The Intake

Insights for those starting, managing, and growing independent healthcare practices

Do independent practices need cybersecurity insurance?

Cybersecurity insurance is a necessity for healthcare organizations of any size.


At a Glance

  • Comprehensive cybersecurity insurance is essential for healthcare practices to protect against financial and legal risks from cyberattacks.
  • Cybersecurity insurance covers costs not addressed by general insurance, including data breaches, ransomware, and crisis management.
  • Independent practices must assess their specific risks and choose tailored cybersecurity policies to safeguard their operations and patient trust.

Recent cyberattacks targeting large healthcare entities like Change Healthcare, Kaiser Permanente, and Ascension, along with hundreds of smaller data breaches, have caused widespread disruption across the industry, impacting at least 80% of practices and millions of patients. Unsurprisingly, healthcare cybersecurity has fallen under intense scrutiny in 2024. 

Four months after the Change Healthcare breach, its financial impact on parent company UnitedHealth Group is ongoing. The company says it’s paid more than $6.5 billion to providers. Currently a defendant in dozens of class action lawsuits, UHG continues to face new litigation. The United States Department of Health and Human Services just recently cleared UHG to begin notifying patients according to HIPAA requirements. With 1 in 3 Americans believed to have been impacted, the cost of notification will be substantial. During congressional hearings in May, Andrew Witty, CEO of UHG, described the healthcare giant as “self-insured” and therefore solely responsible for a $22 million ransom payment it made to a ransomware group soon after the incident. 

Comprehensive cybersecurity insurance could have protected UHG from taking such a large financial hit. The situation illuminates why cybersecurity insurance is a necessity for healthcare organizations of any size. Smaller practices have fewer patients and fewer regulatory requirements than large entities, but they’re not immune to substantial financial and legal risks. Furthermore, a cyber breach leading to a large liability payout or severe reputational damage could devastate — or potentially destroy — a smaller healthcare business.

This explainer outlines the features of a cyber insurance policy and explores why it should be part of your practice’s incident response plan. It also covers essential steps that assist in selecting the best possible cybersecurity coverage for your business. 


What is cybersecurity insurance?

Cybersecurity insurance protects healthcare organizations against the risks associated with a cyberattack. A cyber policy is designed to address specific factors involved in a cyber breach, which can lead to significant loss and reputational damage. Cybersecurity coverage provides financial support and resources that help healthcare organizations mitigate the impact of a cyber incident. 

Does general insurance cover cyberattacks? 

A general insurance policy may include limited cybersecurity coverage, but this typically doesn’t address the complex risks involved in a cyber breach. Some insurers offer add-on cybersecurity coverage for an additional fee to supplement the general insurance policy. However, most add-on cyber insurance coverage isn’t comprehensive enough to ensure your practice can successfully mitigate the risks of a cyberattack.

General insurance

  • Primarily covers risks such as property damage, liability, and employee incidents; may include limited cybersecurity coverage as an add-on or rider
  • May not cover all types of cyber threats
  • Cybersecurity coverage typically lacks the depth and specificity needed for thorough risk management
  • Claims processing isn’t tailored to handle cyber incidents, potentially causing complications or delays

Cybersecurity insurance

  • Covers a wide range of risks, such as data breaches, ransomware, denial-of-service attacks, malware infections, and insider threats
  • Provides extensive coverage for direct and indirect costs arising from cyber incidents
  • Usually covers specialized support services such as cybersecurity experts, incident response teams, and crisis management resources
  • Claims processing infrastructure is designed to handle cybersecurity events

Risks of cyberattacks for independent practices 

In the aftermath of a cyberattack, your practice must mitigate the impact on patients, partners, and your own business. A comprehensive incident response plan guides you through practical steps to enhance security and speed recovery. 

However, there are costs involved in restoration, and you could also be held legally and financially responsible for a range of damages related to the cyber breach. 

Examples of risks associated with a cyberattack include:

Data protection and recovery

Practices could be liable for failing to back up data or for responding slowly or inadequately to a cyber breach.

Notifications 

If a cyber breach involves unsecured protected health information, the HIPAA Breach Notification Rule requires practices to notify affected individuals and government officials. Depending on your practice size and the type of breach, notification costs can be significant.

If a practice is found non-compliant with regulatory requirements, it may incur a substantial fee or penalty. Failing to comply with payment card industry standards can also result in fines and penalties.

Additionally, legal fees can escalate if affected patients and other stakeholders file lawsuits against the practice. 

Cybersecurity improvements

Improving security after a cyber breach can include post-incident forensics to determine the origin of the breach, software or hardware upgrades, access control enhancements, and other measures.

Loss of revenue and reputational damage

Cyberattacks can lead to revenue loss and may also erode patient trust, affect retention, and damage your practice’s reputation, potentially causing a significant financial impact. 

What does cybersecurity liability insurance cover?

A cybersecurity policy can cover a broad spectrum of direct and indirect consequences a practice may experience after a cyber incident. 

There are 2 primary types of cybersecurity insurance:

First-party cybersecurity insurance

First-party cybersecurity insurance covers liabilities directly incurred by the practice, such as:

  • Recovery and restoration of lost or compromised data
  • Forensic services to investigate the breach 
  • Notification services
  • Legal costs 
  • Crisis management and PR
  • Cyber extortion (ransom payments)
  • Income loss

First-party insurance usually includes media injury coverage for the dissemination of damaging information resulting from a cyberattack. Examples include the sharing of sensitive information on public platforms, defamation, or misinformation caused by data manipulation.

