True Story: An employee at one New England medical practice stayed after hours to search patient records for gossip on her neighbor. She found what she was looking for – evidence that the neighbor was seeking psychiatric counseling. She posted it on Facebook. As soon as the clinic discovered what had happened, the employee was terminated. But the damage had already been done. The practice was named in a lawsuit for failing to properly supervise the employee and safeguard patient medical records. Without cyber coverage, the medical clinic was on its own for legal fees and settlements.
Healthcare data breaches are complex, and this story is just one example. It doesn’t matter who the perpetrator of the breach is; the responsibility for regulatory-compliant breach response almost always falls upon the original data collector. More than half – 63% – of healthcare cybersecurity breaches are caused by criminal or malicious activity; hacking accounts for 20% and ransomware for 10% of healthcare breach claims.
Data breaches have also brought new regulations and guidelines to healthcare, like the HIPAA ransomware guidance published by the Department of Health and Human Services. The rule requires HIPAA-covered entities that have suffered a ransomware attack to prove, through a documented investigation, that their data wasn’t actually acquired but only frozen by the hacker.
These forces have contributed significantly to healthcare’s rising data breach costs. According to the Ponemon 2017 Cost of Data Breach Study, healthcare has the highest per capita data breach cost.
Having a robust healthcare cybersecurity policy, and understanding what’s covered and what’s not, can help alleviate losses and put your healthcare institution in the driver’s seat post-breach.
Here are 7 things you need to know about healthcare cybersecurity coverage:
- Beware of Medical Malpractice policies. Malpractice insurance carriers will often throw in $100,000 of cyber coverage. According to NetDiligence, average healthcare data breach costs for 2018 are between $475,000 and $1.85 million, so these limits may not be adequate to cover a cyber attack. Even if you have a stand-alone cyber policy, you should still decline the cyber coverage thrown into your medical malpractice policy, as these policies are often considered to be the primary policy in the case of a breach. That would preclude you from taking advantage of the critical breach response services your more robust, stand-alone cyber coverage provides.
- Consider all third-party liabilities. Because responsibility for a breach often lies with the originator of the data, make sure your third-party business associates – a lab, medical billing or staffing company, etc. – carry their own cyber policy. Put it in your contract. This way, should they have a breach and you are held responsible, you may be able to recover the costs incurred in responding to it.
- Be wary of sub-limits. Some cyber policies will list coverage sub-limits for crisis management, IT forensics, notification, call centers and PR response. A breach forensics investigation alone could exceed $100,000. Make sure your stand-alone policy is as robust as you think it is.
- Lost funds aren’t covered under many cyber policies. The transfer of funds as the result of a phishing or social engineering scam is often not covered by a cyber policy. For this coverage, you’ll need a crime policy with a social engineering endorsement. Cyber policies cover data that was breached and the associated fallout, including notification and crisis management, but not lost funds.
- Is it turn-key coverage? One of the signs of a robust cyber policy is its turn-key approach to breach response, including immediate access to a breach coach, a hotline and an attorney who answers your questions and helps you fulfill immediate legal obligations. Some of the newer policies are not turn-key, but are instead designed to be à la carte for optimal pricing. Know what you’re getting.
- Failure to encrypt data exclusion. Many cyber policies exclude breaches that originated from a non-encrypted device, like a remote laptop. Make sure all devices used for company business are encrypted and check your policy.
- War-like action exclusion. While many policies cover “cyber terrorism,” they exclude coverage for breaches that result from “war-like actions,” referring to data breaches committed against major corporations by nation-state actors.
It’s no longer a luxury to have cyber breach coverage. With healthcare cybersecurity and data breach compliance a growing concern for all, now is the time to make sure you’re adequately covered. Contact your HUB agent to find out how you can procure the most robust cyber coverage for your healthcare organization.