Resources & Insights

10 Questions Hospitals Should Ask About their Cyber Insurance Policies

May 12, 2020

Michael Ferentinos,
Insurance Advisor

Imagine trying to treat and care for patients during the COVID-19 pandemic and, at the same time, getting hit by a cyberattack.

That’s exactly what happened in April at Parkview Medical Center in Pueblo, Colo., about two hours south of Denver.

Parkview says it was prepared for a cyberattack, but while it was waiting for an IT forensics team to get its computer systems back online, the hospital was forced to resort to paper records to track and treat patients.

Parkview wasn’t alone, not by a long shot. Interpol warned of “a significant increase” in ransomware attempts against organizations responding to the pandemic, including hospitals worldwide.

Cybersecurity vulnerability is, of course, nothing new in healthcare. Hospitals house reams of personal data and, unfortunately, sometimes cannot afford to spend as much as they would like on cybersecurity resources.

The COVID-19 pandemic exacerbated matters because it pushed some hospital staff to work from their home offices – outside of the firewalls of their hospital IT operations.

Another vulnerability emerged earlier this year when the FDA warned that some Bluetooth-enabled devices — including some pacemakers, glucose monitors and ultrasound machines — were susceptible to being hijacked by cyber criminals.

As any hospital risk manager knows, cyber risk is something you can insure against. What’s less understood is that enhancements in cyber insurance policies are not always available and that it’s easy to get tripped up by exclusions.

In other words, one size rarely, if ever, fits all. Here, then, are some of the questions you’ll want to ask when sifting through cyber insurance policies:

1. What types of incidents are covered? For instance, would your policy cover unintentional and non-malicious attacks?

2. Exactly how does coverage and limits apply to first and third parties? For instance, do legal costs cover your business liabilities only or are your customers covered, too?

3. Are any third-party vendors, suppliers and business associates you do business with also covered?

4. Does the policy cover any attacks on your company, including as an unintentional victim, or only those which were targeted directly at you?

5. What are the timeframes within which you are covered? Some cyberattacks are not discovered for years. Are you covered six years down the line?

6. Does the policy cover you globally? Will it include coverage for data theft or loss that occurs outside of the U.S.?

7. What kind of response time can you expect in the event of a data breach?

8. What are your responsibilities in this relationship, e.g., auditing or compliance obligations?

9. Is there coverage for reputational loss? Crisis management coverage, which will help you pay for hiring a PR firm, isn’t enough. You want an endorsement that helps you recover lost income after a cyberattack.

10. Does your policy include coverage for General Data Protection Regulation and California Consumer Privacy Act violations?

The bottom line: cyber criminals are always honing their methods. You’ll want to be sure your cyber insurance policy addresses the latest hacking threats.

Michael Ferentinos is an insurance advisor in CCIG’s Commercial Lines department. Reach him at or at 720-212-2043.

CCIG is a Denver-area insurance, employee benefits and surety brokerage with clients nationwide. We do more than make sure you have the right policy. We help you manage your long-term cost of insurance with our risk and claims management expertise and a commitment to service excellence.

Share this:
Back to Resources

Contact Us

Call us at 303-799-0110 or reach out by filling out a short form.

Get In Touch