The new report, which undertakes a ‘deep dive’ into the subject matter, comes from NetDiligence, which is a provider of cyber risk readiness and response services. The report is titled “Spotlight Healthcare” and it is a data-driven analysis of cyber risk insurance claims in the healthcare sector. The report follows on from a wider NetDiligence “2017 Cyber Claims Study”.
Cyber liability insurance trends
The 2017 review was based on actual cyber liability insurance reported claims. These were used to illuminate the real costs of incidents from an insurer’s perspective, with the added aim of helping risk management professionals and insurance underwriters to understand the impact of data insecurity. The report also projects future trends.
Healthcare specific cyber risks
With the specific healthcare sector analysis, there are several points of interest. The first relates to organizational size. Here the analysis indicates that most of the recent insurance claims related to small or mid-sized healthcare organizations. A second area of importance is the relatively higher size of insurance payouts for healthcare. Although healthcare claims comprised only 17 percent of claims in 2017, these claims represented 28 percent of total breach costs, to the tune of $229 million.
To give an idea of the size of data breaches, the report reveals that the average number of records exposed in a healthcare breach was 6 million. Tackling this brings with it complexities and costs. The average Total Breach Crisis Response cost (covering legal guidance, forensics, victim notification, credit monitoring and so on) for healthcare was three times higher than the average of all other business sectors: $676,000 compared with $204,000.
Types of healthcare cyber risks
In relation to the costs and complexities outlined above, the most common cyber attack on healthcare came from hackers using malicious code. This was followed by third parties (vendors), representing the second biggest cause of loss, exposing nearly 4 million healthcare records and incurring the highest legal damages. A third area of concern called out relates to so-called “rogue employees”. Employees who access, view or steal sensitive, protected or confidential patient information are divided into two categories: current employees and terminated employees whose user credentials were not revoked.
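The second “rogue employee” category above, terminated staff whose credentials were never revoked, is an offboarding control gap that can be checked mechanically. The following script is an added example and is not code from the NetDiligence report: it reconciles a constructed HR termination feed against a constructed identity-provider account export and a few constructed authentication log lines, flagging accounts still enabled past their termination date and any successful logins after that date. The roster format, the log line layout and all usernames, dates and addresses are assumptions for illustration.

```python
"""Offboarding-gap check: flag accounts of terminated staff that are still
enabled or that authenticated successfully after the termination date.

Added example, not from the NetDiligence report. Every name, date and log
line below is constructed sample data.
"""
from datetime import date, datetime

# Constructed HR feed: username -> termination date (None for current staff).
HR_ROSTER = {
    "jdoe": date(2017, 3, 1),
    "asmith": None,
    "rlee": date(2017, 5, 15),
}

# Constructed identity-provider export: username -> account enabled flag.
ACCOUNT_STATUS = {
    "jdoe": True,    # termination date has passed but the account was never disabled
    "asmith": True,
    "rlee": False,
}

# Constructed authentication log: "<ISO timestamp> <outcome> <user> <source address>".
AUTH_LOG = """\
2017-02-27T08:14:03 LOGIN_OK jdoe 10.1.4.22
2017-03-09T22:41:17 LOGIN_OK jdoe 203.0.113.8
2017-03-10T07:02:55 LOGIN_OK asmith 10.1.4.31
2017-05-20T01:15:00 LOGIN_FAIL rlee 198.51.100.5
"""


def parse_auth_log(text):
    """Yield (timestamp, outcome, user, source) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole sweep
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]


def stale_enabled_accounts(roster, status, today):
    """Users terminated on or before `today` whose account is still enabled."""
    return sorted(
        user for user, term in roster.items()
        if term is not None and term <= today and status.get(user, False)
    )


def post_termination_logins(roster, log_text):
    """Successful logins that occurred after the user's termination date."""
    hits = []
    for ts, outcome, user, src in parse_auth_log(log_text):
        term = roster.get(user)
        if outcome == "LOGIN_OK" and term is not None and ts.date() > term:
            hits.append((user, ts.isoformat(), src))
    return hits


if __name__ == "__main__":
    print("enabled after termination:",
          stale_enabled_accounts(HR_ROSTER, ACCOUNT_STATUS, date(2017, 6, 1)))
    print("logins after termination:", post_termination_logins(HR_ROSTER, AUTH_LOG))
```

Run on real data, the first function is the daily reconciliation that catches the missed deprovisioning, and the second is the detection that turns the same gap into an alert when the stale credential is actually used.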