Healthcare Cyber Insurance Must Account for AI Liability, Expert Says
Healthcare organizations need to reassess their cyber insurance policies as ransomware attacks disrupt patient care and artificial intelligence tools introduce new liability questions, according to Josephine Wolff, a cybersecurity policy professor at Tufts University's Fletcher School.
Insurers have expanded coverage in recent years to include ransomware-related costs such as incident response, business interruption, legal expenses, and regulatory reporting. Healthcare providers have responded by seeking out these policies.
But a new problem is emerging: insurers and hospitals are still figuring out how liability should apply when AI systems contribute to medical decisions or operational failures.
Exclusions Matter Most
When shopping for cyber or AI insurance, the most critical step is understanding what a policy excludes, Wolff said.
"Cyber insurance from 10 different providers are going to have very different coverage, very different exclusions," she said. "The most important thing to focus on is what are the exclusions in a policy, and to what extent do those overlap with the scenarios that you're most worried about."
Policies vary significantly across insurers. Two organizations with similar risk profiles may face vastly different coverage gaps depending on which exclusions their policies contain.
AI Raises New Questions
AI-driven diagnostic and clinical decision-support tools are entering healthcare environments faster than insurance frameworks can accommodate them. The liability questions are straightforward in theory but complex in practice: Who bears responsibility when an AI system contributes to a medical error or operational failure?
Healthcare organizations and insurers lack clear answers. That uncertainty is forcing both sides to rethink coverage decisions.
Patient harm stemming from AI-assisted clinical decisions presents a particularly thorny problem. Determining liability requires understanding how the AI system was used, whether clinicians followed its recommendations, and whether the system itself performed as intended.
Ransomware's Impact on Coverage
Ransomware attacks have already reshaped cyber insurance. Healthcare organizations now routinely include business interruption coverage and incident response costs in their policies-protections that were less common before widespread ransomware incidents began disrupting hospital operations.
That evolution shows how insurance markets respond to real-world threats. AI liability will likely follow a similar path, but only after healthcare organizations and insurers gain more experience with how these systems fail and who pays when they do.
For insurance professionals evaluating healthcare clients, understanding both the ransomware coverage landscape and emerging AI liability questions is essential. AI for Insurance and AI for Healthcare resources can help professionals stay current on these evolving risks.
Your membership also unlocks:
