Cybersecurity Insurance: Mitigating Healthcare Data Breach Risks

A Case Study of the Role of Cybersecurity Insurance in Mitigating the Risk of Data Breaches in the Healthcare Industry. Abstract Acknowledgements Table of Contents Abstract2 Acknowledgements3 Table of Contents4 Chapter One: Introduction6 1.1 Introduction6 1.2 Background of the Study6 1.3 Study Problem8 1.4 Study Objectives8 1.5 Significance of the Study9 Chapter Two: Literature Review10 2.1 Introduction10 2.2 Cybersecurity in Healthcare Organizations10 2.3 Reactive vs. Proactive Cybersecurity in Healthcare13 2.4 Cybersecurity Insurance17 2.5 Cybersecurity Insurance in the Healthcare Industry23 2.6 Conclusion27 Chapter Three: Research Methodology28 3.1 Introduction28 3.2 Research Methodology and Design28 3.2.1 Methodology28 3.2.2 Study Design30 3.3 Population, Sample, and Sampling Technique32 3.3.1 Population32 3.3.2 Sample33 3.3.3 Sampling Technique34 3.4 Materials or Instrumentation35 3.5 Operational Definitions of Variables36 3.6 Data Analysis37 3.7 Assumptions38 3.8 Limitations38 3.9 Delimitations39 3.10 Ethical Assurances39 3.11 Summary40 References41 Chapter One: Introduction 1.1 Introduction This section of the dissertation provides an introduction to the study and its subsections include the general background of the study, research problem, objectives, and the significance of the study. Cybersecurity is an important issue in healthcare and cyber insurance is one of the methods companies can use to mitigate risk. The organizations in the sector need to identify the issues resulting from risks in healthcare and provide solutions to the problems. This section provides a background to the issue of cybersecurity insurance in the healthcare sector and the current study. It establishes the problem for the study and indicates the study objectives for the current research. The section includes a description of the significance of the study showing how the findings will improve cybersecurity in the industry. 1.2 Background of the Study Information systems play a major role in improving service delivery in hospitals since they are a major part of modernization in the industry. Hospitals have implemented complex systems to collect, analyze, and store consumers’ information to improve service delivery in hospitals. The current study is one of the many research projects targeting ways that healthcare companies can improve care delivery by using information systems. Additionally, the study demonstrates the measures that organizations in the sector may use to respond to potential risks and actual attacks on their information systems (Kabir et al., 2020). The role that technology plays in the modern delivery of healthcare services is a significant advancement in the sector. Through complex structures that collect and analyze data, healthcare organizations are able to provide personalized services to their patients and improve the healthcare outcomes. Professionals treating one patient may share information with each other to effectively offer quality services to individuals receiving care. Such structures allow the organizations to facilitate information sharing among individuals working in different hospital settings and among organizations contracted by hospitals. Consequently, it is important that organizations develop quality information systems with secure data storage and sharing structures to improve service delivery. Companies should invest in the creation of quality security systems and develop protocols that manage the use of consumer information in healthcare facilities. The current trends in data security indicate that hospitals need to improve the protection of their information systems since they are among the most vulnerable organizations. Financial risks in cybersecurity include liabilities for information lost to perpetrators, ransoms, and the cost of litigations. A major strategy for healthcare organizations is to rely on cybersecurity insurance to mitigate risks. The insurance protects the organizations from financial implications of the employees’ actions and behavior, internal vulnerabilities, and external factors in cybersecurity that could lead to losses. It is important that companies develop adequate measures to prevent risk and mitigate the implications that the risks have on the stakeholders. Cybersecurity insurance takes the form of premiums that companies pay to gain coverage for financial implications of data security issues in the organizations. Companies rely on such insurance procedures to mitigate the effects of internal and external factors making them vulnerable to attacks. The most effective approach to cybersecurity is to prevent the cyber-attacks in their entirety by protecting the systems (Romanosky et al., 2019). Organizations can achieve this goal through a combination of strategies including firewalls, physical barriers to hardware, and restrictions on how people access information systems. It is important that companies develop adequate measures to prevent their systems from being hacked by attackers. However, the nature of cybersecurity issues in the healthcare sector makes it impossible to rely on protection of systems alone. Companies have to take a step further to mitigate risks in data security and mitigate risks. Cybersecurity insurance is a major approach for organizations in the industry as it lowers the financial implications of the risks organizations may face. 1.3 Study Problem Preventing cyber-attacks in information systems is a major strategy for companies in the healthcare industry. Organizations have taken a step further in mitigating risk by acquiring insurance for financial implications related to cybersecurity. The organizations are willing to pay premiums to have coverage for the financial implications of cyber-attacks on their information systems (Panda et al., 2021). The goal of the organizations is to reduce the losses resulting from such attacks including ransoms, litigation, and liability to the owners of data. Importantly, healthcare information systems hold protected health information that is vital in protecting consumers and improving the delivery of quality health services. It is important that companies create elaborate measures to ensure that they are protected from the financial effects of cybersecurity issues. Cybersecurity insurance is a developing trend that has offered solutions for companies in the healthcare sector. The model for data security offers essential solution for organizations handling critical data particularly in the healthcare sector. While studies demonstrate that the adoption of cybersecurity insurance in the healthcare sector is on the rise, its role in mitigating risk is unclear. 1.4 Study Objectives The general objective for the current study is to determine the role of cybersecurity insurance in mitigating the risk of data breaches in the healthcare industry. The specific objectives for the study are as follows. To investigate the extent to which healthcare organizations have adopted cybersecurity insurance to mitigate risk. To determine the role cybersecurity insurance has on mitigating risk in the healthcare sector. To examine the challenges facing the use of cybersecurity insurance as a tool for mitigating risk in the healthcare industry. 1.5 Significance of the Study The findings of the current study will shed light on a major issue in the healthcare industry. Cybersecurity poses challenges to organizations offering healthcare services and relying on modern information systems to improve care delivery. While organizations in the sector have adopted insurance as a solution to risks in cybersecurity, the impact of this strategy is unclear to scholars and policy-makers. The findings will demonstrate the benefits of cybersecurity insurance as a solution to risks in cybersecurity. The research will show the extent to which organizations benefit from insurance coverage on losses resulting from cyber-attacks. From the findings of the current study, the researcher will demonstrate insights on the future of cyber insurance for healthcare organizations. The findings will set the foundation for research on the future of the concept of insurance in mitigating cybersecurity risks in organizations. Chapter Two: Literature Review 2.1 Introduction The current chapter provides a review of literature on issues surrounding the use of cybersecurity insurance in healthcare. Companies invest differently in protecting their information systems depending on various factors of consideration. They decide on the value of information stored in the systems and risk associated with risk that could arise in cybersecurity attacks. The healthcare sector has particularly invested in complex cybersecurity strategies to protect their systems. The current review of literature provides a summary of research on cybersecurity insurance in healthcare organizations. This section provides a summary of studies in this field and makes comparisons among research study results in this area. Finally, it includes a summary of literature and details of the research gap that will guide the current study. 2.2 Cybersecurity in Healthcare Organizations Traditionally, cybersecurity attacks have been motivated by the intention to steal money and intellectual property from individuals and organizations. However, cybercriminals have shifted their focus to causing disruptions with or without the intention of seeking financial benefits from their activities. The sensitivity of data that healthcare organizations hold makes the companies a major target in the newest cyber attacks against organizations. According to Martin et al. (2017), the healthcare industry faces a significantly greater threat compared to other sectors in the new wave of attacks against information systems. The motivation for attackers is to attack the organizations with the weak security systems and those that have the critical information that is worth protecting. The protected data for patients makes the healthcare organizations vulnerable to attacks and 81% of the organizations surveyed by Martin et al. (2017) had experienced some form or attack. Their findings showed that the information for over ten million patients had been affected by an attack against healthcare organizations in the United States in 2015 alone. This makes the issue of cybersecurity a critical concern for healthcare organizations since it poses significant risks to the organizations. The rising