Navigating Cyber Risks in Senior Living

Today’s blog highlights the CrowdStrike outage, emphasizing the need for strong cyber insurance and business continuity in senior living.
The CrowdStrike Incident: A Wake-Up Call
In July 2024, a global tech outage impacted businesses, including healthcare and senior living facilities. This incident wasn’t a cyberattack, but rather a system failure originating from a faulty update in CrowdStrike’s “Falcon” cybersecurity software. The outage caused widespread system crashes, with many computers showing the infamous ‘blue screen of death.’
For senior living facilities, which rely on technology for care and operations, such outages can have serious consequences. Imagine the potential impact on medication management systems, electronic health records, or emergency response protocols.
Understanding System Outages
A system outage, as experienced in the CrowdStrike incident, differs from a cyberattack. Unlike cyberattacks, system outages happen due to technical failures, software bugs, or other non-malicious causes. However, the effects can be equally devastating.
Many cyber and Technology Errors and Omissions (Tech E&O) insurance policies cover losses caused by:
- System Failure: An unintentional and unplanned interruption of computer systems.
- Dependent System Failure: A failure of computer security to prevent a breach of systems operated by a dependent business.
For senior living facilities, this includes failures in third-party healthcare systems or electronic health records.
The Role of Cyber Insurance in Senior Living
Because of sensitive data and potential disruptions, cyber insurance is essential for senior living facilities. Here’s how cyber insurance can protect your facility:
- Business Income Loss Coverage helps offset financial impacts if an outage halts operations or limits resident care.
- Extra Expense Coverage covers costs to maintain operations during an outage, like temporary staff or manual records.
- Dependent Business Interruption covers losses if third-party systems, like cloud health records, go down.
- Regulatory Coverage helps cover fines and penalties from healthcare data protection investigations.
Key Considerations for Your Cyber Insurance Policy
When reviewing your cyber insurance policy, pay attention to:
- Waiting Period: Understand how long after an incident your coverage kicks in. This is typically specified in hours on your policy’s declaration page.
- Reporting Requirements: Many policies require prompt reporting of incidents. Familiarize yourself with these obligations to ensure you don’t jeopardize your coverage.
- Coverage Scope: Make sure your policy covers both direct losses and third-party claims.
- Business Interruption Assessment: Regularly evaluate how a system outage could impact your operations. This helps in accurately assessing potential losses and ensuring adequate coverage.
Beyond Insurance: Strengthening Your Cyber Resilience
While insurance is crucial, it’s equally important to implement strong preventive measures:
- Regular System Backups: Maintain offline backups of critical data and systems.
- Staff Training: Educate your team on cybersecurity best practices and how to respond to system outages.
- Incident Response Plan: Develop and regularly test a comprehensive plan for responding to both cyberattacks and system outages.
- Vendor Management: Carefully vet and monitor third-party service providers who have access to your systems or data.
- Compliance: Stay up-to-date with healthcare data protection regulations and implement necessary safeguards.
The SEC’s New Cybersecurity Disclosure Rules
For any publicly traded senior living companies, the U.S. Securities and Exchange Commission (SEC) has introduced new cybersecurity disclosure rules. These rules require prompt reporting of material cybersecurity incidents and annual disclosures about cybersecurity risk management and governance. While many senior living facilities are privately held, these regulations underscore the growing importance of cybersecurity in all sectors.
Conclusion
The CrowdStrike outage serves as a powerful reminder of the vulnerabilities inherent in our digital infrastructure. For senior living, where technology is key to care and operations, preparing for incidents is essential.
As your insurance partner, we’re here to help you navigate these complex risks. We help assess your cyber insurance, identify gaps, and create a risk management plan for your senior living facility.
Remember, in today’s digital landscape, it’s not a matter of if a cyber incident will occur, but when. Let’s ensure your facility is prepared and protected.
Please don’t hesitate to reach out if you have any questions or would like a review of your current coverage. Your residents’ care and your facility’s resilience are our top priorities.
Stay safe and secure!