The Importance of Cyber Insurance and Having a Plan
By: Daniel J. Contaldi, President and COO at IT Health Partners, LLC
We are overwhelmed with daily reminders of data breaches related to cyber threats. In 2020, 70% of ransomware attacks targeted small healthcare facilities with fewer than 500 employees. Healthcare records are the most valuable data to resell on the black market, which is why cyber criminals focus on this vertical. What makes these attacks successful are outdated computer systems and firewalls, older anti-virus systems, poor password management and, most important of all, the lack of an effective cyber training curriculum for staff. The human and social aspect of cybersecurity is the most important, since frequent training can and will reduce your threats.
Cyber insurance is vital to any organization as it transfers risk. It is important to note that cyber insurance companies have increased their minimum requirements for clients to include updated and secure computer systems, as this is a shared risk, and everyone needs to do their part in reducing exposure. Investing in technology, training and cyber insurance will not guarantee a breach will never occur, but it will significantly reduce the impact on your practice, keep you operational and decrease the likelihood of your practice becoming another statistic or having your name in the news.
Cybersecurity is truly a layered approach of technology and training. An important part of this for any organization is having a written and frequently tested incident response and recovery plan. You need to be prepared to call on your insurance provider, have documented steps for restoring data that is offsite and encrypted so that your practice is back in order quickly, decide who will orchestrate the plan, and finally hold a postmortem meeting to understand what worked and what needs improvement. This is an ongoing effort that will protect your practice and reputation.
Are your current insurance company and IT partners advising you on these efforts? If neither is asking you these questions or challenging you with these necessary investments, you may want to reconsider who you are doing business with. Your insurance company should provide you with a clear understanding of what your policy covers, as many will require an initial deductible which you will need to be prepared to pay. Does your policy cover court or attorney fees, overtime pay for your staff, or additional fees for your IT partner to assist in an unplanned and uncovered event? You need to know what to expect if an incident occurs and what additional out-of-pocket expenses you need to be prepared to pay.
Preventing a data breach is not a small task, and your success depends on the partners you select and on ensuring they are also looking out for your interests.