Hospital Cybersecurity
Following a wave of cyberattacks, hospitals struggled to retain cyberinsurance coverage and prevent premiums from skyrocketing. They turned to their state hospital association for help. Health Business Group leveraged expertise in cybersecurity and healthcare to recommend a course of action.
Background
Ransomware and other devastating cyberattacks on hospitals had resulted in enormous payouts by cyberinsurance carriers, leading to tougher underwriting standards, non-renewal of coverage, and rapidly rising premiums
Member hospitals asked their state hospital association, which already provided IT services, to develop a plan to assist
Client request
Develop a business case for a service offering to enable members to maintain coverage and lower premiums
Combine cybersecurity expertise, knowledge of hospitals, and business planning skills to craft a plan that CEOs would understand, technical staff would endorse, and Client could implement
Develop a summary presentation for upcoming board meeting
Key issues for consulting team to address
Context for cybersecurity
Hospitals’ common and unique roles within broader cybersecurity landscape
Insurance carrier requirements and opportunities to influence
Case for collaboration
Role for statewide association v. individual hospitals v. national organizations
Insurance carrier perspectives on group initiatives
Governmental initiatives
Client core competencies in IT and security
Best practices
Roles played by other statewide and national hospital and health care entities
Examples from more advanced industries, e.g., financial services
Vendor-led initiatives
Potential offerings, e.g.,
Education and support
Technology and services
Captive insurance and pooled purchasing
Health Business Group approach
Health Business Group leveraged its partner company, Atumcell, for deep cybersecurity expertise to complement its healthcare knowledge
Secondary data sources included the HBG and Atumcell knowledge base, insurance industry sourcebooks, government data and whitepapers
Primary sources included interviews with state and national hospital associations, insurance brokers and carriers, cybersecurity experts, and vendors
Laid out a series of robust offerings to address underlying cybersecurity risk while satisfying insurer requirements. Steered clear of mere “check the box” solutions
Developed CEO-level presentation for association’s board
Outlined next steps to gather member feedback, develop a formal business plan, and begin implementation
Outcomes
Took advantage of C-level attention caused by cyber insurance crisis to lay out a robust, long-term approach to reduce risks
Established basis for Client to develop a new line of business with strong potential in local market and nationwide