The cyber insurance market for healthcare organizations hardened significantly in 2023 and has not relaxed. Carriers that paid hospice and home health claims following ransomware attacks have responded by tightening underwriting requirements, sub-limiting healthcare coverage, and non-renewing organizations that do not meet minimum security standards.
For a hospice agency, cyber insurance is not optional — it is the financial backstop against a ransomware incident that could otherwise be existential. But getting coverage you can actually use when you need it requires more than checking boxes on an application. It requires having the controls in place, documented and verifiable.
What Every Major Carrier Now Requires for Hospice
MFA — No Exceptions
Every major cyber insurance carrier — Chubb, Travelers, Beazley, Coalition, CNA, Tokio Marine — requires multi-factor authentication as a condition of coverage for healthcare organizations. The MFA requirement is not negotiable and applies to:
- All email accounts (Microsoft 365, Google Workspace)
- Remote access systems (VPN, RDP, EHR portals accessed from outside the office network)
- Any administrative systems with access to ePHI
For hospice agencies, the relevant external-access systems include your EHR (Netsmart myUnity, Brightree, Axxess, MatrixCare, Suncoast), your email platform, and any remote management tools your IT vendor uses.
Carriers will increasingly ask this question explicitly: "Is MFA enforced for all users on all email and remote access systems?" If the answer is no — even for a single account — it can result in a policy exclusion, sub-limit, or higher premium.
Endpoint Detection and Response (EDR)
Antivirus is insufficient for healthcare cyber insurance underwriting. Carriers understand that modern ransomware is polymorphic — it changes enough to evade signature-based antivirus. They require behavioral EDR that detects threat activity based on behavior rather than signatures.
EDR must cover all endpoints — not just office workstations. For hospice agencies with field staff on personal devices, this means MDM-managed EDR on devices that access EHR and email. Carriers are beginning to ask specifically about field device coverage, not just office endpoints.
Immutable or Offline Backups — Tested
Carriers have learned from claims experience that backups connected to the primary network are encrypted alongside production systems. They now require explicit confirmation that backups are immutable (cannot be modified or deleted) or air-gapped (stored offline, disconnected from the network), and that restoration has been tested within the past 12 months.
The test documentation matters as much as the backup itself. From a claims perspective, a backup that has never been restored successfully is only an untested assertion that you can recover.
Documented Incident Response Plan
A written incident response plan is increasingly requested at underwriting — not just at the time of a claim. Carriers want to know that your agency has a pre-planned, documented response to a ransomware attack that does not require improvisation at 2am.
The plan should reference your hospice-specific clinical continuity procedures — what happens to patient care during a system outage — in addition to the standard IT recovery procedures.
Security Awareness Training with Phishing Simulation
Annual security awareness training is required. Carriers increasingly ask about phishing simulation results — specifically click rates. Hospice agencies where staff click simulated phishing emails at high rates (above 20%) are considered higher-risk and may face premium consequences.
Training must include role-specific content. A hospice clinical team needs training that reflects their specific risk environment — mobile device security, phishing on smartphones, care communication security — not generic IT security training.
What Happens if You Misrepresent Your Controls
Cyber insurance applications ask directly about security controls. If your application states that MFA is enforced on all email and remote access systems, and the carrier's forensic team discovers post-claim that MFA was not enforced on billing staff accounts, you have made a material misrepresentation.
Material misrepresentation gives the carrier grounds to deny the claim and void the policy. For a hospice agency with a $400,000 ransomware incident, discovering that the policy is void due to misrepresentation is a business-ending scenario.
The right approach is to close the security gaps before applying for coverage — not to check the box and hope the claim never comes.
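The questionnaire answers above are only as good as the inventory behind them. The following script is an added example, not code from this page or from ShieldForce: it models the evidence an underwriter asks for (MFA on every email and remote-access account, EDR on every endpoint including field devices, immutable or offline backups with a restore test in the last 12 months, the phishing click rate) and derives the application answers from an inventory, listing every exception so that a single unenforced account cannot slip into a "yes". The account, endpoint and backup records are constructed sample data with hypothetical names and dates; in practice they would be exported from the identity provider, EDR console and backup system.

```python
"""Pre-application control verification for a cyber insurance questionnaire.

Added example, not the page's or ShieldForce's code. All inventory records
below are constructed sample data; system labels are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

REMOTE_ACCESS_SYSTEMS = {"email", "vpn", "rdp", "ehr", "rmm"}  # assumed labels
RESTORE_TEST_MAX_AGE_DAYS = 365          # "tested within the past 12 months"
PHISHING_HIGH_RISK_RATE = 0.20           # click rate above 20% is higher-risk


@dataclass(frozen=True)
class Account:
    user: str
    system: str          # one of REMOTE_ACCESS_SYSTEMS
    mfa_enforced: bool


@dataclass(frozen=True)
class Endpoint:
    name: str
    location: str        # "office" or "field"
    edr_installed: bool


@dataclass(frozen=True)
class Backup:
    name: str
    immutable: bool
    offline: bool
    last_restore_test: Optional[date]


# Constructed sample inventory (hypothetical names and dates)
TODAY = date(2024, 9, 1)
ACCOUNTS = [
    Account("rn.field@hospice.example", "email", True),
    Account("rn.field@hospice.example", "ehr", True),
    Account("billing@hospice.example", "email", False),   # the single gap
    Account("itvendor-rmm", "rmm", True),
]
ENDPOINTS = [
    Endpoint("OFFICE-WS-01", "office", True),
    Endpoint("FIELD-TAB-07", "field", False),             # personal tablet, no EDR
    Endpoint("FIELD-PHONE-12", "field", True),
]
BACKUPS = [
    Backup("EHR nightly", immutable=True, offline=False, last_restore_test=date(2024, 2, 10)),
    Backup("File server", immutable=False, offline=False, last_restore_test=None),
]
PHISHING = {"sent": 250, "clicked": 55}   # last simulation campaign


def mfa_exceptions(accounts: List[Account]) -> List[Account]:
    """Accounts on email or remote-access systems without enforced MFA."""
    return [a for a in accounts
            if a.system in REMOTE_ACCESS_SYSTEMS and not a.mfa_enforced]


def edr_exceptions(endpoints: List[Endpoint]) -> List[Endpoint]:
    """Every endpoint, office or field, that lacks an EDR agent."""
    return [e for e in endpoints if not e.edr_installed]


def backup_findings(backups: List[Backup], today: date) -> List[Tuple[str, str]]:
    """Backups that are neither immutable nor offline, or lack a recent restore test."""
    findings = []
    for b in backups:
        if not (b.immutable or b.offline):
            findings.append((b.name, "not immutable or offline"))
        if b.last_restore_test is None:
            findings.append((b.name, "restore never tested"))
        elif (today - b.last_restore_test).days > RESTORE_TEST_MAX_AGE_DAYS:
            findings.append((b.name, "restore test older than 12 months"))
    return findings


def phishing_click_rate(sent: int, clicked: int) -> float:
    """Fraction of simulated phishing emails that were clicked."""
    return clicked / sent if sent else 0.0


def underwriting_answers(accounts, endpoints, backups, phishing, today) -> Dict[str, object]:
    """Answer the questionnaire truthfully: any single exception makes the answer 'no'."""
    mfa = mfa_exceptions(accounts)
    edr = edr_exceptions(endpoints)
    bak = backup_findings(backups, today)
    rate = phishing_click_rate(phishing["sent"], phishing["clicked"])
    answers: Dict[str, object] = {
        "mfa_all_email_and_remote": not mfa,
        "mfa_exceptions": [f"{a.user}/{a.system}" for a in mfa],
        "edr_all_endpoints": not edr,
        "edr_exceptions": [e.name for e in edr],
        "backups_immutable_and_tested": not bak,
        "backup_findings": bak,
        "phishing_click_rate": rate,
        "phishing_high_risk": rate > PHISHING_HIGH_RISK_RATE,
    }
    # Only attest "yes" on the application when no control has an exception.
    answers["ready_to_attest"] = all(
        answers[k] for k in ("mfa_all_email_and_remote", "edr_all_endpoints",
                             "backups_immutable_and_tested"))
    return answers


if __name__ == "__main__":
    for key, value in underwriting_answers(ACCOUNTS, ENDPOINTS, BACKUPS, PHISHING, TODAY).items():
        print(f"{key}: {value}")
```

With the sample inventory the script answers "no" to the MFA, EDR and backup questions and names the billing mailbox, the field tablet and the untested file-server backup as the reasons; those are the gaps to close before the application is signed, because each one is exactly what a post-claim forensic review would find.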
Hospice-Specific Endorsements to Look For
When reviewing hospice cyber insurance options, look for:
- No ransomware sub-limit for healthcare: Some carriers apply a lower sub-limit for ransomware in healthcare (e.g., $500K limit on a $2M policy for ransomware specifically). Hospice agencies, given the ransomware risk profile of healthcare, need full-limit ransomware coverage.
- Regulatory defense coverage: Includes coverage for OCR HIPAA investigations, state AG actions under the SHIELD Act (in New York), and CMS survey costs related to a cybersecurity incident affecting patient care.
- Business interruption — with hospice care continuity provision: Coverage for lost revenue during the period when care delivery is disrupted by a cybersecurity incident. Hospice-specific policies should recognize that care interruption in hospice has direct patient safety implications that may require additional cost to manage.
Make sure your hospice qualifies for — and keeps — cyber insurance coverage. ShieldForce provides every control that carriers require, with the documentation to verify it.
Start with a free hospice cybersecurity assessment.