Cybersecurity Insurance for Medical Practices - the Basics

Sep 23, 2018 at 08:28 pm by Staff


By DAVID J. EISMONT

More medical practices are purchasing - or at least considering - an insurance policy to cover the substantial costs of a data breach. Medical malpractice policies often provide basic coverage for this threat, but many practices find their risks have grown to the point where they are looking to a stand-alone cybersecurity policy to better meet their needs.

The following provides an overview of what your practice can expect from a cybersecurity policy. Keep in mind that not all policies are the same and actual coverage will be determined by a policy's terms, conditions, and exclusions.

Coverages are typically split into two types: first-party and third-party.

First-Party Coverage

First-party coverage addresses the costs and expenses your practice incurs from a data security or privacy breach event, such as:

The "extortion threat" section of a cybersecurity policy may assist with this type of breach. Professional experts hired by the carrier will contact the cyber criminals to attempt to get the data released, including potentially paying the ransom. You should also be concerned with not only the financial impact to your practice, but also the impact on the treatment of your patients if your systems are down for any length of time due to a breach. The business interruption section of a cyber policy may provide reimbursement of lost profits during your downtime. Many standard property policies do not cover this exposure, since there was no physical damage to the equipment.

If you discover your system has been hacked, your carrier can provide data breach response services to work with your IT staff to ascertain what happened. These forensic experts assess the nature of the hack and evaluate how much data has been compromised. This section of your coverage can assist with the costs of required patient notification. If you have records of patients from outside your home state, your insurance company should know the notification requirements for those states. You may also be required to provide those patients with credit monitoring services. Your coverage should help set up these services and cover the costs. The cost to notify patients and set up credit monitoring is approximately $8-$10 per patient record. If patient records are compromised, the data recovery and restoration section of your coverage could reimburse you to unencrypt, recover, restore, recreate, or recollect data.

Your coverage's cybercrime section may cover the cost of the funds that were transferred. Employees who click on such phishing links could compromise your system. This section of your policy may also assist in those situations.

Third-Party Coverage

Third-party coverage provides protection from claims made against you by outside parties.

Healthcare accounted for 53 percent of reported data breaches in 2017, more than double the total of any other industry, according to Privacy Rights Clearinghouse. With healthcare data breaches on the rise, cyber liability insurance can help you recover faster in terms of financial coverage and remediation. In 2015, U.S. healthcare data breaches cost companies an average of $363 per record, the highest of any industry, according to the Ponemon Institute. Depending on the size and scope, fines and damages for a HIPAA violation related to a breach of unencrypted personal health data can run into the millions of dollars.

Ask your agent or underwriter for more details about what's included in your policy and whether it meets your needs. If you have cyber insurance, check your liability limits to determine if you need to increase your coverage.

To learn how to comply with HIPAA rules in the event of a breach, how to thwart ransomware attacks and prevent spear phishing, and more, download the free guide Your Medical Practice Is at Risk of a Data Breach from The Doctors Company. More resources are available on the company's cybersecurity page.

David J. Eismont, ARM, is senior director of business development for The Doctors Company.
