Cybersecurity Insurance Coverage

You probably know by now that cybersecurity insurance coverage is essential for your business. You likely already have a policy. So you’re all set, right? Well, you might not know that when you work in the healthcare space (or any other regulatory space), your policy won’t always cover you when you’re breached. Why not? That’s what you are paying for, isn’t it? 

Yes, but your policy has no value if you are not complying with all of the laws and regulations governing your industry. If you’re in healthcare, this means HIPAA.

Your Policy Asks If You’re Compliant

When you sign a cyber liability insurance policy, you attest that your business complies with the laws regulating it. If it does not, you are misrepresenting yourself, which voids your policy. What does this mean in practice? Your policy asks whether you are compliant. If you answer yes, later file a claim, and the carrier finds that you were not compliant, they won’t pay.

Cybersecurity Insurance Requirements and HIPAA

Being HIPAA compliant is not only a requirement of your cybersecurity insurance policy, it can also lower your premiums. This is because HIPAA compliance and cybersecurity go hand in hand. HIPAA-compliant organizations are inherently more secure and therefore face a lower risk of being breached. Insurance carriers like this because you are less of a liability for them.

Let’s Simplify Compliance

Your policy won’t pay if you’re not HIPAA compliant. We can help!


Jeff Meyers, VP of Operations for Meyers Glaros, an Indiana-based insurance firm and provider of cybersecurity insurance, said: “The cybersecurity threat is something that hangs over every company in America, but more recently has been impacting midsize businesses. While cybersecurity insurance is the new normal for risk-averse organizations, the monthly premiums can be tempered significantly by implementing the appropriate processes and procedures, employee training and robust security infrastructure to defend the organization.”

Carriers see you as a business they will likely not have to pay out for because, in their eyes, you probably won’t suffer a cybersecurity incident. And if you do, the scope of the incident will be limited.

Security controls such as encryption, transmission security, user authentication, and access controls are all required by HIPAA. All of these reduce the likelihood of a breach and can lower your insurance premiums. Audit logs, also a HIPAA requirement, support quick detection of breaches, and HIPAA further requires incident response plans to be in place so the organization can act quickly to mitigate the effects of an incident.

How Your Firm Factors In

As your healthcare client’s trusted security advisor, you will be expected to know what they need to do to meet cybersecurity insurance requirements. If your client has not met all HIPAA security requirements, this also creates an opportunity for you: they will need your help to meet the HIPAA Security Rule requirements so that their cybersecurity insurance coverage remains valid.

Some services your healthcare client may look to you to provide include end-to-end encryption of protected health information (PHI), password management, penetration testing, and implementation of a zero trust security strategy.

Have you talked to your client about HIPAA and their cybersecurity liability insurance?