Do independent practices need cybersecurity insurance?

Recent cyberattacks targeting large healthcare entities like Change Healthcare, Kaiser Permanente, and Ascension, along with hundreds of smaller data breaches, have caused widespread disruption across the industry, impacting at least 80% of practices and millions of patients. Unsurprisingly, healthcare cybersecurity has fallen under intense scrutiny in 2024. 

Four months after the Change Healthcare breach, its financial impact on parent company UnitedHealth Group is ongoing. The company says it’s paid more than $6.5 billion to providers. Currently a defendant in dozens of class action lawsuits, UHG continues to face new litigation. The United States Department of Health and Human Services just recently cleared UHG to begin notifying patients according to HIPAA requirements. With 1 in 3 Americans believed to have been impacted, the cost of notification will be substantial. During congressional hearings in May, Andrew Witty, CEO of UHG, described the healthcare giant as “self-insured” and therefore solely responsible for a $22 million ransom payment it made to a ransomware group soon after the incident. 

Comprehensive cybersecurity insurance could have protected UHG from taking such a large financial hit. The situation illuminates why cybersecurity insurance is a necessity for healthcare organizations of any size. Smaller practices have fewer patients and fewer regulatory requirements than large entities, but they’re not immune to substantial financial and legal risks. Furthermore, a cyber breach leading to a large liability payout or severe reputational damage could devastate — or potentially destroy — a smaller healthcare business.

This explainer outlines the features of a cyber insurance policy and explores why it should be part of your practice’s incident response plan. It also covers essential steps that assist in selecting the best possible cybersecurity coverage for your business. 

Cybersecurity insurance protects healthcare organizations against the risks associated with a cyberattack. A cyber policy is designed to address specific factors involved in a cyber breach, which can lead to significant loss and reputational damage. Cybersecurity coverage provides financial support and resources that help healthcare organizations mitigate the impact of a cyber incident. 

A general insurance policy may include limited cybersecurity coverage, but this typically doesn’t address the complex risks involved in a cyber breach. Some insurers offer add-on cybersecurity coverage for an additional fee to supplement the general insurance policy. However, most add-on cyber insurance coverage isn’t comprehensive enough to ensure your practice can successfully mitigate the risks of a cyberattack.

In the aftermath of a cyberattack, your practice must mitigate the impact on patients, partners, and your own business. A comprehensive incident response plan guides you through practical steps to enhance security and speed recovery. 

However, there are costs involved in restoration, and you could also be held legally and financially responsible for a range of damages related to the cyber breach. 

Examples of risks associated with a cyberattack include:

Practices could be liable for failing to back up data or for responding slowly or inadequately to a cyber breach.

If a cyber breach involves unsecured protected health information, the HIPAA Breach Notification Rule requires practices to notify affected individuals and government officials. Depending on your practice size and the type of breach, notification costs can be significant.

If a practice is found non-compliant with regulatory requirements, it may incur a substantial fee or penalty. Failing to comply with payment card industry standards can also result in fines and penalties.

Additionally, legal fees can escalate if affected patients and other stakeholders file lawsuits against the practice. 

Improving security after a cyber breach can include post-incident forensics to determine the origin of the breach, software or hardware upgrades, access control enhancements, and other measures.

Cyberattacks can lead to revenue loss and may also erode patient trust, affect retention, and damage your practice’s reputation, potentially causing a significant financial impact. 

A cybersecurity policy can cover a broad spectrum of direct and indirect consequences a practice may experience after a cyber incident. 

There are 2 primary types of cybersecurity insurance:

First-party cybersecurity insurance covers liabilities directly incurred by practice, such as:

First-party insurance usually includes media injury coverage for the dissemination of damaging information resulting from a cyberattack. Examples include the sharing of sensitive information on public platforms, defamation, or misinformation caused by data manipulation.

Third-party cybersecurity insurance covers costs that impact patients and third-party businesses. These include legal expenses for defending against third-party claims or lawsuits, and compensation payments made to third parties for losses or damage caused by the cyber breach.

