As cyberattacks and insurance costs grow, time is right for accreditation | Viewpoint

Accreditation and certification programs can help organizations address gaps and demonstrate to other providers, partners, and insurers that they are serious about protecting healthcare data.

Is there an upper limit on the cost of cybersecurity insurance? If the past few years are any indication, the answer is a firm “no.”

According to one study of insurers, the cost of cyber insurance skyrocketed 130% in Q4 2021, and 82% expect premiums to continue to rise over the next two years. A proliferation of high-profile ransomware cases certainly plays a role, as does a lack of experiential data among insurance companies, a dearth of cybersecurity professionals, and the sheer number of access points that could be vulnerable to attack.

Healthcare organizations have been especially hard hit by both cyberattacks and the cost of cyber insurance.

For the 12th straight year, costs associated with a healthcare data breach rank the highest among industries — topping $10 million, a 42% increase since 2020. In comparison, the cost of a breach for a financial services company, the second most expensive industry, is 60% lower than in healthcare.

Hackers are somewhat shifting their focus toward smaller hospitals, specialty clinics, physician practices, and third-party vendors, which means that any healthcare facility could be vulnerable to attack.

The stakes are as high as the cost of cyber insurance, which points to the need for constant vigilance surrounding IT infrastructure, people, and processes.

Accreditation and certification programs can help organizations review and address any gaps, document processes, and demonstrate to other providers, partners, and insurers that they take their cyber hygiene, including the privacy and security of healthcare data, seriously.

Cyber: the Wild West of insurance risk

Insurance data shows that nearly one-half of all companies opted for cybersecurity insurance in 2020, nearly double the percentage in 2016. However, premiums continue to rise while coverage limits are reduced in some industries, such as healthcare and education.

Further, while homeowners frequently bundle auto, home, life insurance, and other coverages with one company to save money, cyber risk insurance often stands apart from other insurance types that a healthcare entity also needs.

Insurance companies have decades of experience-rated data to quote and underwrite policies based on a particular set of circumstances.

An auto policy for a 16-year-old driving a red sports car in Los Angeles, for example, will cost considerably more than a policy for a 35-year-old man who drives a sedan in a rural area. When insurance companies know their cost basis, calculating rates that balance risk level against projected loss ratio is relatively straightforward.

In comparison, cyber risk policies are the Wild West of insurance — especially in healthcare, where the potential losses are particularly high. Healthcare data is prized by hackers because it contains sufficient information to create a fake identity in addition to credit card numbers and other protected information.

Hospitals are connected to hundreds, if not thousands, of healthcare software systems, medical devices, third-party systems, health information exchanges (HIEs), community providers, and others that provide a broad attack surface. Even smaller hospitals, specialty clinics, and physician practices will have a significant number of data connections or “risk vectors.”

In the first half of 2022, breaches among smaller entities rose significantly. The reported percentage of breaches among specialty clinics jumped from 23% last year to 31% in 2022.

Similarly, breaches in the health services and supplies category (pharmacies, medical supply companies, and provider alliances) rose from 10% of all breaches in the first half of 2021 to 14% in 2022, and physician group breaches have risen five-fold to account for 12% of all breaches.

Accreditation and certification reduce the number of audits

When shopping for cyber insurance, larger hospital systems report participating in large meetings with a dozen or more insurance carriers and underwriters, as hospital officials attempt to convince at least one carrier to offer them a policy.

Insurance reps ask pointed questions about a system’s cybersecurity practices, while healthcare IT executives extol their security policies and practices, stressing increased maturity and ability to thwart cyberattacks.

Healthcare-industry standard accreditation and certification programs can eliminate much of this process between insurers and providers.

Tim Pletcher, executive director of the Michigan Health Information Network (MiHIN), is acutely aware of when cybersecurity insurance comes up for renewal and expresses confidence — thanks to accreditation from EHNAC and certification from HITRUST.

“While those (insurance) discounts have not yet actualized, I believe that will be possible down the road,” Pletcher says of third-party accreditation. “Our major health system participants do their own mini audits of our organization which create hundreds of hours of added work for us. We can take standard templates from EHNAC or HITRUST and have them cross-translate that into our own needs, relieving some of the burden off of our cybersecurity teams.”

MiHIN’s network consists of thousands of participants exchanging information, including health systems, hospitals, care providers, behavioral health clinics, FQHCs, PIHPs, health plans/payers, pharmacies, post-acute care, and hospices, so Pletcher has a unique view of the healthcare IT landscape in Michigan.

From that perspective, he expects to see groups of providers pool their cybersecurity resources and self-insure to combat increasing premiums and ever-higher attestation standards. He posits that it’s also possible that a cybersecurity company could offer cyber services to healthcare providers while insuring them against losses.

“There’s enough of a market for self-insurance and cybersecurity services that if somebody came along and bundled those two together, it could be a really powerful combination,” Pletcher says.

Adequate coverage starts with standard practices

An endpoint protection solution or a multi-factor authentication solution won’t create the confidence in a provider’s IT network that insurance companies need to make solid, data-based pricing, underwriting, and coverage decisions.

In 2021, the cyber insurance industry’s loss ratio was 73%, up from 52% in 2019, pointing to turbulence in the industry. At the same time, 75% of respondents to a global survey reported experiencing at least one cyberattack in the past year. In even more troubling news, just 3% of respondents categorized their cyber hygiene as excellent.

Another survey showed that 14% of North American companies have cyber insurance coverage that exceeds $600,000, leaving companies on the hook for potentially millions in unreimbursed costs in the event of a breach or cyberattack. It’s no wonder, then, that 20% of companies in the U.S. and across Europe went out of business following a cyber incident.

Requiring some type of industry accreditation/certification framework that meets the Public Law 116-321 standard of “recognized security practices” would help providers recognize and adopt standard minimum privacy and security protocols while giving insurance companies better insight into security practices.

However, not all third-party assurance mechanisms are actual certifications or accreditations as some entities hold them out to be (i.e., SOC 2 is not a certification), and those that are true certifications/accreditations are not created equal.

Assurances that are independently validated and then issued by a third-party certification or accreditation body add a further layer of quality assurance to the process, making the result more reliable for an organization seeking to establish trust.

Cyber insurers and underwriters have explicitly indicated that cybersecurity assurance reports that are neither independently validated nor credentialed by an independent certification or accreditation body do not give them greater comfort about an organization’s security hygiene and cyber program maturity.

The article was written by Lee Barrett, executive director and CEO, EHNAC, the Electronic Health Network Accreditation Commission, and includes contributions by Michael Parisi, vice president of adoption, HITRUST.