More medical practices are purchasing - or at least considering - an insurance policy to cover the substantial costs of a data breach. Medical malpractice policies often provide basic coverage for this threat, but many practices find their risks have grown to the point where they are looking to a stand-alone cybersecurity policy to better meet their needs.
The following provides an overview of what your practice can expect from a cybersecurity policy. Keep in mind that not all policies are the same and actual coverage will be determined by a policy's terms, conditions, and exclusions.
Coverages are typically split into two types: first-party and third-party.
First-party coverage addresses the costs and expenses your practice incurs from a data security or privacy breach event, such as:
- A physician comes to the office one morning and logs in to the computer, but the screen goes blank and a message pops up claiming to have hijacked the data and demands payment to get it back.
The "extortion threat" section of a cybersecurity policy may assist with this type of breach. Professional experts hired by the carrier will contact the cyber criminals to attempt to get the data released, including potentially paying the ransom. You should also be concerned with not only the financial impact to your practice, but also the impact on the treatment of your patients if your systems are down for any length of time due to a breach. The business interruption section of a cyber policy may provide reimbursement of lost profits during your downtime. Many standard property policies do not cover this exposure, since there was no physical damage to the equipment.
- A physician discovers her system has been hacked and worries her patients' personal health information may have been compromised.
If you discover your system has been hacked, your carrier can provide data breach response services to work with your IT staff to ascertain what happened. These forensic experts assess the nature of the hack and evaluate how much data has been compromised. This section of your coverage can assist with the costs of required patient notification. If you have records of patients from outside your home state, your insurance company should know the notification requirements for those states. You may also be required to provide those patients with credit monitoring services. Your coverage should help set up these services and cover the costs. The costs to notify patients and set up credit monitoring are approximately $8-$10 per patient record. If patient records are compromised, the data recovery and restoration section of your coverage could reimburse you to decrypt, recover, restore, recreate, or recollect data.
- The CEO of a company sends an e-mail to the CFO instructing the movement of funds into an account. The CFO makes the transfer, only to discover that the CEO's e-mail was a spear phishing attack in which the email address was a clever fake, and those funds are long gone.
Your coverage's cybercrime section may cover the cost of the funds that were transferred. Employees who click on links in such phishing messages could compromise your system, and this section of your policy may also assist in those situations.
Third-party coverage provides protection from claims made against you by outside parties.
- It would not be unusual to have claims brought by regulatory agencies, such as the U.S. Department of Health and Human Services in the case of an alleged HIPAA violation involving a breach of patient records. Cybersecurity coverage for regulatory fines and penalties may allow for payment of fines on your behalf.
- If your practice accepts credit card payments and is not PCI-compliant (adhering to the Payment Card Industry Data Security Standard), you could be subject to fines from the credit card companies. Policies with payment card industry coverage may provide payment for those fines.
- Some patients may bring claims against you for violating applicable privacy laws. The data security and privacy section of your cybersecurity policy may help in providing a defense and make payment to these claimants, if necessary. Employees of your practice could file such claims if their information was compromised.
- If you maintain a website or social media platforms, you might have a claim brought against you in the event someone believes your site or media content is defamatory or reveals private information about them. The cyber media section of a cybersecurity policy may also provide coverage in this case.
Healthcare accounted for 53 percent of reported data breaches in 2017, more than double the total of any other industry, according to Privacy Rights Clearinghouse. With healthcare data breaches on the rise, cyber liability insurance can help you recover faster in terms of financial coverage and remediation. In 2015, U.S. healthcare data breaches cost companies an average of $363 per record, the highest of any industry, according to the Ponemon Institute. Depending on their size and scope, fines and damages for a HIPAA violation related to a breach of unencrypted personal health data can run into the millions of dollars.
Ask your agent or underwriter for more details about what's included in your policy and whether it meets your needs. If you have cyber insurance, check your liability limits to determine if you need to increase your coverage.
To learn how to comply with HIPAA rules in the event of a breach, how to thwart ransomware attacks and prevent spear phishing, and more, download the free guide Your Medical Practice Is at Risk of a Data Breach from The Doctors Company. More resources are available on the company's cybersecurity page.
David J. Eismont, ARM, is senior director of business development for The Doctors Company.