level of attention focussed on cybersecurity risk has led to the development of diverse approached to cope with the problem. Managers of organizations and professionals in the industry have developed diverse approaches to cope with the problem of cyber security in various sectors. Xu & Hua (2019) demonstrated that the goal of managers is to make the most meaningful and efficient investments to protect the organizational systems. In particular, companies want to secure their systems if there is a high potential risk resulting from a cybersecurity attack. The nature of the information and the potential effect of information loss affects the value of investment in research on cybersecurity and the protection of the systems holding information. This is the case in the healthcare sector where information loss could lead to devastating financial implications and damages on the brand of the organization. It is important that healthcare managers balance between the investment in cybersecurity and the protection of information systems. Healthcare information has become a vital tool for offering quality care in the hospital settings. Organizations collect, store, and transfer the patients’ health records to improve the care outcomes of their clients. With information systems, the healthcare providers use the medical history of their clients to develop personalized care and improve the outcomes of service delivery. Therefore, it is fundamental that healthcare providers use medical information to provide modernized care to their patients as opposed to the traditional healthcare delivery approaches. An organization should develop quality healthcare delivery procedures that protect the lives of the patients while facilitating confidentiality of the information they store about their health (Lemnitzer, 2021). Companies in the industry are motivated to invest in information security systems since they need clients’ information to facilitate the delivery of care to their patients. The government’s role in mediating the cybersecurity issues is an important factor affecting the storage of information for their clients. The global, national, and state level regulators in healthcare have an impact on how organizations manage their information systems. The companies in the industry have to ensure that they update their information systems to match the requirements of the regulation agencies. In particular, the federal regulations for information security have a significant impact on protecting the systems. Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines protected healthcare information and details the responsibility of healthcare providers in ensuring the safety of patient’s information. HIPAA recognizes that it is fundamental that hospitals and staff rely on the consumers’ medical history to facilitate the delivery of care. Therefore, the regulations set national standards of information safety for all organizations and individuals involved in the collection, storage, use, and transfer of protected information. Additionally, the rules indicate the responsibilities of parties in the event of data security issues in the healthcare sector. To ensure that the organizations abide with the national regulations of security, it is necessary to have sufficient risk mitigation strategies. It is important to consider the necessity of cyber security systems to healthcare providers in the United States and globally. The nature of the information that organizations collect and how they use such information is a vital concept for cybersecurity in the industry. The companies need to use personal and protected information to facilitate the care of their patients. To improve healthcare outcomes, it is important that the hospitals demonstrate they are capable of protecting the personal information for their healthcare consumers. They need to show that they have made sufficient efforts in protecting the information of consumers and set sufficient mitigation measures (Lemnitzer, 2021). Therefore, the issue of cybersecurity is fundamental to the bottom-line of the company’s portability and generation of revenue. The companies cannot make profits if they are unable to convince the consumers of their services that they can sufficiently protect their information systems. Cybersecurity plays a major role in gaining the trust of consumers and protecting the information systems of the companies in healthcare (Kamerer & McDermott, 2020). It is the responsibility of the hospitals to maintain a positive brand image in relation to protecting information systems and the sensitive data for their consumers. 2.3 Reactive vs. Proactive Cybersecurity in Healthcare The cost of cybersecurity issues varies depending on the nature of the attack on the information system and these costs are rising. According to Bhuyan et al. (2020), healthcare organizations have been forced to adapt to the challenges relating to attacks on their information systems by employing proactive measures. These solutions include implementing active strategies that protect the organizations from the costs of future attacks against their systems and lowering the potential implications on the organization. In contrast, Bhuyan et al. (2020) defined reac