A cybersecurity policy that meets your practice's specific needs is crucial to safeguarding your business against cyber threats. Different insurers offer policies with various coverage limits and add-on options. Determining what type of coverage your practice does (or doesn’t) need is crucial to ensure you’re getting the best value at the best price.

The following 5 steps can help you understand your practice’s cyber insurance needs so you can effectively assess policy options.

A risk level assessment reveals where your practice is most vulnerable to liability. Understanding your risk level in detail helps determine exactly what your practice needs in a cybersecurity policy. 

A risk assessment typically involves:

If your practice has never experienced a cyberattack, research incidents that happened to other practices. Look for events affecting businesses similar to your practice in size, specialty, location, and other factors. If possible, review information about insurance coverage at the time of the event, the post-event response, and the overall financial impact on the practice.

Request quotes from multiple insurance providers to compare coverage options and pricing. Each quote should include a detailed breakdown of coverage, limits, and premiums.

When reviewing each quote, confirm that policy limits will adequately cover losses related to a major cyberattack. Compare limits against premiums to ensure the amount of protection is acceptable for the price, and check deductibles to determine out-of-pocket expenses.

Well-known insurers that offer cybersecurity policies:

Designed specifically for small businesses, Chubb’s Digitech/Cyber Enterprise Risk Management policies are comprehensive and highly customizable. The company has been in the cyber insurance business since 1998, so it has extensive experience managing cybersecurity claims and providing loss-mitigation services.

Travelers’ CyberRisk insurance offers flexible coverage that can be customized for businesses of all sizes. In addition to liability coverage, Travelers provides “pre-breach” services through a partnership with HCL Technologies, a global cybersecurity leader.

CyberRiskConnect by AXA XL provides expanded coverage under broad terms designed to protect against emerging cyber risks. These customizable policies include preventive services such as privacy awareness training and incident response planning support.

Like Chubb, AIG has extensive claims experience, having provided cyber insurance since 1999. AIG’s CyberEdge coverage includes an enhanced cyber risk assessment and digital tools that help clients prioritize and improve cybersecurity investments.

Coverage exclusions can significantly increase your out-of-pocket costs. To avoid being caught off-guard by an uncovered event, carefully review each policy to understand what is not covered. For example, some policies have exclusions for physical damage, human error, insider attacks, or acts of war. 

Add-on coverage provides extra protection for specific risks. Add-ons can fill coverage gaps due to a standard exclusion or cover a less common risk related to your specialty, patient base, or unique practice profile. For example, if a basic policy doesn’t cover certain risks, such as data extortion or media liability, purchasing an add-on policy can ensure your practice is fully protected.

Other types of add-on coverage include: 

Don’t worry if your budget won’t accommodate multiple add-ons. While add-ons can increase protection, many of them are designed for larger organizations. Use your risk assessment to prioritize the most relevant coverage, and seek add-on options that clearly address your practice’s needs. 

After selecting a cybersecurity policy, be sure to have a legal expert review the contract. This helps to clarify any ambiguous language, ensures the policy complies with regulations, and may identify any hidden gaps that could leave your practice unprotected.

Cyberattacks on healthcare organizations have the industry on high alert. However, learning from the 2024 cyber incidents can empower independent practices. Taking a proactive approach to cybersecurity means planning ahead — and that includes having a robust cybersecurity policy in place before you need it. Investing the time and resources into finding and purchasing the right policy can significantly boost your practice’s resilience in the event of a cyberattack.

For more helpful information about cybersecurity for independent healthcare practices, read our Cybersecurity in Healthcare Guide. You also may wish to use this free risk assessment tool created by the Office of the National Coordinator for Health Information Technology (ONC).

Tebra makes practice management software that streamlines workflows while keeping sensitive data safe and secure and ensuring HIPAA compliance. Schedule a free demo of our ONC-certified platform to learn more.