Two years ago, getting cyber insurance for a medical practice was a formality. You filled out a short questionnaire, paid a modest premium, and received a policy. That world no longer exists. In 2026, underwriters are denying applications outright, requiring extensive technical evidence before issuing policies, and tripling premiums for practices that can't demonstrate specific security controls.

If your practice in Northern Virginia or Washington DC is approaching a cyber liability policy renewal — or shopping for coverage for the first time — you need to understand exactly what underwriters are evaluating. Fail their checklist and you face one of three outcomes: coverage denied entirely, exclusions that make the policy nearly worthless, or premiums so high that you're paying breach-level costs just for the privilege of coverage.

67% of healthcare organizations reported premium increases of 50% or more at their last cyber insurance renewal (Coalition Cyber Claims Report 2025)

Why Cyber Insurance Requirements Have Tightened for Healthcare

Healthcare is the most expensive industry for data breaches — averaging $7.42 million per incident according to IBM's 2025 Cost of a Data Breach Report. Insurers have been paying out massive claims and they've responded by raising the bar dramatically. The math is simple: if your practice doesn't have basic security controls, you're an unacceptable risk.

Here's what changed in the underwriting process:

Critical warning: If your practice answers "yes" to a control question on the insurance application but can't demonstrate the control during a claim investigation, the insurer can deny your entire claim. This has happened to multiple healthcare organizations in 2024 and 2025. Honesty on the application — even if it raises your premium — protects you when you actually need the policy.

The 12 Controls Cyber Insurance Underwriters Now Require

Based on current application requirements from major cyber liability carriers (Coalition, Hartford, Travelers, Beazley, and CNA), these are the 12 security controls that underwriters evaluate before issuing or renewing a policy for a medical practice. Missing even two or three can result in denial or significant premium surcharges.

12 Controls Underwriters Require (infographic, reconstructed as text; ⚠ = most commonly missing in small medical practices)

  1. MFA Everywhere: all users, all systems accessing ePHI
  2. EDR on All Endpoints ⚠: 24/7 monitoring required
  3. Email Filtering: anti-phishing, anti-malware, DMARC/SPF
  4. Backup Strategy ⚠: 3-2-1 rule, tested recovery
  5. Incident Response Plan ⚠: written, tested annually
  6. Employee Training: annual security awareness + phishing simulations
  7. Privileged Access ⚠: admin accounts restricted
  8. Patch Management: critical patches within 30 days, documented
  9. Network Segmentation ⚠: separate clinical / admin
  10. Encryption: at rest and in transit for all ePHI
  11. Vendor Risk Mgmt ⚠: BAAs + security reviews
  12. Board/Exec Reporting ⚠: quarterly cyber risk updates

Controls without a ⚠ are ones most practices already have; the ⚠ items are commonly missing and should be prioritized first. Missing 3+ controls = likely denial or 200-300% premium increase. Source: Coalition 2025 Cyber Claims Report, Marsh McLennan Cyber Insurance Market Update.

Breaking Down Each Control: What Underwriters Actually Verify

1. Multi-Factor Authentication (MFA)

MFA must be enabled on every account that accesses patient data, email, VPN, or remote desktop. Underwriters specifically ask about remote access — if your staff can log into the EHR from home with just a password, that's an automatic red flag. Most carriers now require attestation that MFA is enforced (not just available) via a policy that prevents users from disabling it.

2. Endpoint Detection and Response (EDR)

Traditional antivirus is no longer sufficient. Underwriters want EDR — software that actively monitors every workstation and server for suspicious behavior, not just known malware signatures. They'll ask for your EDR vendor name and whether it includes 24/7 monitoring by a security operations center. If your answer is "Windows Defender" or "McAfee," expect a premium surcharge or denial.

3. Email Filtering and Anti-Phishing

Since 70% of healthcare breaches begin with a phishing email, carriers want evidence of advanced email filtering — beyond default spam filters. They look for: anti-phishing technology, attachment sandboxing, link rewriting, and DMARC/SPF/DKIM authentication configured on your domain. If your practice uses basic Microsoft 365 without an additional email security layer, you have a gap.
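As an added illustration (not code from the original article or from any vendor it names), the following Python evaluates a domain's SPF and DMARC TXT records for the weak settings that leave it spoofable: a permissive `+all` or `?all` in SPF, a DMARC policy of `p=none`, no aggregate-report address, or a partial `pct`. The record strings are constructed for example.com; in practice you would paste in your own domain's TXT record and its `_dmarc` TXT record as returned by a DNS lookup tool.

```python
"""Flag weak SPF/DMARC settings on a practice's mail domain.

Added example, not code from the original article. The record strings at the
bottom are constructed for example.com; replace them with your own domain's
TXT record and its _dmarc TXT record (e.g. from `dig TXT _dmarc.yourdomain`).
"""
import re


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and report the final 'all' qualifier."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return {"valid": False, "reason": "record does not start with v=spf1"}
    all_qualifier = None  # "+" pass, "-" fail, "~" softfail, "?" neutral
    for tok in tokens[1:]:
        m = re.fullmatch(r"([-+~?]?)all", tok, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # a bare 'all' means '+all'
    return {"valid": True, "mechanisms": tokens[1:], "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' DMARC syntax into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "reason": "record does not start with v=DMARC1"}
    tags["valid"] = True
    return tags


def assess_domain(spf_record: str, dmarc_record: str) -> list:
    """Return human-readable findings; an empty list means no weak setting was found."""
    findings = []

    spf = parse_spf(spf_record)
    if not spf["valid"]:
        findings.append("SPF: " + spf["reason"])
    elif spf["all"] is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are treated as neutral")
    elif spf["all"] in ("+", "?"):
        findings.append(f"SPF: '{spf['all']}all' lets any host send as the domain; use -all (or ~all)")

    dmarc = parse_dmarc(dmarc_record)
    if not dmarc["valid"]:
        findings.append("DMARC: " + dmarc["reason"])
        return findings
    policy = dmarc.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; receivers fall back to p=none or ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so you receive no aggregate spoofing reports")
    pct = dmarc.get("pct", "100")
    if policy in ("quarantine", "reject") and (not pct.isdigit() or int(pct) < 100):
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings


# Constructed records for illustration (not real DNS data).
WEAK_SPF = "v=spf1 a mx +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 a mx include:_spf.mailrelay.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess_domain(spf, dmarc) or ["no findings"])
```

A domain that passes this check still needs DKIM signing enabled at the mail provider, which is not visible in these two records; the check covers the two DNS-published halves of the DMARC/SPF/DKIM trio the underwriters ask about.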

4. Backup Strategy (3-2-1 Rule)

Underwriters require a documented backup strategy following the 3-2-1 rule: 3 copies of your data, on 2 different types of media, with 1 copy stored offsite or offline. Crucially, they also want evidence that you've tested your backup recovery within the last 12 months. Untested backups are considered no backups at all. Ransomware victims who paid ransoms because their backups failed have driven this requirement.
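To make the 3-2-1 test concrete, here is an added Python example (not code from the original article) that scores a backup inventory against the rule and against the "restore tested within the last 12 months" expectation. The inventories are constructed; the live production data is counted as one of the three copies, with its media type passed in separately.

```python
"""Check a backup inventory against the 3-2-1 rule and the restore-test expectation.

Added example, not code from the original article. The inventories below are
constructed; the live production data counts as one of the three copies.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                         # e.g. "disk", "tape", "cloud-object-storage"
    offsite: bool                      # stored away from the practice
    offline: bool                      # immutable or disconnected, unreachable from the LAN
    last_restore_test: Optional[date]  # None = never tested


def assess_backups(copies: List[BackupCopy], today: date,
                   production_media: str = "disk", max_test_age_days: int = 365) -> List[str]:
    """Return findings against 3-2-1 plus 'restore tested in the last 12 months'."""
    findings = []

    # 3 copies: production plus at least two backups
    total_copies = len(copies) + 1
    if total_copies < 3:
        findings.append(f"only {total_copies} copies of the data (production + {len(copies)} backup); need 3")

    # 2 media types, counting the production storage as one of them
    media = {production_media} | {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies are on one media type ({production_media}); need 2")

    # 1 copy offsite or offline, so ransomware on the LAN cannot reach every copy
    if not any(c.offsite or c.offline for c in copies):
        findings.append("no backup copy is offsite or offline")

    # Untested backups are treated as no backups at all
    for c in copies:
        if c.last_restore_test is None:
            findings.append(f"{c.name}: restore never tested")
        else:
            age = (today - c.last_restore_test).days
            if age > max_test_age_days:
                findings.append(f"{c.name}: last restore test {age} days ago (limit {max_test_age_days})")
    return findings


TODAY = date(2026, 1, 15)  # fixed date so the example is reproducible

# Constructed inventories (not a real practice's data)
SINGLE_NAS = [
    BackupCopy("office NAS nightly", media="disk", offsite=False, offline=False,
               last_restore_test=date(2024, 1, 10)),
]
THREE_TWO_ONE = [
    BackupCopy("office NAS nightly", media="disk", offsite=False, offline=False,
               last_restore_test=date(2025, 11, 1)),
    BackupCopy("cloud immutable vault", media="cloud-object-storage", offsite=True, offline=True,
               last_restore_test=date(2025, 9, 15)),
]

if __name__ == "__main__":
    print("single NAS:", assess_backups(SINGLE_NAS, TODAY))
    print("3-2-1:", assess_backups(THREE_TWO_ONE, TODAY))
```

The single-NAS inventory, which is what many small practices actually run, fails all four checks at once; the dated restore-test entries are exactly the evidence an underwriter asks for, so record them each time a restore drill is done.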

5. Incident Response Plan

Underwriters expect a written incident response plan that defines roles, communication procedures, containment steps, and notification timelines. They want to see that your practice has a plan for what happens in the first 72 hours of a breach: who calls whom, how you isolate affected systems, when you notify patients, and who your legal and forensics contacts are. Simply having the plan isn't enough; tabletop exercises or annual reviews demonstrate readiness.

6. Employee Security Training

Annual security awareness training with phishing simulations is now table stakes. Carriers ask how often training occurs, what topics are covered, and whether you measure click rates on simulated phishing campaigns. A practice where 30% of staff click phishing links is a very different risk than one at 5%.

7. Privileged Access Management

Not everyone in your practice needs admin access to everything. Underwriters want to see that administrative accounts are strictly limited — ideally to 2–3 people — and that day-to-day staff use standard user accounts. They also ask whether privileged accounts have additional controls like separate MFA, session monitoring, or just-in-time access elevation.

8. Patch Management

Underwriters expect a documented patch management process that applies critical security patches within 30 days of release. They know that unpatched systems are one of the top three entry points for attackers, so they want evidence of a systematic approach, not ad-hoc updates whenever someone remembers.

9. Network Segmentation

Your clinical network (EHR, imaging, medical devices) should be separated from your administrative network (email, billing, internet browsing). If a staff member's workstation is compromised through a phishing email, network segmentation prevents the attacker from immediately accessing patient records. Most small practices run a flat network with everything on the same subnet — that's exactly what underwriters are looking to disqualify.

10. Encryption

All ePHI must be encrypted at rest (on hard drives, in databases) and in transit (email, web portals, file transfers). Under the 2026 HIPAA Security Rule, this is now mandatory regardless of practice size. Underwriters align their requirements with HIPAA — if encryption isn't in place, you're doubly exposed: uninsurable and non-compliant.

11. Vendor Risk Management

Every third party that accesses your patient data is a potential breach vector. Carriers ask whether you maintain a vendor inventory, have Business Associate Agreements in place, and review vendor security postures before granting access. The 2025 Change Healthcare breach — which affected thousands of practices through a single vendor — made this a top-tier underwriting concern.

12. Board/Executive Reporting

Even in small practices, someone at the ownership or leadership level must be regularly informed about cybersecurity risk. Underwriters want evidence of quarterly or semi-annual reporting to practice owners or a governing board. This demonstrates that cybersecurity isn't just an IT issue — it's a business risk being actively managed at the highest level.

How to document these controls: Keep a "cyber insurance evidence folder" with screenshots of MFA configurations, EDR dashboards, backup test results, training completion records, and your written incident response plan. When renewal time comes, you can respond to the application quickly and accurately.


What Happens If You Fail the Underwriting Assessment?

Practices that can't demonstrate these 12 controls face three possible outcomes:

  1. Outright denial. The carrier refuses to issue or renew your policy. You're uninsured.
  2. Restrictive exclusions. The policy is issued but excludes the most likely scenarios — ransomware, social engineering fraud, or breaches originating from unpatched systems. When the most likely claim is excluded, your policy is effectively worthless.
  3. Premium increases of 200–300%. Your $8,000/year policy becomes $24,000 or more. At that point, you're spending close to what comprehensive managed security would cost — but getting only insurance, not actual protection.

$24K+ annual premium for practices with poor security posture, vs. $6–8K for practices with all 12 controls in place

How to Prepare for Your Next Renewal

Whether your cyber insurance renews in 3 months or 12, start preparing now. Underwriters are giving less grace period and fewer provisional acceptances than in prior years.

  1. Audit your current controls against the 12-point list above. Be honest — identify what's actually in place versus what you think is in place.
  2. Prioritize the items flagged ⚠ (commonly missing) in the infographic above: EDR, backups, incident response plan, privileged access, network segmentation, vendor management, and executive reporting. These are the controls most often absent and most likely to cause denial.
  3. Document everything. Screenshots, reports, completion certificates, written policies. Underwriters accept evidence, not verbal assurances.
  4. Work with a HIPAA-aligned IT provider who understands both the insurance requirements and the regulatory requirements. The overlap is nearly 100% — the same controls that satisfy underwriters also satisfy OCR auditors.
  5. Request your current carrier's application early. Review questions in advance rather than rushing through them at renewal time.

Pro tip: Ask your insurance broker which carriers are most favorable to medical practices in Northern Virginia. Some carriers specialize in healthcare and offer lower premiums when you can demonstrate HIPAA-aligned security programs. Beazley, Coalition, and Hartford all have healthcare-specific underwriting teams.

The Connection Between HIPAA Compliance and Insurability

Here's the truth that most practices miss: HIPAA compliance and cyber insurability require the same controls. MFA, encryption, risk assessments, incident response plans, vendor management, employee training — they're on both checklists. Investing in compliance isn't just about avoiding OCR fines. It simultaneously makes your practice insurable at reasonable premiums.

A managed compliance and security program at $5,000 per month costs far less than the combined expense of inflated premiums ($24K+), potential breach costs ($7.42M average), and OCR penalties (up to $1.5M per violation category). It's the single investment that solves multiple risk categories at once.

For medical practices across Northern Virginia and Washington DC, JPert provides HIPAA-aligned managed IT and cybersecurity that directly addresses all 12 underwriting requirements. Every control in the infographic above is included in our service — and we maintain the documentation underwriters expect to see at renewal.