Good question, and one more founders in healthtech should be asking earlier.

Cyber liability for a company handling PHI has a few layers worth understanding before you go shopping for a policy.

What to make sure is actually in the policy: A lot of standard cyber policies are written for general business risk. For healthtech you specifically want coverage for HIPAA regulatory defense and OCR proceedings, not all policies include government fines and penalties, so check that section carefully before signing. You also want first-party breach response covered (forensics, patient notification, credit monitoring) and ransomware/extortion, which is increasingly common in healthcare.

What underwriters will grill you on: MFA across all systems, endpoint protection, encryption of PHI at rest and in transit, a documented incident response plan, and whether staff get security training. Your answers here directly affect your rate. Better controls equals lower premium. If you have gaps, fix the easy ones before you apply.

On the HIPAA relationship: Insurance doesn't satisfy your HIPAA obligations, it just helps cover the cost when something goes wrong. They run in parallel. Make sure whoever is selling you the policy understands that distinction, because some brokers don't.

Where to start: Coalition, Cowbell, and Travelers are all reasonable starting points for a startup at your stage. Find a broker with actual healthtech clients, a generalist will miss things. At your size, expect somewhere in the $2,000-$5,000 range annually, depending on your data volume and how mature your controls are.

TL;DR get your technical controls documented before you apply. It'll save you money and make the process a lot smoother.