Skip to Main Content

The Emerging Landscape of Healthcare Cyber Insurance  

Authored by Bridget Haraslic, Product Marketing Manager

Hospitals, outpatient care, clinics, and other healthcare facilities face increasingly granular cyber liability insurance coverage requirements. Unprecedented claim payouts from ransomware attacks have led to a hardened market, and cyber insurers want to reduce their risk.  

Healthcare organizations are tasked with demonstrating that they are safe to insure. Unfortunately, healthcare has the highest average cost of a data breach, 12 years in a row, so underwriters require more stringent security controls.   

Many healthcare organizations are on a path of tightening security through modernization and aligning to security frameworks, including a Zero Trust Architecture and HITRUST. They also realize that strong identity security and access governance is business essential to secure their operations. According to IDSA, thirty-one percent said IAM (Identity and Access Management) investments were a part of their cyber insurance investments, an area of growing importance in cyber security strategies, and 25% are including identity as part of vendor management efforts. 

However, acute care hospitals and post-acute care organizations often have security gaps in governing identity security. They experience dangers of accumulated access; for example, when a long-time employed nurse never gets access removed from previous roles. Hospitals also are at risk when they don’t have continuous visibility and operational oversight of non-employee access (affiliated physicians, contract clinical staff, or medical/nursing students). 

Demonstrating reduced risk to underwriters 

How do organizations demonstrate reduced risk to underwriters by delivering just enough timely access while maintaining the least privilege? SailPoint is one of 18 technology vendors participating in the NCCoE project to demonstrate several approaches to implementing zero trust architectures, designed and deployed according to the concepts and tenets documented in NIST’s Zero Trust Architecture special publication (SP 800-207).    

“Underwriting itself is really on steroids.”  
– SailPoint Cyber Insurance Webcast Speaker, Beth Burgin Waller, Esq., Chair, Cybersecurity & Data Privacy Practice, Woods Rogers PLC  

Insurers want to see the Zero Trust architecture is followed, and those healthcare organizations can demonstrate reduced identity security risk through: 

  • Secure Access Controls: Granting just enough access using roles, fine-grained entitlements, permissions, and dynamic rules. 
  • Access Automation: As new users are onboarded or roles change, access is automatically granted and updated based on security access policies. To reduce risk exposure, unused access and dormant accounts are automatically remediated. 

Want to learn more about what the cyber insurance industry typically now requires, covers, and excludes? Listen to our webcast: Connecting the Dots Between Identity Security and Cyber Insurance.