The healthcare sector had more than 1,700 cyber security incidents between November 1, 2023, and October 31, 2024 – up from 1,378 security incidents the year before. Those incidents affected many different types of healthcare providers, including radiology services, medical transportation firms and pharmacies. So far this year there have been three notable healthcare data breaches, making it clear that healthcare remains a primary target for cyber and ransomware attacks.

Cyber security coverage

Healthcare entities can face various types of cyberattacks (e.g., phishing, ransomware and malware) that can steal information or disrupt operations. To mitigate these risks, businesses should adopt comprehensive cybersecurity measures, including employee training, incident response plans and purchasing a cyber insurance policy.

This coverage can help protect healthcare entities against a wide range of risks and typically offers protection against a range of perils associated with data breaches and cyberattacks. This includes financial support for data recovery, legal expenses and liability claims resulting from breaches.

Additionally, policies often provide resources for risk management, incident response planning and access to cybersecurity experts to help mitigate future threats.

Network segmentation and patient safety

At the heart of the healthcare industry is patient safety. While a data breach can expose patient data, a ransomware attack that shuts down systems has the potential to not only delay critical care, but result in missed medication, incorrect dosage and even loss of life.

That’s why network segmentation is so important. Separating patient data, general network and medical device management systems can help prevent breaches and minimize damage. Let’s look at an example. The 2023 HCA Healthcare breach affected patient data across 20 states with interconnected systems. Had these networks not been tied together, access could have been slowed, limited or eliminated altogether.

With today’s AI-driven automation, real-time visibility and policy enforcement mechanisms, the process of network segmentation is no longer considered too difficult to implement. And with the proposed 2025 update to HIPAA security requirements, we expect it will ultimately become a standard approach to enhancing network security.
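To make the segmentation point concrete, the following is an added illustration (not from the original post or from Amwins) that models a network as an explicit allow-list between segments and measures how far a compromise in one segment could spread. The segment names, ports, rules and the sample flow-log lines are all constructed assumptions for the example; a real deployment would express the same policy in firewall or micro-segmentation tooling.

```python
"""
Constructed example: a segmented healthcare network expressed as a
default-deny allow-list between segments. It shows (1) the blast radius
of a compromise in a flat network versus a segmented one and (2) how
observed flows can be checked against the policy to raise alerts.
Segment names, ports and sample flows are assumptions, not real data.
"""
from collections import defaultdict, deque

# Assumed segment names for the example.
SEGMENTS = ("corporate_it", "clinical_workstations", "patient_data", "medical_devices")

# Allow rules as (source segment, destination segment, TCP port).
# Anything not listed is denied (default deny). Rules are one-directional.
SEGMENTED_RULES = {
    ("clinical_workstations", "patient_data", 443),      # EHR web front end (assumed)
    ("clinical_workstations", "medical_devices", 8443),  # device management console (assumed)
    ("medical_devices", "patient_data", 443),            # devices post results (assumed)
}


def flat_rules():
    """A flat network: every segment can reach every other on any port (port=None)."""
    return {(s, d, None) for s in SEGMENTS for d in SEGMENTS if s != d}


def allowed(rules, src, dst, port):
    """True if the policy permits src -> dst on this port (None = any port)."""
    return (src, dst, port) in rules or (src, dst, None) in rules


def adjacency(rules):
    """Segment graph: which segments each segment can reach on at least one port."""
    adj = defaultdict(set)
    for src, dst, _port in rules:
        adj[src].add(dst)
    return adj


def blast_radius(rules, compromised):
    """Segments reachable, transitively, from a compromised segment (excluding itself)."""
    adj = adjacency(rules)
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(compromised)
    return seen


def parse_flow(line):
    """Parse a constructed flow-log line of the form 'src=a dst=b port=n'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["port"])


def denied_flows(rules, flow_lines):
    """Observed flows the segmentation policy would deny; these are alert candidates."""
    return [line for line in flow_lines if not allowed(rules, *parse_flow(line))]


# Constructed sample flow log: one expected flow, then three that violate policy.
SAMPLE_FLOWS = [
    "src=clinical_workstations dst=patient_data port=443",
    "src=clinical_workstations dst=patient_data port=445",
    "src=corporate_it dst=patient_data port=445",
    "src=corporate_it dst=medical_devices port=22",
]

if __name__ == "__main__":
    print("flat, corporate_it compromised:     ", sorted(blast_radius(flat_rules(), "corporate_it")))
    print("segmented, corporate_it compromised:", sorted(blast_radius(SEGMENTED_RULES, "corporate_it")))
    print("segmented, medical_devices compromised:", sorted(blast_radius(SEGMENTED_RULES, "medical_devices")))
    for line in denied_flows(SEGMENTED_RULES, SAMPLE_FLOWS):
        print("ALERT policy violation:", line)
```

In the flat model a foothold in the corporate segment reaches every other segment; in the segmented model the same foothold reaches nothing, and a compromised device segment reaches only the patient-data segment, because rules are directional and port-specific. The `denied_flows` check is the monitoring half of the same policy: any observed flow that the allow-list does not permit is a signal worth investigating.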

Third party breaches

The number of third-party breaches in the healthcare industry has continued to increase year-over-year, exposing entities to a rising number of liability claims. Therefore, it’s important to require any third party to carry a cyber liability policy. This can help provide coverage for losses related to, but not limited to, data breaches, ransomware attacks, phishing, social engineering and dependent business interruption. It’s also essential to define what information the third party will be handling, including protected health information (PHI) and personally identifiable information (PII).

Liability coverage

In addition to cybersecurity insurance products, healthcare entities should also consider a suite of specialty liability insurance policies to ensure comprehensive risk protection. Whether it’s directors and officers (D&O) insurance, crime insurance, errors and omissions (E&O) insurance or general liability insurance, these coverages can provide essential safeguards beyond the scope of cyber events.

For example, E&O coverage may help mitigate potential losses related to liability from technology failures, billing errors or computer system malfunctions — issues that can disrupt patient care or lead to regulatory scrutiny. D&O insurance can protect leadership against lawsuits stemming from decisions made in the course of managing technology investments or responding to cyber incidents.

As healthcare organizations become increasingly digital, having a layered insurance strategy is critical to protecting both operational integrity and organizational leadership.

HIPAA security rules to be updated

The Health Insurance Portability and Accountability Act (HIPAA) includes security rules designed to keep electronic protected health information (ePHI) safe. While HIPAA has seen several updates since its inception in 1996, the 2025 update is expected to include new, mandatory technical controls to help strengthen healthcare cybersecurity. These include:

  • Encryption for all ePHI
  • Multi-factor authentication (MFA) across all systems
  • Comprehensive technology asset inventory and network mapping
  • Automated monitoring and alerting systems

The 2025 update remains under review – the call for public comment ended in March – but we expect the new rules will help to further reduce the risk of cyber security gaps.

We help you win

It's important to work with your wholesaler to find the cyber security and liability coverage that’s right for your client. Amwins has the expertise, proprietary products and risk evaluation resources to place the necessary coverage for your clients’ evolving cyber risks.

We understand the nuances of cyber security and liability exposures and how they affect business. Amwins has outstanding market access and A-rated coverage for your clients’ global cyber needs and can help you navigate available policies to find the perfect match.

You can learn more about our cyber insurance products and resources here.