Cyber insurance costs rise in health care as attacks soar

Just how will that affect health care costs for employers?

By Rick Richardson
Technology This Week

Health systems – having already been hit by labor and supply chain costs and broader economic woes – have another unwieldy financial problem: the soaring costs of cyber insurance.

Moody’s Investors Service notes that, while it’s not sexy, the sheer size of cyber-crimes and insurers’ reluctance to cover losses brought on by ransomware attacks are seriously impacting hospitals.


“The timing of the insurance price increase is bad for health care. There isn’t much room for error,” said Matthew Cahill, a Moody’s analyst. There have been double-digit increases in premiums over the past four years, often more than tripling in a single year. According to a recent analysis from Property Casualty 360, the industry’s insurance costs have finally started to stabilize in the first quarter of 2023.

In an interview, Omid Rahmani, an associate director at the credit rating company Fitch Ratings, stated: “Costs are decelerating. That tells part of the story. But cyber insurance is becoming unaffordable or unavailable for a lot of small- to medium-sized issuers.”

Early in the century, when cyber insurance first appeared, it was frequently incorporated into other policies. According to Rob Rosenzweig, senior vice president and head of the national cyber risk group at Risk Strategies, when losses grew due to the attacks’ growing frequency and sophistication, insurers were forced to develop stand-alone policies. In other words, the coverage was not priced appropriately for the level of risk assumed.

Insurance companies have been raising the standards that health systems need to meet to strengthen their defenses and secure coverage. The new standards include strict data backup policies, the use of tools like multi-factor authentication, personnel security training, and network segmentation.

“Social engineering attacks, such as phishing, remain one of the most effective ways to breach a hospital system. The workforce remains the weakest link,” said Soumitra Bhuyan, a professor at Rutgers University and expert on health care’s evolving cyber insurance landscape. Social engineering is often treated as a separate policy extension by insurers.

Other limitations have also been added to the coverage, such as excluding cyberattacks supported by nation-states. This follows a new requirement by Lloyd’s of London, which now requires all insurance groups participating in its international insurance and reinsurance marketplace to exclude state-sponsored cyberattacks from their policies.

“With the increased rates and limited coverage, small independent and rural hospitals are at a significant disadvantage in obtaining cybersecurity insurance,” Bhuyan said.

“The gap between those with adequate resources to protect their information systems continues to increase,” Bhuyan said. “Many of these hospitals are critical access hospitals or hospitals in rural areas. They don’t have enough resources to secure their IT systems and may be unable to recover if a breach happens.”

Moody’s Cahill said that even though cyber insurance is becoming more expensive, the cost of a successful ransomware attack is still far worse. As evidence, he pointed to an Illinois system that listed one such attack as a contributing reason for the temporary shutdown of two of its rural hospitals in January.

In January, the pro-Russian group Killnet took credit for taking down portions of systems of more than a dozen U.S. hospitals, including Stanford Healthcare, Duke University Hospital and Cedars-Sinai.

According to Fitch Ratings, these cyberattacks are unlikely to result in downgrades for not-for-profit health institutions, but the use of more advanced cyber weapons that damage a hospital’s financial profile and compromise service could.

While some health systems are doing well, for a majority, there is still very little wiggle room to operate a month or two on manual records, divert services, and deny claims. And if the attack results in a closure, rural communities will face critical costs. They simply can’t afford not to have emergency services.