Third-party cybersecurity insurance

Third-party cybersecurity insurance covers costs that impact patients and third-party businesses. These include legal expenses for defending against third-party claims or lawsuits, and compensation payments made to third parties for losses or damage caused by the cyber breach.

How do I choose the right cybersecurity policy for my practice?

A cybersecurity policy that meets your practice's specific needs is crucial to safeguarding your business against cyber threats. Different insurers offer policies with various coverage limits and add-on options. Determining what type of coverage your practice does (or doesn’t) need is crucial to ensure you’re getting the best value at the best price.


The following 5 steps can help you understand your practice’s cyber insurance needs so you can effectively assess policy options.

1. Assess your practice’s risk level

A risk level assessment reveals where your practice is most vulnerable to liability. Understanding your risk level in detail helps determine exactly what your practice needs in a cybersecurity policy. 

A risk assessment typically involves:

  • Evaluation of patient data: Conduct a quantitative inventory of all patient data the practice handles, including personal identification information, medical records, and financial details.
  • Cybersecurity audit: Examine your practice’s existing cybersecurity protocols and evaluate the effectiveness of firewalls, encryption standards, access controls, and employee education.
  • Vulnerability assessment: Assess your practice’s “attack surface” to pinpoint security gaps, such as outdated software, insufficient employee training, or weak password protocols.
  • Review of previous cyber events: Review the details of any prior incidents to identify security weaknesses, response effectiveness, and operational impacts. Evaluate experience with coverage or processing of any insurance claims related to a cyber event. 
  • Cost estimates: Where possible, estimate the maximum loss your practice could incur from these risks, if uninsured.

If your practice has never experienced a cyberattack, research incidents that happened to other practices. Look for events affecting businesses similar to your practice in size, specialty, location, and other factors. If possible, review information about insurance coverage at the time of the event, the post-event response, and the overall financial impact on the practice.

2. Obtain multiple quotes

Request quotes from multiple insurance providers to compare coverage options and pricing. Each quote should include a detailed breakdown of coverage, limits, and premiums.

When reviewing each quote, confirm that policy limits will adequately cover losses related to a major cyberattack. Compare limits against premiums to ensure the amount of protection is acceptable for the price, and check deductibles to determine out-of-pocket expenses.

Well-known insurers that offer cybersecurity policies:

Chubb

Designed specifically for small businesses, Chubb’s Digitech/Cyber Enterprise Risk Management policies are comprehensive and highly customizable. The company has been in the cyber insurance business since 1998, so it has extensive experience managing cybersecurity claims and providing loss-mitigation services.

Travelers

Travelers’ CyberRisk insurance offers flexible coverage that can be customized for businesses of all sizes. In addition to liability coverage, Travelers provides “pre-breach” services through a partnership with HCL Technologies, a global cybersecurity leader.

AXA XL

CyberRiskConnect by AXA XL provides expanded coverage under broad terms designed to protect against emerging cyber risks. These customizable policies include preventive services such as privacy awareness training and incident response planning support.

AIG

Like Chubb, AIG has extensive claims experience, having provided cyber insurance since 1999. AIG’s CyberEdge coverage includes an enhanced cyber risk assessment and digital tools that help clients prioritize and improve cybersecurity investments.

3. Be sure to review policy exclusions

Coverage exclusions can significantly increase your out-of-pocket costs. To avoid being caught off-guard by an uncovered event, carefully review each policy to understand what is not covered. For example, some policies have exclusions for physical damage, human error, insider attacks, or acts of war. 

4. Consider add-on coverage

Add-on coverage provides extra protection for specific risks. Add-ons can fill coverage gaps due to a standard exclusion or cover a less common risk related to your specialty, patient base, or unique practice profile. For example, if a basic policy doesn’t cover certain risks, such as data extortion or media liability, purchasing an add-on policy can ensure your practice is fully protected.

Other types of add-on coverage include: 

  • Social engineering: Damage due to deception or manipulation of employees by cyber criminals
  • Cryptojacking: Attacks involving the mining of cryptocurrencies via a victim's computer
  • Identity restoration: Services to mitigate identity theft
  • Prior acts: Breaches that occurred prior to purchasing the policy

Don’t worry if your budget won’t accommodate multiple add-ons. While add-ons can increase protection, many of them are designed for larger organizations. Use your risk assessment to prioritize the most relevant coverage, and seek add-on options that clearly address your practice’s needs. 


After selecting a cybersecurity policy, be sure to have a legal expert review the contract. This helps to clarify any ambiguous language, ensures the policy complies with regulations, and may identify any hidden gaps that could leave your practice unprotected.

Cyber insurance: Part of a proactive strategy

Cyberattacks on healthcare organizations have the industry on high alert. However, learning from the 2024 cyber incidents can empower independent practices. Taking a proactive approach to cybersecurity means planning ahead — and that includes having a robust cybersecurity policy in place before you need it. Investing the time and resources into finding and purchasing the right policy can significantly boost your practice’s resilience in the event of a cyberattack.

For more helpful information about cybersecurity for independent healthcare practices, read our Cybersecurity in Healthcare Guide. You also may wish to use this free risk assessment tool created by the Office of the National Coordinator for Health Information Technology (ONC).

Tebra makes practice management software that streamlines workflows while keeping sensitive data safe and secure and ensuring HIPAA compliance. Schedule a free demo of our ONC-certified platform to learn more. 

Amantha May, freelance healthcare writer

Amantha May is a freelance healthcare writer specializing in health tech, primary care, and health equity. She has written for a large range of clients, including medical equipment manufacturers, large health systems, digital health entrepreneurs, and private practices.
