In today's blog we discuss a recent event that underscores the critical importance of robust cyber insurance and business continuity planning. The recent CrowdStrike outage serves as a stark reminder of the vulnerabilities all organizations face in our increasingly digital world, including senior living.

The CrowdStrike Incident: A Wake-Up Call

In July 2024, a widespread tech outage affected businesses and organizations globally, including many in the healthcare and senior living sectors. This incident wasn't a cyberattack, but rather a system failure originating from a faulty update in CrowdStrike's "Falcon" cybersecurity software. The result was catastrophic for many: system crashes worldwide, with countless computers displaying the dreaded "blue screen of death" error message.

For senior living facilities, which rely heavily on technology for patient care, record-keeping, and daily operations, such an outage could have severe consequences. Imagine the potential impact on medication management systems, electronic health records, or emergency response protocols.

Understanding System Outages

A system outage, as experienced in the CrowdStrike incident, differs from a cyberattack. While a cyberattack involves malicious intent to access, alter, or destroy information, a system outage can occur due to technical failures, software bugs, or other non-malicious causes. However, the effects can be equally devastating.

Many cyber and Technology Errors and Omissions (Tech E&O) insurance policies cover losses caused by:

1. System Failure: An unintentional and unplanned interruption of computer systems.
2. Dependent System Failure: A failure of computer security to prevent a breach of systems operated by a dependent business.

For senior living facilities, this could include failures in systems managed by third-party healthcare technology providers or electronic health record systems.

The Role of Cyber Insurance in Senior Living

Given the sensitive nature of data handled by senior living facilities and the potential for significant operational disruption, cyber insurance is no longer optional—it's a necessity. Here's how cyber insurance can protect your facility:

1. Business Income Loss Coverage: If a system outage forces you to suspend operations or reduces your capacity to care for residents, this coverage can help offset the financial impact.
2. Extra Expense Coverage: This helps cover additional costs incurred to maintain operations during a system outage, such as temporary staffing or manual record-keeping measures.
   
3. Dependent Business Interruption: If your facility relies on third-party systems (like cloud-based health record systems) and they experience an outage, this coverage can help mitigate your losses.
   
4. Regulatory Coverage: With increasing scrutiny on data protection in healthcare, cyber policies can provide coverage for fines and penalties resulting from investigations by regulatory agencies.

Key Considerations for Your Cyber Insurance Policy

When reviewing your cyber insurance policy, pay attention to:

1. Waiting Period: Understand how long after an incident your coverage kicks in. This is typically specified in hours on your policy's declaration page.
   
2. Reporting Requirements: Many policies require prompt reporting of incidents. Familiarize yourself with these obligations to ensure you don't jeopardize your coverage.
   
3. Coverage Scope: Ensure your policy covers both first-party losses (your direct costs) and third-party liabilities (claims made against you by others).
   
4. Business Interruption Assessment: Regularly evaluate how a system outage could impact your operations. This helps in accurately assessing potential losses and ensuring adequate coverage.

Beyond Insurance: Strengthening Your Cyber Resilience

While insurance is crucial, it's equally important to implement strong preventive measures:

1. Regular System Backups: Maintain offline backups of critical data and systems.
2. Staff Training: Educate your team on cybersecurity best practices and how to respond to system outages.
   
3. Incident Response Plan: Develop and regularly test a comprehensive plan for responding to both cyberattacks and system outages.
   
4. Vendor Management: Carefully vet and monitor third-party service providers who have access to your systems or data.
   
5. Compliance: Stay up-to-date with healthcare data protection regulations and implement necessary safeguards.

The SEC's New Cybersecurity Disclosure Rules

For any publicly traded senior living companies, the U.S. Securities and Exchange Commission (SEC) has introduced new cybersecurity disclosure rules. These rules require prompt reporting of material cybersecurity incidents and annual disclosures about cybersecurity risk management and governance. While many senior living facilities are privately held, these regulations underscore the growing importance of cybersecurity in all sectors.

Conclusion

The CrowdStrike outage serves as a powerful reminder of the vulnerabilities inherent in our digital infrastructure. For senior living operations, where technology plays an increasingly critical role in resident care and operational efficiency, being prepared for such incidents is paramount.

As your insurance partner, we're here to help you navigate these complex risks. We can work with you to assess your current cyber insurance coverage, identify potential gaps, and develop a comprehensive risk management strategy tailored to the unique needs of your senior living facility.

Remember, in today's digital landscape, it's not a matter of if a cyber incident will occur, but when. Let's ensure your facility is prepared and protected.

Please don't hesitate to reach out if you have any questions or would like a review of your current coverage. Your residents' care and your facility's resilience are our top priorities.

Stay safe and secure!