HIPAA Security & Risk Management
Ransomware. Data breaches. Business email compromise. Cyber insurance will not prevent any of these — but it can be the difference between surviving one and closing your doors.
In 2023, a three-physician internal medicine practice in Georgia was hit by ransomware. They had cyber insurance. The policy covered the ransom payment, the forensic investigation, the breach notification costs, and six weeks of business income loss while their systems were rebuilt. Total payout: $380,000. Total out-of-pocket cost to the practice: their $25,000 deductible.
A similar-sized practice in the same state, same year, same type of attack — no cyber insurance. They paid the ransom themselves, hired a recovery firm out of pocket, sent breach notifications to 4,200 patients, and ultimately closed within eight months.
Cyber insurance has gone from “nice to have” to essential risk management for medical practices. But it is also a complex product that many practice owners buy without fully understanding what it covers — and then discover the gaps at the worst possible moment.
This guide explains what cyber insurance actually covers, what it does not, how much it costs, and what you need to do to qualify for a policy worth having.
In This Article
- What cyber insurance actually covers
- What it does NOT cover (read this carefully)
- How much it costs for a small medical practice
- What underwriters look for (and why it matters for your premiums)
- How to choose between standalone and add-on coverage
- Questions to ask before you sign
What Cyber Insurance Actually Covers
Cyber insurance policies are typically divided into two categories: first-party coverage (costs your practice directly bears) and third-party coverage (claims made against your practice by others). Most comprehensive policies include both.
First-Party Coverage
Ransomware & extortion payments — the ransom itself, if you choose to pay, plus negotiation fees
Business interruption — lost revenue while your systems are down; most policies apply a waiting period of 8–24 hours before this coverage kicks in
Forensic investigation — the cost of determining how the breach happened, what was accessed, and how many patients are affected (required for HIPAA breach response)
Data restoration — costs to recover or reconstruct data from backups or through decryption
Crisis communications — PR support and patient notification costs, including mailing, call centers, and credit monitoring services
Social engineering / funds transfer fraud — losses from business email compromise where an attacker tricks staff into wiring money to a fraudulent account (often requires specific endorsement)
Third-Party Coverage
HIPAA regulatory defense & fines — legal defense costs and OCR fines resulting from a breach (note: some policies exclude government fines — check the wording)
Patient litigation — defense costs and settlements if patients sue following a breach
Network security liability — claims from business associates or other third parties whose systems were affected by a breach that originated in your network
What Cyber Insurance Does NOT Cover
This is the section most practice owners skip — and the one that matters most when you actually need to file a claim.
✕ Pre-existing breaches — if attackers were already in your network before your policy started, the breach is typically excluded. This is why insurers ask about recent security incidents on the application.
✕ Infrastructure improvements — the policy covers recovery, not upgrades. If a breach reveals that your systems need to be modernized, those costs are yours.
✕ Intentional acts — if a staff member intentionally leaks patient data, most policies will not cover the resulting losses.
✕ Unencrypted devices (often) — many policies exclude claims resulting from lost or stolen unencrypted laptops or USB drives. If your devices are not encrypted, this is a gap you need to close before and after purchasing coverage.
✕ War and nation-state attacks — most policies exclude attacks attributed to nation-state actors or acts of war. This exclusion has become more significant as state-sponsored attacks on healthcare have increased.
✕ Misrepresentation on the application — if you answer “yes” to having MFA or backups on your application and you do not, the insurer can deny your claim entirely and rescind the policy. This is the most common cause of denied claims.
How Much Does It Cost?
Cyber insurance premiums for small medical practices have risen significantly since 2020 as claims have surged, but the market has stabilized somewhat in 2024–2025. Here is a realistic range:
| Practice Size | Coverage Limit | Annual Premium Range |
|---|---|---|
| Solo / 1–2 providers | $500K – $1M | $1,500 – $4,000/yr |
| Small group (3–10 providers) | $1M – $3M | $4,000 – $12,000/yr |
| Mid-size group (11–30 providers) | $3M – $5M | $12,000 – $35,000/yr |
Premiums vary significantly based on your security controls, claims history, specialty, and number of patient records. Practices with strong controls (MFA, EDR, immutable backups) typically pay 20–40% less than those without.
