Health insurers facing growing risk of customer data theft

The U.S. health insurance industry is facing growing risks from cybersecurity threats due to the increasingly sophisticated techniques used by cybercriminals amid the expansion of remote healthcare delivery and growing digitization of insurance transactions, clinical records and billing.

Health insurers and related third parties that fail to inventory and protect sensitive customer information face increased financial, reputational, operational and regulatory risks from cyberattacks, Fitch Ratings says.

Health insurers handle large amounts of sensitive data when processing benefit claims or uploading patient information. These data are protected by federal laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Various legislation in the U.S., such as the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the Patient Protection and Affordable Care Act (PPACA) has promoted increased digitization of health records.

Health insurers susceptible to cyberattacks

These data make insurers a popular target for phishing, ransomware or man-in-the-middle attacks. For insurer networks, there is a risk for malware to be inserted into legitimate data with each interaction with a customer or third party. Healthcare provider networks are susceptible to breaches, with risks rising as more providers and their employees work remotely.

Additionally, personal medical tracking devices often do not have built-in security features to accompany internet access, enabling outside access to healthcare and patient records.

The pandemic-driven increase in adoption of remote healthcare services has led to improved patient access to care, which could benefit clinical outcomes and reduce insurance costs in the long term. However, this increased reliance on technology has also heightened exposure to third-party software systems and vendors.

Insurers maintain an acute focus on data security and expend significant resources in this area, acknowledging the very high value of identifiable healthcare data to cybercriminals and the growing financial and reputational repercussions of a successful intrusion.

However, their systems are certainly not impenetrable, as demonstrated by notable breaches in recent years, and remain exposed through interactions with external parties such as providers and third-party vendors that may lack the resources necessary to protect against sophisticated attacks.

Rise in insurance claims related to ransomware attacks

Cybersecurity is a considerable administrative expense and may lower returns given the growing frequency of attacks. The key to reducing risks is the identification of gaps in security areas and IT systems where risks to critical assets are highest, including hardware and software on mobile devices, laptops, workstations and servers.

Insurance claims related to ransomware attacks have risen significantly, prompting carriers to raise premiums and change terms and conditions, including increasing deductibles and providing lower coverage. Price increases for cyber coverage have accelerated over the past two years. The Council of Insurance Agents & Brokers recently indicated that renewal pricing on cyber coverage increased by an average of 18% in first-quarter 2021. All of these costs increase the administrative burden on health insurers and raises premium rates for healthcare consumers.