47 controls mapped to what underwriters verify · one-time purchase · instant download
Why cyber insurance is different for healthcare practices
A medical practice holds protected health information (PHI) — diagnoses, treatment records, insurance and payment data — that commands a premium on criminal markets precisely because, unlike a credit card, a medical record cannot be reissued. That permanence, plus the operational reality that a practice that loses access to its EHR cannot safely see patients, makes healthcare a priority ransomware target and a vertical carriers underwrite carefully.
The regulatory driver is the HIPAA Security Rule, which mandates administrative, physical, and technical safeguards for electronic PHI, including access controls, audit controls, and encryption as an "addressable" specification that practices are expected to implement or document why not. The HHS Office for Civil Rights publishes breach settlements that routinely cite missing risk analyses, absent encryption, and unmanaged access — the same gaps an underwriter probes. A reportable breach of 500+ records lands a practice on the public OCR "wall of shame."
Underwriters for healthcare focus on three things: can you keep PHI confidential (encryption, MFA, access control), can you keep operating after an attack (tested, air-gapped backups and an RTO that lets you resume patient care), and can you prove you assessed your own risk (the HIPAA-required risk analysis doubles as underwriting evidence). Practices that present a completed risk analysis and encrypted, tested backups consistently see better terms than those relying on “we use a cloud EHR” as their entire answer.
The regulatory and contractual pressures underwriters expect healthcare practices to have already accounted for.
Priority controls
Drawn verbatim from the 47-control Cyber Insurance Prep Checklist — with why each one matters specifically for your vertical.
Encrypt sensitive customer data at rest (PII, PHI, payment card).
Encryption of PHI at rest is the addressable HIPAA safeguard OCR most often cites in settlements; carriers treat unencrypted PHI as a near-automatic load or decline.
Require multi-factor authentication on every email account.
A breached clinical mailbox or EHR login exposes PHI directly — MFA is the access control that turns a stolen password into a non-event.
Keep at least one air-gapped or append-only backup.
A practice cannot ethically or operationally see patients without its records; an air-gapped backup is what lets a clinic refuse a ransom and resume care.
Test backup restoration at least once in the last 12 months.
Untested backups fail when an EHR must be restored; carriers ask specifically whether a restore was tested in the last 12 months.
Limit third-party vendor remote access to approved windows, with MFA.
Billing companies, IT vendors, and specialty labs touch PHI under Business Associate Agreements; uncontrolled vendor access is both a HIPAA and underwriting failure.
Deploy Endpoint Detection & Response (EDR) on all endpoints.
EDR on clinical workstations catches ransomware before it reaches the EHR server — the loss scenario carriers fear most in healthcare.
Provide security awareness training to all employees annually.
Front-desk and clinical staff are the phishing entry point; HIPAA already requires workforce security training, so this control does double duty.
These are 7 of the 47 controls. The full checklist covers all of them — required, premium-affecting, and disqualifying — with verification and remediation steps.
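The vendor-access control above ("approved windows, with MFA") and the underwriting point that vendor access must be controlled and logged are easier to reason about when written as a policy check. The following is an added example, not code from the checklist or from any vendor or EHR product: it evaluates each remote-access request against a per-vendor policy (Business Associate Agreement on file, MFA verified, target host on the vendor's allowlist, timestamp inside an approved UTC window) and emits one audit line per decision, allow or deny. The vendor names, hostnames, windows and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessWindow:
    """An approved maintenance window, expressed in UTC; must not span midnight."""
    weekdays: frozenset          # 0 = Monday ... 6 = Sunday
    start: time                  # inclusive
    end: time                    # exclusive

    def __post_init__(self):
        if self.start >= self.end:
            raise ValueError("window must start before it ends (split overnight windows in two)")

    def contains(self, ts: datetime) -> bool:
        return ts.weekday() in self.weekdays and self.start <= ts.time() < self.end


@dataclass(frozen=True)
class VendorPolicy:
    name: str
    baa_on_file: bool                   # Business Associate Agreement signed
    windows: Tuple[AccessWindow, ...]   # approved windows (empty = never)
    allowed_hosts: frozenset            # systems this vendor may reach


@dataclass(frozen=True)
class AccessRequest:
    vendor: str
    ts: datetime                        # must be timezone-aware
    mfa_verified: bool
    target_host: str


def evaluate(policy: Dict[str, VendorPolicy], req: AccessRequest) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason). A deny names the first failing check so the
    audit log explains the decision; MFA is checked before the window so a missing
    second factor is never masked as a scheduling problem."""
    p = policy.get(req.vendor)
    if p is None:
        return "deny", "unknown vendor"
    if not p.baa_on_file:
        return "deny", "no Business Associate Agreement on file"
    if not req.mfa_verified:
        return "deny", "MFA not verified"
    if req.target_host not in p.allowed_hosts:
        return "deny", "host not in vendor allowlist"
    if req.ts.tzinfo is None:
        return "deny", "timestamp has no timezone; cannot evaluate window"
    ts_utc = req.ts.astimezone(timezone.utc)
    if not any(w.contains(ts_utc) for w in p.windows):
        return "deny", "outside approved window"
    return "allow", "within approved window, MFA verified"


def audit_line(req: AccessRequest, decision: str, reason: str) -> str:
    """One structured log line per decision (allow and deny alike), which is the
    record a HIPAA audit-control review or an underwriter questionnaire asks for."""
    return (f'{req.ts.isoformat()} vendor={req.vendor} host={req.target_host} '
            f'mfa={str(req.mfa_verified).lower()} decision={decision} reason="{reason}"')


# --- Constructed sample policy and requests; vendors and hosts are hypothetical ---
WEEKDAYS = frozenset(range(0, 5))
WEEKEND = frozenset({5, 6})
UTC = timezone.utc

POLICY = {
    "billing-co": VendorPolicy("billing-co", True,
                               (AccessWindow(WEEKDAYS, time(18, 0), time(22, 0)),),
                               frozenset({"billing-gw"})),
    "it-msp": VendorPolicy("it-msp", True,
                           (AccessWindow(WEEKEND, time(0, 0), time(6, 0)),),
                           frozenset({"ehr-app-01", "ehr-db-01"})),
    "old-lab": VendorPolicy("old-lab", False, (), frozenset()),   # BAA lapsed
}

SAMPLE_REQUESTS = [
    AccessRequest("billing-co", datetime(2024, 6, 4, 19, 30, tzinfo=UTC), True, "billing-gw"),   # Tuesday, in window
    AccessRequest("billing-co", datetime(2024, 6, 4, 19, 30, tzinfo=UTC), False, "billing-gw"),  # no MFA
    AccessRequest("billing-co", datetime(2024, 6, 4, 19, 30, tzinfo=UTC), True, "ehr-db-01"),    # wrong host
    AccessRequest("it-msp", datetime(2024, 6, 4, 2, 0, tzinfo=UTC), True, "ehr-app-01"),         # Tuesday, weekend-only vendor
    AccessRequest("it-msp", datetime(2024, 6, 9, 3, 0, tzinfo=UTC), True, "ehr-app-01"),         # Sunday, in window
    AccessRequest("old-lab", datetime(2024, 6, 9, 3, 0, tzinfo=UTC), True, "ehr-app-01"),        # no BAA
    AccessRequest("nobody", datetime(2024, 6, 9, 3, 0, tzinfo=UTC), True, "ehr-app-01"),         # unknown vendor
]


def run(policy: Dict[str, VendorPolicy], requests: List[AccessRequest]) -> List[Tuple[str, str]]:
    """Evaluate each request, print its audit line, and return the decisions."""
    results = []
    for req in requests:
        decision, reason = evaluate(policy, req)
        print(audit_line(req, decision, reason))
        results.append((decision, reason))
    return results


if __name__ == "__main__":
    run(POLICY, SAMPLE_REQUESTS)
```

Windows are defined in UTC and requests are converted before comparison, because a window written in clinic-local time and compared against a vendor's local clock is a common way a control that exists on paper fails in practice; a naive timestamp is denied rather than guessed. Denials are logged as fully as allows, since the denied attempts are what a reviewer will want to see.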
By purchasing you agree to our Terms. Digital products are non-refundable once accessed. A checklist supports your application; it does not guarantee an underwriting decision.
HIPAA does not mandate insurance, but it does mandate the technical and administrative safeguards — risk analysis, access controls, encryption — that cyber underwriters score. A practice that is HIPAA-compliant is most of the way to an insurable risk profile, and the documentation overlaps almost entirely.
Encryption at rest is an "addressable" HIPAA specification, meaning you implement it or document a reasonable alternative. In practice, cyber underwriters treat unencrypted PHI as a serious gap, and OCR settlements repeatedly cite missing encryption, so it functions as a requirement for both compliance and favorable insurance terms.
Your Business Associate Agreements determine liability flow-down, but the practice often remains the covered entity reporting to OCR. Underwriters ask about vendor access controls because a breach originating at your billing company or IT provider can still become your reportable incident — controlling and logging vendor access is a weighted question.