What Underwriters Look For
Cyber insurance underwriting has become significantly more rigorous since 2021. Insurers now routinely scan your external-facing systems before issuing a quote, and applications ask detailed questions about your security controls. Here is what they are looking for — and what affects your premium:
🔒 Multi-factor authentication
Required by most major insurers for email and remote access. Absence of MFA can result in coverage being declined entirely.
💾 Backup strategy
Underwriters want to know if backups are isolated from the network (immutable or offline). Connected backups that ransomware can reach are a significant risk factor.
💻 Endpoint protection
EDR (endpoint detection and response) is increasingly required. Traditional antivirus alone is often insufficient for competitive premiums.
👨‍🏫 Staff training
Annual security awareness training (and ideally phishing simulations) is a HIPAA requirement that underwriters also look for. Document your training programs.
📄 Patch management
Running unsupported operating systems (Windows 7, Server 2008) is a major red flag. Underwriters may exclude coverage for vulnerabilities in end-of-life systems.
📋 Incident response plan
Having a documented, tested incident response plan demonstrates maturity and is increasingly a standard underwriting question.
The practical implication: improving your security posture before applying for (or renewing) cyber insurance directly reduces your premium. Many practices find that working with an IT provider to implement the controls above pays for itself in reduced insurance costs within the first year.
Standalone Policy vs. Add-On Coverage
Many medical practices have cyber coverage as an endorsement (add-on) to their general liability or professional liability policy. This is better than nothing, but it has significant limitations.
| | Standalone Policy | Add-On Endorsement |
|---|---|---|
| Coverage limits | $500K – $5M+ | Typically $10K – $100K |
| First-party coverage | Comprehensive | Often limited or absent |
| Ransomware / extortion | Included | Often excluded |
| Business interruption | Included | Rarely included |
| Incident response support | 24/7 response team | Typically none |
For most medical practices storing ePHI, a standalone cyber policy is the right choice. The gap between what an endorsement covers and what a real incident costs is simply too large.
Questions to Ask Before You Sign
Not all cyber policies are equal. Before purchasing or renewing, ask your broker these specific questions:
✓ Does this policy cover ransomware payments and extortion? Get the specific policy language, not just a “yes.”
✓ Is business income loss included? What is the waiting period before it kicks in? What is the maximum payout period?
✓ Does it cover HIPAA fines and regulatory defense? Some policies explicitly exclude government-imposed fines. Others cover legal defense but not the fine itself.
✓ What is the claims process? Does the insurer provide an incident response team, or do you need to find your own forensic firm? Pre-approved vendor panels can significantly speed up response.
✓ Are there co-insurance requirements? Some policies require you to share a percentage of the loss above the deductible. Understand your actual out-of-pocket exposure.
✓ What security controls are required to maintain coverage? If MFA is required and you remove it, your coverage may be voided. Know what you are committing to.
✓ How does the war exclusion read? After the NotPetya litigation, insurers rewrote their war exclusions significantly. Understand exactly what is excluded.
The Bottom Line
Cyber insurance is not a substitute for good security — it is a financial backstop for when security fails. A practice with strong controls and cyber insurance is in the best possible position. A practice with cyber insurance but weak security will find claims denied, premiums rising, and potentially coverage cancelled after a breach.
The right sequence is: implement the security controls first (MFA, backups, patching, EDR), then apply for insurance. You will get better coverage at a lower premium, and your application answers will be accurate — which matters enormously if you ever need to file a claim.
Atlantic Computer Systems
Want to know which security controls your practice is missing?
Our free 30-minute IT & HIPAA Security Assessment identifies the specific gaps that affect your insurability — and tells you exactly what to fix first. No obligation, no jargon.