The Importance of Higher Limits on Cyber Insurance
We recently read an article from Medical Economics, emphasizing the prime reason small practices need higher limits on Cyber Insurance. Please feel free to review the information we found beneficial, and share it with your small business clients.
Sohan Dua, M.D., received the bad news in a phone call one morning in February 2017: his practice had been hacked.
The Electronic Health Record (EHR) system shared by Dua and his wife, Kiran Dua, M.D., had been breached and hackers were holding their patient data for ransom. That attack sent the couple, who practice in Northridge, CA, on a protracted and painful experience that cost their separate practices time, money and service interruption.
Dua, a Nephrologist, never thought he and his wife, a Primary Care physician, would join the ranks of healthcare providers and organizations that have suffered crippling cyber attacks. Luckily, their losses were at least partially covered by the combined $100,000 cyber coverage they had through their medical malpractice insurance carrier. The insurance carrier also provided the Duas with a team of experts to help in the recovery from the attack.
However, even with that assistance, the Duas’ practices were forced to shut down for several months while they dealt with the attack. “We still don’t know how much money we lost,” Dua said. “We lost patients, too.”
The growing threat of being hacked has more Primary Care physicians buying Cyber Insurance. But what those policies cover, how they work, and how much they cost are mysteries to many healthcare providers, most of whom are only familiar with malpractice and business insurance.
What Cyber Insurance Does
Cyber Insurance covers losses and damages resulting from patient data being stolen, exposed, held for ransom, or improperly shared. It covers deliberate actions, such as hacking or ransomware, as well as accidents, such as a lost laptop containing unencrypted patient information or a coding error that accidentally exposes patient data.
A comprehensive policy will cover paper records as well, since large amounts of information are still stored in physical files. Cyber Insurance helps providers deal with the consequences of data breaches, which can range from relatively minor to catastrophic. The assistance provided can include:
- Paying regulatory fines and penalties
- Compensating for loss of income from downtime or lost patients
- Hiring IT experts to find and fix the breach
- Hiring a call center to handle inquiries from patients
- Hiring a public relations firm to deal with unwelcome publicity
- Hiring attorneys to represent the practice in any lawsuits filed by patients (as well as any damages awarded)
- Paying ransom to free hijacked data.
In short, it covers almost any loss or expense that can be attributed to the data breach.
For example, the Duas’ coverage helped them when they were forced to write off tens of thousands of dollars in uncollected billing due to unrecovered patient payment records, a loss that Dua estimates at $40,000 to $50,000.
A complete policy includes first-party and third-party coverage. First-party coverage pays for damages suffered by the policy holder, such as lost revenue, business interruption, IT forensics and data restoration. Third-party coverage compensates for damages caused to others by the data breach, such as the legal costs incurred from lawsuits filed by affected patients.
Practices that haven’t bought Cyber Insurance often have some coverage through their malpractice or general business policies, but it’s usually limited to about $100,000 or less in damages and contains exemptions.
How Much Does It Cost?
The cost of a Cyber Insurance policy varies, depending on the carrier, the size of the practice, and the extent and amount of the coverage, experts say. The larger the practice, the greater the risk and the more it can expect to pay.
The good news is that Cyber Insurance is less expensive than malpractice and liability insurance. A typical five-physician Primary Care practice should have at least a $1 million umbrella cyber policy.That coverage could cost anywhere from $1,200 to $5,000 a year.
A Team Response
When shopping for Cyber Insurance, practices should investigate exactly what help they will receive in case of a breach. Unlike a fire, managing a data breach often requires the help of a team of experts, not just a check to cover damages. Depending on the nature and size of the breach, that team can include lawyers, forensic accountants, IT experts, publicists and call center operators, among others.
Besides the coverage itself, the real benefit of Cyber Insurance is being able to turn over management of the crisis to a carrier with experience in data breaches. Once an insurer is notified by a policyholder of a breach, the situation is assessed and a decision is made on the corrective actions that need to be taken to prevent further damage and deal with the aftermath. The insurer hires vendors and contractors to provide the necessary services.
For example, a lawyer will handle HIPAA notification, while IT specialists locate and fix the breach and a PR firm writes the notification to patients whose data has been affected. The decision whether to pay ransomware is up to the practice, but the insurer typically recommends a course of action and handles any payment, if one is made.
In the Dua’s case, their insurance provider, The Doctors Company, employed a computer forensics company to determine the extent of the breach and a law firm that specializes in privacy issues to determine if HIPAA notification was required. “They were a lot of help,” Dua said. “We did not know how to handle everything that needed to be done.”
Electronic Health Records And Partners
Patient data is exchanged between practices, insurers, hospitals, and labs every day. The more places data is stored, the more vulnerable it is to attack and accidental disclosure. Even a practice that is not targeted directly can be liable for data lost by a partner or vendor. For example, in April, the state of New Jersey levied a fine of nearly $418,000 against Virtua Medical Group, a physician network, after a vendor error left the records of more than 1,650 patients visible online.
Many data breaches are going to involve EHR systems, and while the electronic records providers usually work with IT experts to find and fix the breach, it does not mean the vendors are legally or financially responsible, experts say. Many practices expect their EHR system to handle breaches or pay for damages and that’s not always the case.
Small Does Not Equal Safe
Healthcare data breaches are rampant. In a 2017 survey by the AMA and Accenture, 83 percent of physicians reported experiencing some sort of cyber attack, though not all resulted in breaches. Cyber criminals target healthcare organizations because their data contains patient names, birth dates, addresses, social security numbers, credit card numbers, and health insurance information.
Whether the hackers use the information themselves or sell it to others on the black market, stolen identification and fraudulent activity is committed. That is why healthcare data is more valuable than even credit card records.
Physicians in small Primary Care practices who think they would not be a worthwhile target for hackers should look at the U.S. Department of Health and Human Services (HHS) list of reported breaches of healthcare information.
Among the giant health insurers, government agencies, and large hospital systems, are medical practices that found out the hard way that they, too, can be targeted: a multiple physician Cardiology practice in Knoxville, TN.; a solo Primary Care physician in Weston, FL.; a solo Internist in Scottsdale, AZ.; and many more.
In fact, a practice might be targeted specifically because it is small. Attacks on small practices were uncommon five years ago, but that is no longer the case. Some hackers will test and refine their methods on small practices before going on to attack larger targets, such as healthcare systems. A new kind of attack is occurring, an attack which isn’t after a practice’s data or patient information, but rather the computing power to earn digital currency. Attackers have hijacked practice servers for pseudocurrencies, like Bitcoin. Users might be unaware that the reason their computers are operating so slowly is that they’re running the complex calculations to reap the currency. This goes to show that the motivation to attack small businesses will always be there. For those that say they haven’t been targeted, they simply haven’t been targeted yet.
If you need further information about Cyber Insurance, click here.