How to implement healthcare cyber insurance

The HHS 405(d) program has new resources to help small to large healthcare organizations navigate what's important when implementing cyber insurance.
By Andrea Fox
03:43 PM


Two new one-pagers from U.S. Health and Human Services aim to support healthcare organizations in taking steps to implement cyber insurance best practices today.


"Cyber insurance can help protect your organization from excessive costs that can occur in the event of a cyber attack," according to the 405(d) program in its announcement on Dec. 14.

The resources – one for smaller organizations and another for medium and large ones – explain why cyber insurance is an ongoing partnership between healthcare organizations and their insurers.

With them, health IT specialists can learn about the steps they need to take to continually improve their organizations' security, including how to think about their duty to defend and incident response planning.


The HHS 405(d) Program was created as a provision of the Cybersecurity Act of 2015, and the task group was initially convened with 150 individuals from the government and the healthcare industry.

More recently, the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services released the Cybersecurity Toolkit for Healthcare and Public Health. 

With the considerable cybersecurity challenges facing the healthcare and public health sector, government and industry seek to shore up gaps in resources and cyber capabilities. Since 2015, the conversation has moved from "if" a healthcare organization is attacked to "when."

"We have seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years," added HHS Deputy Secretary Andrea Palm.

"The more they happen and the longer they last, the more expensive and dangerous they become," she said.

John Menefee, cyber risk product manager at Travelers Bond and Specialty Insurance, told Healthcare IT News in June that insurance carriers are getting better at helping healthcare organizations protect their infrastructure before threat actors strike.


"If your organization becomes the victim of a cyber attack, cyber insurance can provide your organization with access to third-party breach specialists including forensics, independent legal counsel working on your behalf and possible reimbursement of loss of business coverage or revenue," 405(d) said in the new resource.

Andrea Fox is senior editor of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.
