As cyber attacks on health care soar, so does the cost of cyber insurance
Health systems buffeted by labor and supply chain costs and broader economic woes have another unwieldy financial problem: the soaring costs of cyber insurance.
Why it matters: It may not be sexy — or the first thing you think about when cybercriminals wreak havoc on hospital infrastructure. But the sheer scope of the problem, and insurers' reluctance to cover losses stemming from ransomware attacks, is hitting hospitals in a very real way, Moody's Investors Services points out.
What they are saying: "The cost of insurance is rising and it's coming at the worst time for health care. There's not a lot of wiggle room," said Matthew Cahill, a Moody's analyst.
- Since 2019, there have been double-digit jumps in premiums, sometimes more than doubling all at once.
- A report from Property Casualty 360 last week indicates those insurance costs have finally begun stabilizing in the first quarter of 2023 for the industry.
- But individual health systems continue to report major upticks in their premiums, Omid Rahmani, an associate director with credit rating agency Fitch Ratings, told Axios.
- "Costs are decelerating. That tells a general part of the story," Rahmani said. "But one of the factors that is leading to that is that insurance is becoming unaffordable or frankly unavailable for a lot of small- to medium-sized issuers."
The big picture: When cyber insurance first emerged in the early aughts, it was often included as part of other policies.
- But as losses mounted due to the increased frequency and sophistication of the attacks, insurers had to create standalone policies, Rob Rosenzweig, a senior vice president and the National Cyber Risk practice leader at brokerage firm Risk Strategies, told Axios.
- In other words, the coverage was underpriced for the amount of risk being taken on, he said.
- That led to a reckoning from early 2019 to the end of 2022 in which carriers became a lot more discerning.
Zoom in: To secure coverage, health systems increasingly have to meet insurers' requirements for hardening their defenses, such as strong data backup strategies, use of tools such as multi-factor authentication, employee security training, and segmentation of networks.
- They are also creating more add-on policies, experts tell Axios.
- "Social engineering attacks, such as phishing, remain one of the most effective ways to breach a hospital system. The workforce remains the weakest link," said Soumitra Bhuyan, an associate professor at Rutgers University who has studied cyber insurance trends in health care. "So many insurers treat social engineering as a separate policy extension."
- They've also been adding major restrictions to coverage, including refusing to cover nation-state-backed cyber attacks.
- By the end of this month, global insurance and reinsurance marketplace Lloyd's of London will require all insurance groups to exclude state-backed cyberattacks from their policies.
- "With the increased rates and limited coverage, small independent and rural hospitals are at a significant disadvantage in obtaining cybersecurity insurance," Bhuyan said.
- "The gap between those with adequate resources to protect their information systems continues to increase," Bhuyan said. "Many of these hospitals are critical access hospitals or hospitals in rural areas. They don't have enough resources to secure their IT systems and may be unable to recover if a breach happens."
The other side: Requirements from the insurance industry have helped drive the health care industry at large to have stronger defenses against attacks, Rosenzweig said.
- "The requirements carriers are focused on have driven better behaviors across the industry," he said. "Everyone has upped their game."
Be smart: If the insurance itself is getting pricey, the cost of a successful ransomware attack is still far worse, Cahill said, pointing to an Illinois system that cited one such attack as a contributing factor in the temporary closure of two of its rural hospitals in January.
- In January, the pro-Russian group Killnet took credit for taking down portions of systems of more than a dozen U.S. hospitals, including Stanford Healthcare, Duke University Hospital and Cedars-Sinai.
- Fitch Ratings said such coordinated cyberattacks aren't likely to lead to downgrades for not-for-profit health systems, but that deployment of more sophisticated cyberweapons that compromise service and affect a hospital’s financial profile could.
- "That's the issue with these cyberattacks. Are there systems that are doing very well still? Yes. But in a lot of the industry, there is very little wiggle room to take on a month of manual records, diverting services, and denial of claims," Cahill said. "This is kind of what happens. And now you have a rural community that doesn't have a hospital."
The intrigue: In some cases, health systems have actually gotten their records back — and one even got an apology — from hackers after being told they were endangering patient lives.
The big picture: As the threat of ransomware attacks rises — and the payouts grow too — it raises an existential question: Are cyber threats becoming so risky as to become uninsurable?
- That was the warning of the CEO of Zurich, one of Europe's largest insurers, in December.
- There are so many technology providers that are pervasive across the entire economy — and across health care, such as EHR providers — that it's hard for insurers to truly calculate the risk and appropriate prices to ensure a sustainable and profitable market, Rosenzweig said.
What to watch: The White House last week released its first national cybersecurity strategy, which floated the idea of building a federal cyber insurance backstop to protect against massive losses to the economy in the wake of future cyber threats.
- However, the idea, which gained steam after a June 2022 report from the Government Accountability Office, would be costly and promises to be controversial.
- The Cybersecurity and Infrastructure Security Agency is working with HHS to offer hospitals assistance and third-party services.
The bottom line: This is just one of the tricky threats to the health care sector as it emerges from the pandemic and fights to avoid an attack that could theoretically take them offline for weeks.
- "Forget the financial risks, for a second. The really scary consideration with health care is the criticality of it, the life and death nature of it," Rosenzweig said.
- But when it does come to dollars and cents, he said: "Without the right financial backstop in place, that could be an event that particularly for a smaller organization you can’t sustain on your balance sheet."