
    Why you hate to think about cyber insurance, but probably should

    Cyber insurance is a classic avoidance topic for a lot of GPs and even GP owners, but it may not be anywhere near as complex and scary as it always seems.


    Former FBI director Robert Mueller famously said more than a decade ago: “There are two types of companies, ones that have been hacked and ones that will be”, to which he added a third category: “ones that will be again”.

    You’d think that GP owners and practice managers, most of whom still keep their servers under a desk or in the back room (76% of practices, according to a recent piece of research), the way most other industry sectors did circa 1989 – yes, you’re meant to be embarrassed – would be keen to keep up with trends in healthcare hacking and cyber insurance, given the damage that can easily be done. Mostly, they aren’t.

    It comes across as an expensive can of worms, so it gets kicked down the road a fair bit: complex, scary, expensive, hard to map onto anything you could actually do, and easier to think “I don’t hear many of my peers saying it’s a problem yet, and we’re small bikkies anyway, they’re after the big providers and their databases, surely”.

    There’s good news and bad news for GPs in this thinking.

    The bad news is that hackers don’t have a priority list of who to hit in healthcare.

    The primary reason they will get you, according to Jess Millen, who works in business development at global cyber insurer Coalition, is that you have a weakness they can exploit, and across our 7000 or so GP practices there are rich pickings in the cyber security loopholes department.

    “It’s not spearfishing, it’s trawling, it’s very opportunistic,” Ms Millen told last week’s Australasian Institute of Digital Health’s Primary Care Digitally Connected Summit in Sydney.

    Translation: Mueller is right, it’s probably only a matter of time before you do get hacked, so you had best have a think about how you’re set up for when it does happen.

    According to the Office of the Australian Information Commissioner and the Sophos State of Ransomware in Healthcare 2024 report, last year the average ransomware claim for Australian healthcare providers was $355,000, the average cyber claim was $134,000, and 78% of healthcare organisations hit by ransomware took more than a week to recover.

    Can you afford to be out of action for a week or more?

    Here is the good news.

    Ms Millen thinks there’s a fundamental misunderstanding in healthcare about the nature of working with a cyber insurer, based on how people generally think about, and take out traditional insurance.

    Things may not be as hard or as bad as people think – of course, with the title “business development manager”, she would say that, right? But read on; she nonetheless makes some sense.

    Ms Millen says most people think of cyber insurance through the lens of traditional insurance for physical assets: property, inventory, people on the premises, even cash held on the premises. That model is static and reactive only.

    But the cyber insurance model is all about prevention and risk management (ironic, right, if you think about our biggest problem today in healthcare – trying to pivot to prevention). It’s proactive.

    In this respect her company, and most other good cyber insurers, operate far more like technology companies – actively assessing and monitoring your risk, advising on weaknesses and prevention – than as insurers who simply pay out after the event.

    Their model is: take some money, avoid the event if possible, and if not, minimise it so the payouts are small.

    The CEO of Coalition is a former senior manager at major global security tech firm Cloudflare, an alumnus of Microsoft and, hmmmm … the CIA, if that makes you feel better.

    This proactive tech-led approach can make engagement with the right cyber insurer a lot less painful than people think.

    The starting point for Coalition is always a full risk audit to understand your exposure, which of course then feeds into the cost of cover. That’s also just smart business.

    For GPs it may not be anywhere near as bad or expensive as people think.

    When asked if there was an existential security risk to the GP sector in Australia from 76% of servers being onsite, often in small practices with little capital to add a cyber insurance bill to the pile of existing bills, Ms Millen said, “not necessarily” and “there’s a lot of simple things practices in this situation can do to substantively reduce risk”.

    Two things she suggested were:

    • Back all your patient and financial data up to a secure offsite provider, at least once per week;
    • Go to the trouble of basic training for all staff members who might accidentally create access for bad-actor trawlers: things like password policy, two-factor authentication and so on.

    Both things are simple, and both would substantively reduce the cost of taking out cyber insurance. One practical check on the first: a backup only counts if you have actually test-restored from it, and if the credentials that run the practice day to day cannot simply delete or encrypt it along with everything else.

    Ms Millen says the main thing about working with a cyber insurer now is that the insurer is always proactive, rather than sitting in the background as just another cost. Coalition connects to clients’ systems, monitors them, and advises on bad-actor activity and the state of their technology.

    She also says that if you host your servers off-site, that hosting needs assessing just as much as the server sitting under your desk.

    Someone needs to check how secure your third-party suppliers are; not all cloud providers are secure, she points out.

    It’s not how I ever thought about insurance companies, although when you think about it, it’s exactly the major emerging strategy of private health insurers now.
