Cyber Insurance Requirements for Medical Practices
The cybersecurity controls Australian insurers commonly ask medical, dental and allied health practices about at renewal.
Important
Cyber insurance renewals for medical practices have changed materially over the last few years. Insurers now ask detailed questions about the technical controls inside the practice — and the quality of the answers can influence cover, excess and premium.
This page summarises the questions we most often see Australian insurers ask, in plain English, so practice managers and owners can prepare accurately. It is not a substitute for advice from your broker.
Why cyber insurance matters for medical practices
A cyber incident at a medical practice rarely involves just one cost. There is the immediate technical work — investigation, containment and restoration. There is the operational cost — appointments rescheduled, billing delayed, staff overtime. There may be legal advice, notification obligations under the Notifiable Data Breaches scheme, and conversations with regulators and patients.
Cyber insurance is one way practices manage that risk. It is not a substitute for controls — most policies now explicitly require certain controls to be in place — but it can materially change the recovery experience after an incident.
Questions insurers commonly ask
The sections below cover the control areas that appear on most current cyber insurance questionnaires. Each one is something a practice manager should be able to confirm with their IT provider before responding.
Multi-factor authentication (MFA)
MFA is the single most common question on cyber insurance forms. Insurers usually want confirmation that MFA is enforced on:
- All email accounts (typically Microsoft 365 or Google Workspace)
- All remote access — VPN, remote desktop, remote management tools
- All cloud admin portals (Microsoft 365, domain registrar, hosting)
- Privileged and administrator accounts without exception
- Any third-party application that holds practice or patient data
Backups
Insurers want to see that backups exist, are protected from tampering, and have actually been tested. A backup that has never been restored is not a proven backup.
- Backups run on a defined schedule and are monitored
- At least one copy is held off-site or in a separate cloud tenancy
- Backups are protected from being deleted by a compromised account
- Microsoft 365 data is explicitly included, not assumed
- Full restore is tested at least annually
Endpoint protection
Traditional antivirus is no longer sufficient for most insurers. Endpoint Detection and Response (EDR) is now the expected baseline for business devices.
- Modern EDR on every workstation, laptop and server
- Centrally managed and monitored, not configured per device
- Alerts go to someone who can respond outside business hours
- Server operating systems are still supported by the vendor
Email security
Because email is the most common attack vector, insurers want evidence that practices have hardened their mail platform beyond the defaults.
- SPF, DKIM and DMARC configured for every sending domain
- Anti-phishing and impersonation protection enabled
- External sender warnings or banners shown to staff
- Suspicious link and attachment scanning enabled
- A simple way for staff to report phishing
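A small check for the first item above, added here as an example and not code from the original page: it evaluates exported SPF and DMARC TXT records against what the questionnaire expects (SPF ending in a hard fail, DMARC at quarantine or reject with reporting enabled). The domains and records are constructed samples; a practice would substitute the TXT records exported from its own DNS host.

```python
# Added example (not from the original page): checks SPF and DMARC TXT records
# against the "configured for every sending domain" expectation. Each check_*
# returns a list of findings (empty = acceptable); all records are constructed.
SAMPLE_RECORDS = {  # {domain: {"spf": TXT or None, "dmarc": TXT or None}}
    "good-practice.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good-practice.example"},
    "weak-practice.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com +all",
        "dmarc": "v=DMARC1; p=none"},
    "no-dmarc.example": {"spf": "v=spf1 ip4:203.0.113.10 ~all", "dmarc": None},
}

def check_spf(record):
    if not record:
        return ["no SPF record published"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    terminal = terms[-1].lower() if len(terms) > 1 else ""
    # '+all' (or bare 'all') lets any host send as the domain; insurers expect '-all'.
    if terminal in ("+all", "all"):
        return ["SPF ends in +all: any host may send as this domain"]
    if terminal == "~all":
        return ["SPF ends in ~all (softfail); -all is the stronger choice"]
    if terminal != "-all":
        return ["SPF does not end in an 'all' mechanism"]
    return []

def check_dmarc(record):
    if not record:
        return ["no DMARC record published"]
    # DMARC is "tag=value; tag=value; ..."; tag names are case-insensitive.
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":  # monitor-only: spoofed mail is still delivered
        findings.append("p=none only monitors; quarantine or reject is expected")
    elif policy not in ("quarantine", "reject"):
        findings.append("no valid p= policy tag")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are not collected")
    return findings

def assess(records):  # {domain: combined findings}; empty list means OK
    return {d: check_spf(r.get("spf")) + check_dmarc(r.get("dmarc"))
            for d, r in records.items()}
```

The per-domain output doubles as renewal evidence: a domain with an empty findings list can be answered "configured" with the exported record attached.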
Patch management
Insurers ask how quickly the practice applies security updates. Common expectations are 14 days for critical patches on operating systems and major applications, and prompt updates on internet-facing systems.
- Defined patching schedule for workstations and servers
- Critical patches applied within a defined window
- Internet-facing systems (firewalls, VPN) patched promptly
- End-of-life software and operating systems removed or replaced
Administrator access
Reducing the number of accounts with elevated privileges — and protecting the ones that remain — is a recurring theme on insurance questionnaires.
- Separate accounts for admin tasks and day-to-day use
- A documented list of who holds admin rights and why
- Removal of admin rights when staff change role or leave
- MFA enforced on every administrator account
Incident response planning
Insurers want to know that the practice has thought about what happens during an incident — and that the plan is written down and current.
- Written incident response plan with named contacts
- Defined steps for the first hour of a suspected incident
- Awareness of the Notifiable Data Breaches scheme
- Plan reviewed annually or after any incident
Security awareness training
Annual training, plus short refresher activities through the year, has become the baseline expectation. Insurers may ask whether you run simulated phishing exercises.
- All staff complete cybersecurity training annually
- New starters covered as part of onboarding
- Simulated phishing exercises run at least annually
- Records of training completion retained
Why accurate responses matter
Some practices feel pressure to answer questionnaires optimistically, especially when a renewal deadline is close. This is a poor strategy. Insurers and their forensic partners can — and do — review the actual configuration of a practice after an incident. Material misstatements can affect coverage decisions.
The better approach is to answer based on the current, verified state of the environment, and to use any gaps as a roadmap for the next 6 to 12 months. A well-managed plan to close a gap is usually a stronger position than pretending a gap does not exist.
Preparing for cyber insurance renewal
A practical preparation timeline looks like this:
- Three months before renewal: request the renewal questionnaire from your broker and walk through it with your IT provider.
- Two months before renewal: address the easy wins — usually MFA gaps, stale admin accounts and untested backups.
- One month before renewal: finalise written answers, save evidence (screenshots, configuration exports) and confirm the responses with your broker.
- After renewal: retain a copy of the questionnaire and any conditions attached to your cover.
Healthcare-specific considerations
Medical, dental and allied health practices have particular considerations that go beyond a generic small-business questionnaire:
- The practice handles health information, which is sensitive information under the Privacy Act 1988 and the Australian Privacy Principles.
- Practice management and clinical software vendors are part of the security conversation — their connections, access and update cadence matter.
- Many practices share premises, networks or staff across multiple entities. Insurance and IT scope need to match the actual operating model.
- Some practices are subject to additional sector-specific obligations (for example accreditation standards) that the insurer may also reference.
If you want help understanding where your practice currently stands against typical insurer expectations, book a Healthcare IT & Cybersecurity Alignment Review. You can also explore our healthcare IT services or read about the common IT risks we see in medical practices.
Frequently asked questions
Why are insurers asking so many cybersecurity questions now?
Cyber claims involving small and mid-sized businesses, including healthcare practices, have grown steadily over the last several years. Insurers use these questions to assess risk before offering or renewing cover and to confirm that basic controls — such as multi-factor authentication and tested backups — are actually in place.
Do small medical practices really need cyber insurance?
Cyber insurance is a business decision that should be discussed with a licensed insurance broker. Many practices choose to carry it because the cost of an incident — system rebuild, downtime, notification, and legal advice — can quickly exceed the cost of cover. We do not provide insurance advice.
What is the most common reason practices fail their renewal questionnaire?
By a clear margin, the most common gap is that multi-factor authentication is not enforced on every user account that can access email or remote systems. The next most common gaps are untested backups and unclear administrator access.
Will an insurer refuse to pay if our answers are inaccurate?
Inaccurate or incomplete answers can affect coverage. The exact consequences depend on the policy and the circumstances and should be discussed with your broker and insurer. The safest approach is to answer based on the current, verified state of your environment.
What does 'multi-factor authentication on all remote access' actually mean?
It generally means that any account capable of signing into email, remote desktop, VPN or your cloud admin portals from outside the office must complete an additional verification step — typically a Microsoft Authenticator prompt, a hardware key or a one-time code.
How often should we re-test our backups?
Most insurers expect, at minimum, an annual test that confirms a real restore of practice data. Quarterly or six-monthly tests are better. A backup that has never been restored should not be considered proven.
Do we need a written incident response plan?
Increasingly, yes. Many questionnaires now ask whether you have a documented incident response plan and how recently it was reviewed. A short, current plan is far more valuable than a long, outdated one.