
6 Strategies to Mitigate Cyber Risk in the Healthcare Sector


The healthcare sector is without a doubt one of the industries most targeted by cyber attackers. Different industries have different types and degrees of cyber risk exposure, but attackers and malicious campaigns take aim at the healthcare sector in particular because of the private nature and black market value of the data it holds.

Personally Identifiable Information (PII) and Personal Health Information (PHI) contain data that could easily be used to steal someone’s identity, open false accounts, perform fraudulent transactions, or gain access to bank and other private accounts.

The average cost per stolen record for a healthcare organization is as high as $363, more than twice the average across all industries. As more and more health information is stored in the cloud, healthcare providers' exposure levels are increasing dramatically. Add to that the fact that most providers are equipped neither to proactively defend against a cyber breach nor to respond to one, and you have a recipe for disaster.

Cyber attacks or other business interruption events, such as lost or stolen data, a Distributed Denial of Service (DDoS) attack, or ransomware, may seriously damage a healthcare provider's business reputation and financial standing. In addition, regulatory fines may run into the millions of dollars. With the average number of breached records in the healthcare sector at 58,070 and the above-mentioned cost per record at $363, firms with a modest number of breached records could face costs upwards of $20 million.

Even the average cost per breach of $5.9 million to $6.5 million is enough to cripple smaller healthcare providers that are unprepared to respond or are operating without proper cyber insurance.

So what should a healthcare provider do to be prepared for a cyber breach or business interruption event?

Risk Register

A risk register will help a company's C-suite and department heads understand the various cyber risk exposures the organization faces. Once the risks are identified and the current mitigation strategies evaluated, plans can be developed to strengthen security and minimize risk. Additionally, a risk register makes it possible to align individual risks with an enterprise-level risk appetite.
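The following is an added example, not part of the original article, of what "aligning risks with a risk appetite" looks like in practice. It scores each register entry on a 1 to 5 likelihood and impact scale, applies the reductions credited to existing controls to obtain a residual score, and lists the entries whose residual risk still exceeds the appetite the leadership has set. The scoring scale, the control reductions and the sample entries are all constructed for illustration; a real register would use the organization's own assessments.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Scale assumed for this example: 1 (rare / negligible) .. 5 (almost certain / severe).
MIN_LEVEL, MAX_LEVEL = 1, 5


@dataclass
class Control:
    """A mitigation already in place and how much it is credited with reducing each factor."""
    description: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One row of the risk register."""
    name: str
    owner: str
    likelihood: int          # inherent likelihood, before controls
    impact: int              # inherent impact, before controls
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not MIN_LEVEL <= value <= MAX_LEVEL:
                raise ValueError(f"{self.name}: level {value} outside {MIN_LEVEL}..{MAX_LEVEL}")


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact with no credit for controls."""
    return risk.likelihood * risk.impact


def residual_levels(risk: Risk) -> Tuple[int, int]:
    """Apply each control's credited reduction; a factor never drops below the minimum level."""
    likelihood, impact = risk.likelihood, risk.impact
    for control in risk.controls:
        likelihood = max(MIN_LEVEL, likelihood - control.likelihood_reduction)
        impact = max(MIN_LEVEL, impact - control.impact_reduction)
    return likelihood, impact


def residual_score(risk: Risk) -> int:
    likelihood, impact = residual_levels(risk)
    return likelihood * impact


def exceeds_appetite(risk: Risk, appetite: int) -> bool:
    """True when the residual risk is still above the level leadership has agreed to accept."""
    return residual_score(risk) > appetite


def prioritize(register: List[Risk], appetite: int) -> List[Risk]:
    """Entries that need further treatment, highest residual score first."""
    open_items = [r for r in register if exceeds_appetite(r, appetite)]
    return sorted(open_items, key=residual_score, reverse=True)


# Constructed sample register for a small healthcare provider (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Ransomware on clinical systems", "CIO", likelihood=5, impact=5, controls=[
        Control("Offline, tested backups", impact_reduction=2),
        Control("Monthly patch cycle", likelihood_reduction=1),
    ]),
    Risk("Phishing leading to credential theft", "CISO", likelihood=5, impact=4, controls=[
        Control("Two-factor authentication on remote access", impact_reduction=2),
        Control("Quarterly staff awareness training", likelihood_reduction=1),
    ]),
    Risk("Lost or stolen laptop holding PHI", "Privacy Officer", likelihood=3, impact=4, controls=[
        Control("Full-disk encryption enforced by MDM", impact_reduction=3),
    ]),
    Risk("DDoS against patient portal", "CIO", likelihood=3, impact=3),
]


def report(register: List[Risk], appetite: int) -> List[str]:
    """One line per register entry, flagging those above appetite; returned rather than printed."""
    lines = []
    for risk in register:
        flag = "ABOVE APPETITE" if exceeds_appetite(risk, appetite) else "within appetite"
        lines.append(f"{risk.name:42} inherent={inherent_score(risk):2} "
                     f"residual={residual_score(risk):2} {flag} (owner: {risk.owner})")
    return lines


if __name__ == "__main__":
    APPETITE = 8  # assumed enterprise-level appetite: residual scores above 8 need a treatment plan
    print("\n".join(report(SAMPLE_REGISTER, APPETITE)))
    print("\nTreatment queue:", [r.name for r in prioritize(SAMPLE_REGISTER, APPETITE)])
```

The useful output is the treatment queue: with the constructed values, ransomware (residual 12) and the DDoS scenario (residual 9, because nothing mitigates it) remain above an appetite of 8, while the phishing and lost-laptop entries are brought within it by the controls already in place. The point of the exercise is that the register makes the remaining gap visible and assigns an owner to each item, which is what the C-suite needs in order to fund the next mitigation.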

Strong Policies and Procedures

Your organization should have a well-thought-out Incident Response Plan and Disaster Recovery Plan in order to survive and recover from a cyber event. Other security policies, such as data encryption, data segregation, strong password policies, two-factor authentication, mobile device management and patch management, will also strengthen the forward defenses against a breach.

IT Forensics

Have your IT staff or a specialized firm proactively assess your security protocols and IT policies and procedures. They will generally perform penetration testing, gauge the security awareness of your staff and assist with the development of Disaster Recovery Plans. Remember, assessments should be performed on a consistent schedule: if updates and maintenance are not performed, the security of applications and devices will become lax and easy to circumvent.

Employee Training

Continually educate your staff to identify cyber threats and understand what to do if they recognize a suspicious event.

Maintain Cyber Insurance

Cyber Liability coverage is still maturing, but it will protect your company's assets when a breach occurs. Since there is little to no uniformity between the policy forms offered by carriers, the coverage should be carefully tailored to protect your organization and reviewed by an expert who understands both the intricacies of the coverage and the cyber exposures faced by healthcare providers.

Understand Breach Notification Obligations

US-based organizations have an obligation to report cyber incidents, and the obligations vary by state. Companies in other parts of the world have much less stringent, or no, notification obligations, but that, as we have seen with the EU's General Data Protection Regulation (GDPR), is changing. Understanding your obligations is an often-overlooked part of mitigating cyber risk.

For more on the full cost of a data breach, see this widely respected independent study on the topic: 2015 Cost of a Data Breach Study (Ponemon Institute).

Being prepared to respond to an event can be the game-changer that ensures the organization survives a cyber breach.

If you have questions about managing your healthcare organization’s Cyber Risk, or you would like more information, please contact us.
