HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Only 30% of Healthcare Organizations Have Taken Out Cybersecurity Insurance

A recent survey conducted by Ovum on behalf of analytics firm FICO has revealed there has been a major increase in companies taking out cybersecurity insurance, but the healthcare industry has been slow on the uptake.

In 2017 when the survey was last conducted, 50% of U.S. firms reported that they had not taken out a cybersecurity insurance policy. That percentage has fallen to 24% in 2018. While many businesses see the value in paying insurance premiums to cover the cost of mitigating cyberattacks and data breaches, that does not appear to be the case for healthcare companies.

Only 30% of healthcare organizations have taken out cybersecurity insurance policies. 70% have no cybersecurity insurance cover whatsoever, even though the industry is targeted by hackers. The financial services industry, which is also heavily targeted by hackers, has been quick to take advantage of cybersecurity cover. Only 10% of surveyed financial firms had no coverage for cyberattacks.

The survey was conducted on 500 companies in 11 countries including the U.S., Canada, India, and the UK. The figures for the United States were the exact average across all surveyed countries, which is a major improvement on last year when U.S. companies ranked bottom out of all 11 countries for cybersecurity insurance uptake.

One of the main problems highlighted by the survey was unfair premiums which had not been accurately calculated based on the level of risk. Only a quarter of surveyed firms said their insurers had set premiums based on an accurate analysis of their company’s risk profile. A majority believed the premiums were calculated on industry averages, inaccurate analyses, or unknown factors.

The increased risk of cyberattacks and the litigation that usually follows has spurred many companies to take out policies, but in many cases the cover provided is not comprehensive. Only a third of U.S. companies (32%) said their policy covered all cybersecurity risks. Even though policies have been taken out, they may not pay out in the event of a breach.

“Given the number of large-scale and very public breaches in recent years, it’s not surprising that we’ve seen a big increase in US organizations investing in it over the past 12 months, but there’s still some way to go,” said Doug Clare, vice president for cybersecurity solutions at FICO. “As the insurance market matures and the litigation and fines increase we expect more firms will also go beyond basic coverage to seek insurance that is more comprehensive.”

However, that may not tell the whole story. Maxine Holt, research director at Ovum, suggested it may be a case of companies having a risk profile that insurers are not prepared to cover comprehensively.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.