"I think the most important thing to focus on when you're shopping for cyber insurance, or AI insurance for that matter, is what are the exclusions in a policy, and to what extent do those overlap with the scenarios that you're most worried about," Josephine Wolff said.
That advice frames a growing tension for hospitals and insurers alike: cyber insurance has shifted to cover the immediate fallout of ransomware, yet the arrival of artificial intelligence in clinical settings is creating a new, ambiguous zone of liability. As AI-driven diagnostic and clinical decision-support tools enter medical environments, insurers and healthcare providers are actively reassessing how — and whether — existing policies respond when those systems contribute to patient care decisions or operational failures, said Wolff, a professor of cybersecurity policy at the Fletcher School at Tufts University.
Ransomware's visible effect on policy terms
Wolff told GovInfoSecurity that insurers have broadened coverage in recent years to address ransomware-related costs. Specifically, these expanded policies now more commonly include incident response, business interruption, legal expenses and regulatory reporting. Those additions have led an increasing number of healthcare organizations to seek out such policies as ransomware disrupted patient care, she said.
The shift toward covering those specific ransomware-related expenses reflects a market response to a visible category of cyber loss. But the expansion that helped hospitals manage ransomware does not resolve the novel questions that arise when machine learning systems enter clinical decision paths — an arena in which responsibility is less clearly distributed.
AI-assisted clinical tools create new liability questions
According to Wolff, the entry of AI into diagnostics and clinical decision-support raises uncertainty about how liability should be apportioned when an AI system potentially contributes to a medical decision or an operational failure. Insurers and healthcare providers are assessing those scenarios, she said, because the presence of an algorithm in the decision chain complicates traditional fault and coverage analyses.
Wolff's account frames two overlapping sources of patient risk that insurers must consider: harm stemming from AI-assisted clinical decisions and harm that arises from cyber incidents. Both can implicate insurance coverage, but neither is currently settled in policy language or standard practice, she observes.
Exclusions matter — and vary dramatically across carriers
Wolff urged buyers to concentrate on exclusions. "Cyber insurance from 10 different providers are going to have very different coverage, very different exclusions," she said. The practical upshot is straightforward: two hospitals that appear to carry "cyber insurance" may face very different out-of-pocket exposure once the precise interplay of AI, clinician decision-making and a cyber incident is examined against contract language.
Her counsel — to compare exclusions and map them against the risks that keep a healthcare organization awake at night — follows from the unequal architecture of policies. Where a policy explicitly excludes AI-related liability, or draws a line between "cyber" and "medical malpractice" exposures, that exclusion will determine whether insurers are financially on the hook when an algorithm helps shape a clinical choice that results in harm.
What this means for technologists, insurers and healthcare procurement leaders
- Technologists and security teams should expect insurers and providers to treat AI-related incidents as distinct from traditional cyber events; Wolff's account suggests that conversations will focus less on generalized breach response and more on the role an AI tool played in a clinical outcome.
- Insurers and hospitals are already reassessing coverage boundaries. Wolff notes both groups are actively considering "how liability should apply" when AI systems are involved, indicating that underwriting, policy language and claims handling will evolve as those assessments proceed.
- Healthcare procurement leaders must examine differences between carriers. Given Wolff's emphasis on exclusions and variation across providers, procurement decisions will hinge on whether a chosen policy addresses the specific AI-driven scenarios a health system anticipates.
Josephine Wolff's account centers the contract language that ultimately governs who pays when technology, medicine and cyber risk collide. The market response to ransomware produced a clearer set of covered costs; AI's diffusion into clinical work exposes gaps and ambiguities that policies, regulators and purchasers will have to confront. In the words Wolff offered, attention to exclusions — and to how those exclusions overlap with concrete organizational fears — will determine whether insurance is protection or an unmet expectation when the next complex incident lands.




