From reactive to resilient: What cyber insurance trends reveal about health care’s cybersecurity maturity

August 19, 2025

BY Trip Hillman, Partner, Cybersecurity Consulting Services, and Shelby Mathers, Director, Cybersecurity Consulting Services, Weaver

 

The health care industry is no stranger to cyberattacks. From ransomware shutting down emergency rooms to data breaches exposing millions of patient records, health care organizations have long been prime targets for cybercriminals. As the threat landscape evolves, so too must the way health care industry leaders think about cybersecurity: not just as a technical issue, but as a strategic imperative.

Recent events like the February 2024 ransomware attack on Change Healthcare have underscored the fragility of the health care ecosystem. That single incident disrupted claims processing nationwide, delayed patient care and exposed the systemic risk posed by third-party vendors. It also sent a clear message to the industry: resilience is no longer optional.

 

The Case for Resilience Over Reaction

Cyber resilience in health care means more than just preventing attacks. It means ensuring continuity of care, protecting patient trust and recovering quickly when things go wrong. Yet many organizations still operate with legacy systems, flat network architectures and unpatchable medical devices that make resilience difficult to achieve.

 

This is where cyber insurance enters the conversation, as both a financial safety net and a mirror reflecting an organization’s cybersecurity posture. Increasingly, cyber insurance questionnaires are functioning as informal reviews, revealing whether an organization is truly prepared for today’s threats.

 

What Cyber Insurance Is Telling Us

Over the past few years, cyber insurers have significantly tightened their underwriting standards. Health care organizations applying for coverage are now expected to demonstrate a baseline level of cybersecurity maturity. Common areas of scrutiny include:

 

  • Multi-factor authentication (MFA) across all user accounts and critical systems
  • Endpoint Detection and Response (EDR) solutions
  • Regular backup and restore testing and immutable storage
  • Incident response planning and tabletop exercises
  • Cloud security monitoring and baselines for configurations
  • Third-party risk management and vendor assessments

 

These are no longer “nice to haves.” They’re prerequisites. Additionally, misrepresenting your security posture on an insurance application can lead to denied claims or rescinded coverage.

 

Multiple Data Sources

The data driving these expectations can be seen outside of the underwriter’s black box. The 2025 Verizon Data Breach Investigations Report (DBIR) analyzed 22,052 security incidents of which 1,710 were linked to health care organizations. The analysis aligns with trends in requirements for insurance and in some ways serves as a crystal ball for what may be coming soon.

 

  • Third-party risk is a major vulnerability: Organizations are increasingly impacted by breaches in their partner and supplier ecosystems. These incidents affected a wide range of service providers and underscore the need for proactive planning around third-party security failures.
  • Espionage is an emerging threat: Espionage-related breaches rose sharply from 1% to 16%, suggesting either a shift in attacker tactics or changes in data reporting. Based on broader motivations and a willingness to play the “long-game,” these actors are stealthier and harder to detect than traditional cybercriminals.
  • Insider threats are declining but still present: The volume of cases where insiders misused privileges has decreased. Breaches in this category typically have some of the longest durations of unauthorized access and are more difficult to detect. Collusion between internal and external actors is rare but still a concern.
  • Human error continues to drive breaches: Mistakes such as misconfigurations and accidental disclosures remain common. While eliminating them entirely is difficult, implementing controls to detect and respond quickly is essential to minimize damage.

 

Where Scrutiny Is Increasing: Beyond the Questionnaire

While cyber insurance questionnaires offer a standardized view of an organization’s general security posture, insurers are increasingly going beyond the checkbox, especially in health care.

 

Areas of higher scrutiny

Organizations can expect follow-up questions or deeper underwriting reviews in areas such as:

  • Third-party risk management: Especially after incidents like the Change Healthcare breach, insurers want to know how dependencies are assessed, monitored and segmented.
  • Medical device security: Standard questionnaires rarely address segmentation or patching constraints for specialized medical devices connected to a network (smart IV pumps, etc.), but insurers are beginning to ask.
  • Incident response testing: It’s not just whether a plan exists but how often the plan is tested and whether both administrative (operational executives, IT, service providers, etc.) and clinical teams are involved.
  • Cloud and hybrid environments: Insurers are asking for proof of the design for the environment and thoughtful safeguards via architectural diagrams and defined controls, especially for sensitive workloads.
  • Identity and Access Management (IAM): The growing boundaries of access management and the sheer volume of various types of accounts throughout an organization may lead to tougher questions surrounding the controls in place, including where MFA has truly been applied.

 

Post incident scrutiny: Failed controls

There have also been cases where, following a breach, insurers have asked for evidence of controls that were represented to be in place on the original application. If those controls were misrepresented, whether intentionally or not, the result can be:

  • Coverage denial
  • Policy rescission
  • Litigation over misrepresentation

 

This trend reinforces the need for cross-functional collaboration when completing insurance applications. Chief information security officers (CISOs), IT, compliance, legal teams and, in some cases, clinical teams should all be involved to ensure accuracy and defensibility.

 

Health Care’s Unique Risk Profile: Still Underrepresented

Despite these evolving standards, many cyber insurance questionnaires still fail to capture the unique risks and challenges of health care environments. For example:

  • Clinical networks prioritize availability over security.
  • Medical devices often cannot be patched in a timely manner or segmented easily while still achieving full functionality.
  • U.S. Food and Drug Administration (FDA) regulations can delay security updates.
  • Research data, clinical trial information and patient data remain high-value targets.

 

As a result, some insurers are beginning to supplement standard questionnaires with interviews or custom assessments for health care applicants. This shift reflects a growing recognition that the sector requires a more nuanced approach to risk evaluation.

 

Leadership Takeaways

For health care executive team members, the message is clear: cyber insurance is no longer just a financial product. It’s a strategic signal. It tells you where your vulnerabilities may be, what minimums the market expects and how your organization stacks up against peers.

To lead effectively in this environment, leaders should:

  • Treat insurance applications as risk management exercises, not paperwork
  • Involve CISOs, IT and compliance teams in the application process
  • Prepare supplemental documentation to explain and define compensating controls
  • Use insurer feedback to assist in prioritizing security investments

 

From Compliance to Confidence

The health care industry has long operated in a compliance-driven environment. However, in today’s threat landscape, compliance alone is not enough. Resilience is the new benchmark, and cyber insurance trends are helping define what that looks like.

 

By paying attention to what insurers are asking (and what they’re not), health care leaders can gain valuable insights into their own maturity and take proactive steps toward a more secure, resilient future.

Published by Medical Journal – Houston (MJH News).