Connected health devices are putting cybersecurity at risk, and existing insurance coverage may not be enough. But there are solutions.

In May 2017, 300,000 computers around the world were hit with the WannaCry ransomware attack, which targeted the outdated Windows XP operating system. Among those infected was the United Kingdom’s National Health Service (NHS).

As their computers, MRI scanners, blood storage refrigerators, and other devices were held hostage – awaiting a ransom to be paid in Bitcoin – the NHS restricted all but emergency care. The attack did not specifically target healthcare but impacted patients across the U.K.

Despite being aware of cyber attacks, some health clinics think they are too small to catch a criminal’s attention. However, with each patient’s data worth up to $1,000 on the black market, and the ability to target multiple clinics at once, hackers are not restricting their attacks to large health systems and insurers. Of 2016’s 450 reported breach incidents, 356 were of healthcare providers, affecting more than 27 million patient records. Half the cyber insurance claims in 2015 were filed by small and mid-sized healthcare organizations.

“Hospitals are more vulnerable than any other type of organization right now,” states Steve Morgan, founder and Editor-In-Chief at Cybersecurity Ventures. “Outdated systems, lack of experienced cyber personnel, highly valuable data, and added incentive to pay ransoms in order to regain patient data, are magnetizing hackers to the healthcare market.”

IoT Health Devices are at Risk

With the increase in connected Internet of Things (IoT) devices in healthcare – from wearable fitness trackers to connected vaccine refrigerators to pacemakers – hackers have even more entryways into a healthcare provider’s network. Beyond patient data, lives may be at risk if a hacker accesses a pacemaker. They could run down the battery or make adjustments to trigger an irregular heartbeat.

Students have already proven pacemaker hacks are possible, and the FDA was so concerned about the problem that it issued a recall of nearly half a million of the devices in 2016. Researchers fear that the vulnerabilities could open the way to anything from life-threatening ransomware demands, to hobbyist hackers causing unintended harm, or even disruptions from a software glitch or natural disaster.

Existing Insurance May Not Cover Cybersecurity

Healthcare providers have long relied on general liability and malpractice insurance for protection and may not notice gaps in their coverage when it comes to relatively new cyber threats. Many newer policies have exclusions for cyber-related breaches.

Digital loss cases that end up in court see mixed results. Some policyholders argue their loss of data or function equates to property damage while insurers insist the property itself was not injured. Courts have decided in favour of either side of the debate, leaving ambiguity about what is covered and what is not.

Cyber Insurance Offers Some Protection, But Not Enough

The ambiguity has opened doors for cyber risk insurance, which covers liabilities resulting from cyber-related attacks and breaches. Legislation such as 2018’s EU General Data Protection Regulation (GDPR) is helping drive the demand for cyber insurance as healthcare companies and others are tasked with keeping user data safe.

This cyber insurance segment is expected to grow globally to $14 billion by 2022. As of 2017, Chubb, American International Group, and XL Group controlled 40 percent of the market.

However, having a cyber insurance policy may not be enough. Many of these policies cover digital losses such as customer notification, credit monitoring, and legal fees, but skip bodily injury and property damage. If a hacked medical device causes injury, not all cyber policies would provide coverage, leaving the hospital or manufacturer on the hook for patient lawsuits. Policies that do cover such a wide range of damages are not common.

Insurers Face Challenges Calculating Cyber Risk

For insurers, estimating the loss of customer personal information is one thing, but there are no standards for calculating coverage for losses to intellectual property or injury resulting from a cyber event. The industry needs more data.

As Tom Harvey of Risk Management Solutions points out, “it took 15 years to build the data sets that underlie the complex and detailed natural catastrophe models insurers rely on today.” Insurers have not had enough time to get detailed cyber risk information, especially with threats shifting rapidly.

Guidewire’s Cyence is one platform working to improve cybersecurity risk predictions. They combine a wealth of data and machine learning to help insurance companies model cyber risk, adjusting as cyber threats shift.

Many cyber insurance policies have limits and sub-limits that may not cover a major security breach. Even $100 million in coverage may not be enough. There may be limits on business interruptions from problems at a cloud-based service provider, for example, since an outage at one service provider with few competitors can result in catastrophic losses for the insurer due to the number of businesses affected. Reinsurance companies could help mitigate this risk, allowing greater coverage for the insured.

The Future of Cybersecurity Insurance in Healthcare

The growing IoT market could be worth US$7.1 trillion by 2020 – about $2.5 trillion in health devices alone by 2025 – with every person in the world likely averaging six or more connected devices.

This is expected to create a coverage gap for insurers and reinsurers to fill. By 2022, the cyber insurance market is forecast to reach $14 billion.

Insurers also have an opportunity to limit cyber losses by proactively helping prevent such attacks. Some insurers regularly test the insured’s systems for vulnerabilities, finding potential breach points before attackers do. Consultation services also help healthcare providers protect themselves, installing appropriate hardware and patches while educating medical staff on how to protect the organization from cyber threats.

“As we become more digitised, cyber security ought to be the next big thing,” suggests Sabine VanderLinden of Startupbootcamp InsurTech. “Everything we do that uses technology will be at risk of a hack.”