White Paper / August 2025

Economics of Cyber Policies for Critical Care


Cyberattacks are a pressing threat to hospital operations, patient health data, and, most importantly, patient lives. Cybersecurity insurance has become a key component of resilience for the healthcare sector, yet lower-resourced hospitals face gaps in coverage, and caps (i.e., maximum limits) on losses leave the entire sector vulnerable to catastrophic, large-scale cyberattacks.

A new report published as part of the CLTC White Paper Series, Economics of Cyber Policies for Critical Care: Models for Improving the Resilience of the Healthcare Sector, examines a range of issues related to cyber insurance coverage in U.S. health systems, including whether premiums and loss caps vary based on hospital size and resource level; whether insurance coverage has driven cyber investment and maturity in hospitals; and the cost and efficacy of cyber insurance policies often proposed by industry and policymakers. 


The report, authored by Aden Klein, a legislative and policy analyst for healthcare supply-chain company Premier Inc., was published as part of the Center for Long-Term Cybersecurity’s 2025 Public Interest Cybersecurity Research Call for Papers and was presented in June at the 2025 Cyber Civil Defense Summit.

“As federal and state lawmakers consider how to better secure hospitals and critical medical services against cyber threats and malicious actors, they have an opportunity to shape policies that would close cyber insurance gaps and bolster the overall cyber maturity of the healthcare sector,” Klein writes in the report. “However, existing research has not yet established the most effective policy models to close gaps in coverage or fully examined whether cyber insurance actually drives improvement in overall cyber maturity in hospitals.”

For his study, Klein surveyed ten U.S. health systems — representing 116 hospitals and hundreds of clinics and facilities — on a standard set of questions, including whether they had cyber insurance coverage, how much they pay in annual premiums, and whether their hospitals had adopted any of a set of cyber best practices in order to obtain coverage.

Responses to the survey indicated that small and rural hospitals pay the highest cyber insurance premiums per bed by a significant margin, and confirmed that typical loss caps could cover the average cyberattack but are well below the costs of a sector-wide incident. The survey results also indicated that most health systems have adopted best practices or invested in better cyber hygiene in order to obtain cyber insurance.

“Based on these findings, policymakers should consider using a cyber insurance backstop — a mechanism through which the federal government limits insured losses above a certain threshold — to incentivize increased up-front cyber investment by health systems while simultaneously building resilience against large-scale cyber disruptions,” Klein writes.

The report examines the potential benefits (and challenges) of two commonly proposed backstops: federally subsidized coverage for uninsured hospitals, and an extension of terrorism insurance covering catastrophic cyberattacks. Klein notes that both of these solutions raise issues related to cost-effectiveness and “limited ability to actually close market gaps in coverage.”

However, the report points to the promise of pooled insurance programs, through which healthcare organizations of all sizes can pool their risk and enter into a shared agreement with insurers. Such an arrangement would “assess population risk and redistribute some of the cost of insuring high-risk entities to low-risk entities,” Klein writes, while a “government backstop could incentivize large health systems to participate in such a pool and bolster sector resilience while also bringing down premiums and making coverage more accessible for small hospitals.”

Organizations that seek to participate in such a program — i.e., a cyber insurance pool with a government backstop — could be required to demonstrate strong cybersecurity practices, thereby strengthening the security of the sector as a whole. Such a program “would make cyber insurance more affordable, freeing up capital for health systems and hospitals to invest in cybersecurity,” Klein writes.

“Cyber insurance coverage has provided a mechanism to drive hospital investments in better cyber hygiene and controls,” Klein concludes. “Ultimately, policymakers can ensure that healthcare providers find collaborative advantages in the face of a rising tide of cyber threats — but only if incentives are realigned to free up budget dollars for up-front investment and reward risk-sharing models that make resilience more affordable.”
