To self-insure or not to self-insure, that is the question. Well, not entirely, but today we explore the state of the cyber liability insurance industry.
Today in health IT, healthcare organizations struggle to obtain cyber liability insurance. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health leaders: Gordian Dynamics, Quill Health, Tausight, Nuance, Canon Medical, and Current Health.
Check them out at thisweekhealth.com/today. Alright, good article over here. Where did we get it? healthitsecurity.com. And it is "Health organizations struggled to obtain cyber insurance policies, report shows." Healthcare ransomware attacks. Let me grab my glasses here. That's pretty small print. Healthcare ransomware attacks are not slowing down, prompting an increased demand for reliable cyber insurance policies, but as healthcare cyber.of ransomware in healthcare,:ons were hit by ransomware in:
Interesting stat. I will log that for later. Results also revealed that healthcare was the most likely sector to pay a ransom. I'm going to talk to directs about that on the Newsday show. See what he has to say. Just over 60% of the respondents who experienced an encryption admitted to paying the ransom, compared to a cross-sector average of 46%.
With these figures in mind, it makes sense that healthcare organizations are increasingly turning to cyber insurance to protect their assets and minimize damage. Across all surveyed sectors, 83% of organizations reported securing cyber insurance. Only 78% of healthcare organizations said they had coverage. All right. So 22% are flying without coverage or self-insured. And actually I'm hearing that conversation happen more and more: organizations who are going the self-insured route.
Given the high rate of ransomware incidents in healthcare, this insurance coverage gap leaves many organizations exposed to the full cost of attack, the report stated. In addition to challenges with obtaining coverage, 51% of respondents said that the level of cybersecurity needed to qualify is now higher, and 45% said that the policies are now more complex.
And that's what I was talking about. I'm hearing that from a lot of CISOs and CIOs, that essentially it's actually helping us to become better. If you want this insurance coverage, you actually have to implement some things and procedures and training and whatnot in order to get the coverage. And that is one of the ways the market is working to make us better with regard to cybersecurity.
And I wouldn't necessarily look down my nose at that. That's a good thing. Sometimes you need that, somebody behind you saying you have to do this, in order to get the board off the dime to put the money out there and get the leadership off the dime. I'm not saying that's true for all organizations, but for some, sometimes you need big brother behind you saying, "Hey, we're going to do this."
All right. Let me keep going. These changes are closely linked to ransomware, which is the single largest driver for cyber insurance claims in recent years. Ransom attacks have increased, and ransoms and payout costs have soared. As a result, some insurance providers have left the market, and it has simply become unprofitable for them. That's not surprising to me. It's like doing home insurance in Florida or other hurricane markets.
Those that remain are looking to reduce risk and exposure. They're also pushing up prices considerably, with fewer organizations providing cyber coverage. That's true as well. So it's a seller's market. They call the shots and they can be selective about which clients they cover. Having strong cyber defenses will significantly improve an organization's ability to secure the coverage they need. It's a, it's a buyer's market. It's so interesting.
It's like you have to make your house look good so that they will sell you something. You know, it's like I get my house ready to sell. I'm not, but if I were getting my house ready to sell, I'd make it look good so people could come in and buy it. Now we're essentially making our health system look good so that we can get coverage. They come in, they look around, they say, "This is not the house I want."ared with the findings of the:
I can help healthcare organizations pick up the pieces after a damaging attack. It does not cover expenses associated with betterment, or investing in better tech to address the security weaknesses. Yes. So you have to allocate some additional money as well. Rather, healthcare organizations should have these defensive measures in place already and only rely on insurance policies in the event of a cyber attack and subsequent recovery.
In Fortified Health Security's recent reports, similar sentiments were raised. Researchers urged healthcare organizations to remember that cyber insurance is not a band-aid for inadequate cybersecurity measures. That's a great quote, too. I'm going to talk to directs about that one. Having cyber insurance doesn't take the place of a strong cybersecurity infrastructure. Increasingly sophisticated attacks continue, with larger payouts that make obtaining cyber insurance even more difficult and more expensive.
This is an interesting report worth reading. Again, it was at healthitsecurity.com, and the title of the article is "Healthcare organizations struggled to obtain cyber insurance policies, report shows." What's my so what?
Sometimes it's good to use big brother if you're trying to get your organization to move off the dime. That's one of the things I would say. Another is, if your organization has the wherewithal, self coverage is not the worst thing in the world, especially if you feel like you're making the right investments, you're doing the right things.
Again, we expect there to be a breach of some kind in every organization. It's not if, but when. We've talked about that a lot. I hate that phrase, but it's proving to be more and more accurate. So if you're planning to go the self-insured route, just keep that in mind, that there probably will be a breach at some point. And what you need to do is make sure that it does not lead to an event where they encrypt, and that you really limit the horizontal movement across your network, that you're limiting them, that you're finding them very rapidly in the system.
So all the things around that in this model are so important to somebody who's thinking of going the self-insured route. But even if you're not going the self-insured route, all those same things apply. Cybersecurity is table stakes at this point.
And your investment in that space should be considered table stakes and not a piece of the budget that can go down. I mean, quite frankly, I remember we had a refresh budget. And this is a story I tell my coaching clients because a lot of them don't have this in place. Every time we bought a system, we bought a new server, new switch, new router, a new desktop device, we put it on a lifecycle, and we essentially said in three years, five years, seven years, we're going to replace this piece of equipment.
And we put that budget together and we gave it to the CFO, and between the CFO and myself, we got approval to put that budget into an area that wasn't touched. Because every year we would go in for the IT budget, and they would say, "Oh, you spent too much money. We need you to cut this and cut this." And invariably, one of the things that you cut is that refresh budget. And once you do that, you just line yourself up for an umpteen-million-dollar true-up at some point in the organization's life.
And to the credit of the other leaders in our organization, they all agreed that we wanted to make sure we had the best equipment at the bedside and the best equipment for cybersecurity, and so we were going to refresh that equipment. That was going to be an important piece of our thing. We took that budget, we put it aside, we didn't play around with it, and it was never part of the budget negotiations.
When I say that to CIOs, they're like, "You are a miracle worker. I can't believe you pulled that off." If you haven't pulled it off yet, you should do it. It's critical. Otherwise, your equipment ages, and at some point somebody is walking in and going, "Is that a Windows XP device?"
You get the picture. It won't be Windows XP, but it will be bad, and your nurses will be upset because they're working on ancient equipment. Anyway, that's all for today. If you know someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher, you get the picture. We are everywhere.
We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: Gordian Dynamics, Quill Health, Tausight, Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.