Cyber Risk Aggregation in Healthcare

Cyber risk aggregation arises both internally and externally in organizations, and has a multiplier effect on the scale and scope of a cyber incident. As healthcare organizations rely increasingly on data, connectivity, and outside services to support their business platforms, a single cyber incident has the potential to impact more of the organization, and a greater number of its peers, partners, and vendors (all of them likely cyber insureds), with resulting aggregated exposure to cyber insurers and reinsurers.

 

The risk to individual healthcare organizations is that they suffer larger losses than would otherwise be the case, and the risk to cyber insurers is that they suffer losses from the same incident under multiple policies without having correctly priced that risk or managed their capacity in light of that aggregation risk. Ultimately, both are a concern to risk managers looking to manage their exposures and secure stability.

 

Within the organization, aggregation can arise from a lack of segregation of data and systems—for example, centralizing too much data in one depository or allowing one individual too much access to data by not implementing access controls based on need. In both cases, a single event has the potential to affect more data than necessary for the good running of the business.

 

As healthcare has experienced an explosion of ransomware attacks in recent years, we see clearly that organizations that segregate data and systems are more likely to deny intruders access to all their resources, helping to stem the attack and get the organization back up and running faster.

 

This whitepaper will outline the new vulnerabilities for healthcare organizations and will help you learn how to manage this evolving risk.