outside of a hospital or clinic. 

RPM is significant in reducing both patient stress levels and costs for the healthcare provider. But what if the software behind the service is targeted in a cyber attack? It's easy to think that cybercrime doesn’t impact healthcare, but the headlines say differently. Recently, the US healthcare provider Ardent Health Services fell victim to a cyber attack which closed many of its emergency rooms for five days, while earlier this year, data for over one million NHS patients was compromised in a ransomware attack. And, with cyber attacks becoming more frequent and sophisticated, these examples are just the tip of the iceberg.

How about a different type of technology failure or cyber event, like the RPM platform not completing a software update or a ransomware attack leaving the platform inoperable? The tool could produce incorrect readings or not produce readings at all, with the medical professional none the wiser and patient conditions potentially worsening as they haven’t been picked up.

In this scenario, it’s likely that, on top of the risk of bodily injury, the healthcare provider will experience additional financial and business interruption costs. This type of system failure can force patients to travel to the hospital for their care and clinicians to spend unplanned hours and money delivering that care, taking resources away from other parts of the service.

That’s not all. Faced with a cyber incident, most healthcare providers will need to hire external support to effectively remediate the incident itself, restore digital systems and recover lost data. They may also incur unexpected legal fees if they need to defend a claim following an incident. And in cases where data is stolen, they may be subjected to regulatory fines. If it’s a ransomware attack, there will usually be the cost of a ransom payment to take into account, if you choose to pay it. Altogether these form a huge financial burden for any provider to bear on its own.

Types of emerging healthcare technologies

AI

Today, there is a wide range of AI-led healthcare tools, including triaging patients, chat bots and assistive diagnosis. While these tools bring many benefits, AI is only as good as its human input. Whether it’s the size and quality of the data set, the medical expertise of the individuals inputting data, or ongoing monitoring for errors in the AI code, it’s possible for things to go wrong. If they do, who is to blame, the technology tool or a human?

It’s important to cover bodily injury risk, to avoid confusion if a claim occurs from an ambiguous cause.

Telehealth

Accelerated by the pandemic, telehealth is only becoming more accessible and diverse in the specialities it delivers via real-time video consultations. By offering services online, telehealth entities can face risks not experienced by traditional clinics, such as a technology failure or a ransomware attack that could take video consultations offline. With most telehealth entities enabled by a separate technology provider, who takes the blame?

To make things clear, taking out blanket coverage for services provided on behalf of the main policyholder is vital, ensuring protection if a sub-contractor, such as an individual doctor, does not have adequate cover in place.

RPM

We’ve already touched on how RPM can make a difference. Digging deeper, RPM often includes wearable devices such as watches to monitor electrocardiogram data, and glucose monitors and pacemakers which constantly feed data back to the practitioner. But since RPM is heavily reliant on devices, what if a device produces an incorrect reading? This is in addition to the risk of a cyber attack, as mentioned earlier.

By getting cover for technology services and the products they use, you’ll have protection if a device fails to perform or if a cyber event hits.

Thinking outside the box

If you’re using technology to improve healthcare provision, then you’re operating in a new and emerging field with new risks and exposures. That means you need to think outside the box when it comes to insurance.

In the past, it’s usually been sufficient to focus solely on insurance cover which provides protection for traditional clinical negligence matters (medical malpractice) or traditional financial losses (professional indemnity). But to address new risks and ensure support is in place when it’s needed, it’s time to broaden the scope. Today, you also need to consider bodily injury that results from technology failure and cyber events, as well as other financial losses that can be associated with these events. That’s where cyber insurance comes in.

How cyber insurance works

The more the healthcare industry comes to rely on digital assets, the more exposed it is to the theft, loss or destruction of those digital assets as a result of cyber attacks. Fortunately, there’s a simple way providers can get the support they need.

Cyber insurance is designed to help healthcare providers take full advantage of digital capabilities, by enabling them to effectively share their cyber risk with the insurer. We’ve already touched on the various costs caused by a cyber incident. Cyber insurance provides cover for those financial losses, enabling the provider to focus on delivering quality care to those who need it most. 

But the best cyber insurance policies go further than providing cover for financial loss. Today, cyber insurance is defined by the innovative services that come with the policy, including advanced proactive protection and incident response, designed to stop cyber attacks from happening and minimize impact when they do occur.

Reactive and proactive services

So, how do these services make a difference? 

Incident response is like your digital fire service. In the event of a fire, speed is of the essence, with every moment the fire blazes causing more disruption and destruction. It’s the same when a cyber event hits. The cybercriminal will be working quickly to complete the attack, perhaps exfiltrating data or deploying malware. Defending an attack quickly and decisively can make a significant difference in minimizing system downtime, preventing data theft and getting the provider, such as a hospital or clinic, back up and running.

But if there’s one thing better than responding to a cyber attack effectively, it’s stopping it from happening in the first place. At a time when budgets are tight, hiring an expert team that offers proactive prevention services like threat hunting and vulnerability scanning can cost tens of thousands. But they come free as part of any good cyber insurance policy. Some cyber insurers have the ability to actively monitor their policyholders and alert them to cyber threats targeting their business, so they can avoid cyber incidents altogether.

When doing your research, always consider the services that come with a policy, and go with an insurer that offers the expertise to prevent and remediate cyber incidents quickly and effectively. This way, you’re free to focus on patient care, safe in the knowledge you have a team of experts on side when an incident occurs.

Cyber insurance in action

Operational disruption

In the US, a mid-sized hospital providing a variety of surgical procedures was hit by a malware attack, disrupting all devices and services and making patient data inaccessible. The hospital had no choice but to bring in teams of additional nurses and issue a Red Alert, diverting patients to other hospitals in the area.

Since the hospital had taken out a cyber policy with CFC, we covered the financial loss caused by system damage—including the replacement of hardware, something many cyber policies exclude—and further losses incurred due to business interruption, such as the cost of hiring additional nursing staff.

Social engineering

After a CEO’s email account was hacked, a care home faced financial loss from a social engineering attack. The fraudster sent emails impersonating the CEO to the care home’s finance team, requesting the urgent payment of some £87,315 to accounts controlled by the fraudster. 

Fortunately, the care home had purchased cybercrime cover on their cyber policy with CFC, and were reimbursed for the losses. This claim illustrates not only how CEOs and senior executives are prime targets for cybercriminals, but it also shows that IT security doesn’t remove the need for cyber insurance, with many cyber incidents resulting from human error.

Getting started with cyber insurance

Modern technology innovations are key in bringing improved healthcare outcomes to people across the world. But to truly maximize the opportunity that technology presents, it is essential that the healthcare industry also mitigates its emerging risks and exposures, in the form of cyber risks and bodily injury arising from technology failure or cyber events.

CFC is a specialist insurer in emerging risks, backed by more than 25 years’ experience in cyber. With us, healthcare professionals don’t need to source multiple covers for their unique needs. We offer best-in-class healthcare and cyber cover under one roof, making it easy for providers to get the protection they need to build a healthier future for everyone.