Cyber Insurance, HIPAA, and the New Baseline for Healthcare Security

When the Insurance Application Became a Security Audit

A few years ago, buying cyber insurance for a medical or dental practice was straightforward. You filled out a short application, answered a handful of general questions, and received a quote. Those days are over. Today’s cyber insurance application reads like a security audit — and for good reason. Insurers paid out heavily on healthcare ransomware claims, and they responded by tightening underwriting dramatically.

The practical effect is that cyber insurers now define a de facto security baseline for healthcare. To get a policy at a reasonable premium — and in some cases to get coverage at all — a practice must demonstrate a specific set of controls. The encouraging part of this story is that the controls insurers demand are very nearly the same controls that HIPAA expects and that good security practice recommends. The insurer is, in effect, doing your security prioritization for you.

The current HIPAA Security Rule remains in effect, and the HHS/OCR proposed updates published in early 2025 would make several of these controls more explicit. So when an insurer asks whether you have MFA, tested backups, and an incident response plan, they are asking about the same controls that regulators and auditors increasingly expect. The two frameworks have converged.

The Controls Insurers Now Expect

The specific questions vary by carrier, but the modern cyber insurance application consistently probes for the same core controls.

Multi-Factor Authentication

MFA is now table stakes. Insurers ask whether MFA protects email, remote access, administrative accounts, and increasingly the EHR itself. Many carriers will simply decline to quote a practice that lacks MFA on remote access and privileged accounts. This aligns precisely with HIPAA’s access-control expectations and with where the proposed Security Rule updates are heading.

Endpoint Detection and Response (EDR)

Traditional antivirus is no longer sufficient in the eyes of most underwriters. They want endpoint detection and response — tooling that can detect suspicious behavior, not just known malware signatures, and respond to it. Insurers ask whether EDR is deployed across all endpoints and whether it is monitored. This maps to HIPAA’s expectation of protection against malicious software and the ability to detect security incidents.

Tested, Recoverable Backups

Insurers learned that backups are the difference between a ransomware event being a costly inconvenience and a business-ending catastrophe. They ask not just whether you have backups, but whether they are tested, whether at least one copy is isolated or immutable so ransomware cannot reach it, and how quickly you can recover. This connects directly to HIPAA’s data backup and disaster recovery requirements under the contingency planning standard.

“The insurer’s application is, in effect, a prioritized security checklist written by people who have paid out millions in healthcare ransomware claims. They’ve learned which controls actually prevent losses — and those are the controls they now require.”

Patch and Vulnerability Management

Underwriters ask how quickly critical patches are applied and whether there is a defined process for managing vulnerabilities. Unpatched systems are among the most common ransomware entry points, and insurers know it. HIPAA’s risk-management requirements expect exactly this kind of ongoing remediation of identified weaknesses.

Incident Response Capability

Insurers want to know that you have a documented incident response plan, that you know whom to call, and that you can contain an incident quickly. Some carriers require that you use their approved incident response vendors and notify them within a defined window. This aligns with HIPAA’s security incident procedures requirement.

Vendor and Third-Party Oversight

Increasingly, applications ask about your management of vendors who handle your data — whether you have agreements in place and whether you assess their security. This is the cyber insurance analog of HIPAA’s Business Associate Agreement requirements and the broader expectation of vendor oversight.

Why This Convergence Is Good News

It is easy to see tightening insurance requirements as a burden. The more useful framing is that insurers have done the hard work of identifying which controls actually reduce real-world losses, and they have made those controls a condition of coverage. A practice that satisfies its cyber insurer’s requirements has, almost as a byproduct, implemented the controls that HIPAA expects and that genuinely reduce breach risk.

This convergence also creates a useful forcing function. Security improvements often get deferred indefinitely because there is no hard deadline. A policy renewal is a hard deadline. The annual insurance application becomes an annual prompt to verify that MFA coverage hasn’t drifted, that backups are still being tested, that EDR is deployed everywhere, and that the incident response plan is current.

Avoiding the Attestation Trap

There is one serious risk in this environment, and every practice should understand it. Cyber insurance applications require attestations — you are signing a statement that the described controls are actually in place. If you attest that you have MFA on all remote access, and a breach investigation later reveals that one remote access path lacked MFA, the insurer may dispute or deny the claim on the grounds of material misrepresentation.

This makes accuracy on the application critical. Do not attest to controls you have not actually verified. If MFA coverage is incomplete, say so and fix it — do not paper over the gap. The attestation that gets you a policy can become the document that voids your claim if it isn’t true. Treat the application as a statement of fact that you can defend after an incident, not as a form to optimize for the lowest premium.

A Practical Approach for a Small Practice

  1. Treat the insurance application as a security roadmap. The controls it asks about are the controls worth prioritizing.
  2. Verify, don’t assume. Before attesting to a control, confirm it is actually in place across the whole environment.
  3. Close gaps before renewal. Use the renewal cycle as a deadline to fix anything that has drifted since last year.
  4. Document everything. The same documentation that supports your HIPAA compliance — risk analysis, policies, training records, BAAs — supports your insurance attestations.
  5. Keep the incident response plan current and know your carrier’s notification requirements. After an incident is the wrong time to learn that your policy required notifying the insurer within a specific window.

The Byzantine Takeaway

Cyber insurers have become an influential standard-setter for healthcare security, and the baseline they have set — MFA, EDR, tested backups, patching, incident response, and vendor oversight — maps cleanly onto HIPAA expectations and good security practice. That convergence is genuinely good news: satisfying your insurer means implementing the controls that actually reduce breach risk. The one caution is the attestation: sign only what you can defend after an incident, because an inaccurate application can turn into a denied claim. Used well, the annual renewal becomes a built-in checkpoint that keeps your security program honest.