
Cyber liability underwriting requirements for small healthcare practices

A practical brief for brokers and the 5–50 employee medical, dental, imaging, PT, or specialty practices they advise.

Foreword

Three pressures are converging on small healthcare practices in 2026. Cyber underwriters are tightening the controls they require before binding coverage. The HIPAA Security Rule is on the cusp of its first substantive update since 2013, and the direction of travel is clear. AI-era attackers now operate at speeds and scales a five-person front desk cannot outrun. The controls that satisfy one of these pressures are largely the same controls that satisfy the other two, so implementing them once is the single most efficient step available to the practice and the best underwriting posture available to the broker.

This brief lays out the eight specific technical controls underwriters are asking about in 2026, what "implemented" actually looks like inside a practice of this scale, why the AI threat landscape has raised the bar since the last renewal cycle, and why claims still get denied even after coverage is bound. Brokers and practice owners alike should finish it able to name which controls their client (or their own practice) can truthfully attest to today, and which controls require 60 to 90 days of work before the next application.

In one page

  • Coverage now turns on eight verifiable technical controls, not a broad attestation. A mismatch between what the practice attests to and what the claims adjuster finds post-loss is the single most common reason coverage is voided.
  • AI has compressed attack timelines to minutes and commoditized phishing and voice-cloning. Average eCrime breakout time is now 29 minutes, and autonomous attack agents are already targeting healthcare. The controls on underwriter applications have become the last line of defense.
  • Business email compromise (BEC) and business-associate compromise now drive the non-ransomware loss pattern. BEC and funds-transfer fraud together drove 58% of all cyber claims in 2025, and the Change Healthcare attack (193 million PHI records, $1.3–$1.6 billion in direct response costs from a single Business Associate (BA) compromise) is the sector’s reference ceiling.
  • Texas compounds the exposure. The Texas Data Privacy and Security Act (TDPSA) carries statutory penalties up to $7,500 per violation under exclusive Attorney General enforcement, and Senate Bill 1188 requires electronic protected health information (ePHI) to remain on U.S. soil. The same controls evidence both.
  • The HIPAA Security Rule update pending in 2026 would make the same controls legally mandatory. Implementing them once satisfies underwriter, regulator, and real-world attacker.
  • Claims most often fail for reasons the practice could have controlled. Misattestation at application, missed notification windows, and multi-factor authentication (MFA) turned off mid-policy-period account for most of the denied claims we see.
  • Documentary proof is replacing verbal attestation. Carriers now ask for MFA enforcement screenshots, endpoint detection and response (EDR) coverage reports, backup restore-test logs, the incident response plan, the risk analysis, the BA inventory, and the wire-verification procedure. A checked box no longer survives first loss.
  • Closing the gap is a six-to-eight-week engagement for a typical 10–20 person practice. Implementation runs $15,000–$35,000 against an average healthcare breach cost of $7.42 million, and cyber rates are in their eleventh consecutive quarter of decrease.

The 2026 environment

A few data points frame the conversation.

  • Healthcare breach costs have led every industry for fourteen consecutive years. The 2025 IBM Cost of a Data Breach Report puts the average healthcare breach at $7.42 million, with a mean containment time of 279 days.
  • Small practices are not flying under the radar. In the first nine months of 2025, Comparitech tracked 293 ransomware attacks on direct-care providers at an average ransom demand of $514,000, and Verizon’s 2025 DBIR found ransomware present in 88% of SMB breaches against 39% at large organizations.
  • The Change Healthcare attack of February 2024 compromised the protected health information (PHI) of approximately 193 million individuals and cost parent UnitedHealth Group between $1.3 billion and $1.6 billion in direct response costs. Initial access was a single compromised Citrix account without MFA at a Business Associate.
  • Denials concentrate at the application stage and at the controls line. Marsh McLennan’s 2024 analysis found 41% of cyber applications denied on first submission, and Coalition reported 82% of denied claims involved organizations without MFA. Coalition’s 2026 report adds that initial ransom demands rose 47% year-over-year while 86% of businesses hit in 2025 refused to pay, and that BEC and funds-transfer fraud together now account for 58% of all cyber claims.

The controls a practice attests to on the application are the controls the claims adjuster will verify if a loss occurs. If the attestation does not match reality, the claim is denied after the premium has been paid and the breach absorbed.

The eight controls underwriters are asking about

The list below is drawn from current applications by Beazley, Coalition, Chubb, Travelers, and Hartford, and from the public advisory guidance of Aon, Marsh McLennan, and CISA. The wording varies by carrier; the questions are consistent. The full brief documents each control with the specific question underwriters ask, why it matters, what "implemented" looks like inside a practice of this scale, and where practices of this size most commonly fall short.

  1. Multi-Factor Authentication (Identity & access)
  2. Endpoint Detection and Response (Endpoint security)
  3. Immutable and Tested Backups (Resilience)
  4. Written and Tested Incident Response Plan (Preparedness)
  5. Email Security and Awareness Training (Human layer)
  6. Timely Patch Management (Vulnerability management)
  7. Written Security Risk Analysis (Governance & compliance)
  8. Business Associate Oversight and Funds-Transfer Integrity (Funds-transfer integrity)

The full brief (18 pages, April 2026) covers each control with the question underwriters ask, why it matters, what implementation looks like inside a small practice, and where practices of this size commonly fall short. It also walks through why claims still get denied after coverage binds, what has changed in Texas specifically, the HIPAA Security Rule update pending in 2026, and the practical sequence a practice should follow before its next application or renewal. Request a copy to keep reading.