Cyber Insurance for Home Health Agencies: What Carriers Now Require and How to Qualify

Obi Ibeto

Cyber insurance underwriters are tightening requirements for home health agencies. Here is what carriers now demand — and how to qualify for maximum coverage at the best premium.

The cyber insurance market for home health agencies has fundamentally changed. Premium increases of 40–80% compounded over three years. Minimum control requirements that now mirror the 2026 HIPAA Security Rule. Ransomware sublimits that reduce payouts dramatically for agencies without the right controls. Understanding what carriers now require — and how to demonstrate it — is the difference between comprehensive coverage and false security.

How Healthcare Cyber Insurance Underwriting Changed

Pre-2021 applications asked whether organizations had antivirus, backup, and a firewall. Three yes answers qualified most applicants. That era ended when ransomware losses scaled beyond what original pricing models anticipated. Current questionnaires ask specific, verifiable questions about controls that predict claims:

  • Is MFA enforced on all accounts — remote access and cloud email — with no bypass option? (Enforced for every user, not merely available)
  • Is behavioral EDR deployed on all endpoints? (Not antivirus — continuous behavioral monitoring)
  • Are backups immutable, isolated from production, and tested with documented restoration results?
  • Is privileged access management implemented with administrator accounts separate from user accounts?
  • Has a penetration test been conducted in the past 12 months?
  • What is the documented timeline for patching critical vulnerabilities?

The Five Minimum Controls Required for Coverage

Most carriers will not issue a policy — or will issue with significant sublimits — to home health agencies unable to confirm all five:

  • MFA enforced on email and all remote access for every user — no exceptions
  • Behavioral EDR on all Windows and Mac endpoints
  • Immutable offsite backup with documented, tested restoration procedure
  • Security awareness training program with completion records
  • Written incident response plan including breach notification procedures

Controls That Reduce Your Premium

  • Documented HIPAA risk analysis — evidence of systematic risk management
  • Phishing simulation program with click-rate data — demonstrates training effectiveness
  • 24/7 SOC monitoring — reduces mean time to detection, a key actuarial metric for carriers
  • Network segmentation — reduces blast radius, directly reducing expected claim size
  • Dark web monitoring — demonstrates proactive credential exposure detection

Policy Terms That Matter Most

Ransomware Sublimit

Confirm the ransomware sublimit equals the full policy limit. A $1M policy with a $250K ransomware sublimit is a $250K policy for the most likely healthcare claim type.

Business Interruption Coverage

Confirm whether lost revenue during an outage is covered, whether a waiting period applies before coverage activates (typically 12–24 hours), and whether third-party outages (such as a clearinghouse or EHR vendor) are included.

HIPAA Regulatory Defense and Retroactive Date

Coverage for OCR investigation costs and legal defense is increasingly critical as OCR enforcement against smaller covered entities accelerates. Confirm the retroactive date extends at least 3 years — ransomware groups conduct reconnaissance weeks before detonation.

ShieldForce clients consistently qualify for improved cyber insurance terms because our managed service delivers the controls underwriters require — documented and verifiable for every underwriting application.

Ready to protect your home health agency? The first step takes 30 minutes and costs nothing. ShieldForce delivers purpose-built managed cybersecurity for healthcare — 24/7 SOC monitoring, behavioral EDR, advanced layered email security, immutable backup with tested restoration, MFA enforcement, and complete HIPAA documentation — starting at $35/user/month. BAA signed on day one. Fully deployed in 72 hours. No IT staff required.
