Sohan Dua, MD, got the bad news in a phone call one morning in February 2017: His practice had been hacked.
The EHR system shared by Dua and his wife, Kiran Dua, MD, had been breached, and the hackers were holding their patient data for ransom. That attack sent the couple, who practice in Northridge, Calif., on a months-long ordeal that cost their separate practices time and money and interrupted service to patients.
Dua, a nephrologist, never thought he and his wife, a primary care physician, would join the ranks of healthcare providers and organizations that have suffered crippling cyber attacks. Luckily, their losses were at least partially covered by the combined $100,000 cyber coverage they had through their medical malpractice insurance. The insurer also provided them with experts to help recover from the attack.
However, even with that assistance, their practices were forced to shut down for several months while they dealt with the attack. “We still don’t know how much money we lost,” Dua says. “We lost patients, too.”
The growing threat of being hacked has more primary care physicians buying cyber insurance, according to experts. But what those policies cover, how they work, and how much they cost are mysteries to many healthcare providers, most of whom are only familiar with malpractice and business insurance.
What cyber insurance does
Cyber insurance covers losses and damages resulting from patient data being stolen, exposed, held for ransom, or improperly shared. It covers deliberate actions, such as hacking or ransomware, as well as accidents, such as a lost laptop containing unencrypted patient information or a coding error that accidentally exposes patient data.
A comprehensive policy will cover paper records as well, since so much information is still stored in physical files.
Cyber insurance helps providers deal with the consequences of data breaches, which can range from relatively minor to catastrophic. The assistance provided can include:
- paying regulatory fines and penalties;
- compensating for loss of income from downtime or lost patients;
- hiring IT experts to find and fix the breach;
- hiring a call center to handle inquiries from patients;
- hiring a public relations firm to deal with unwelcome publicity;
- hiring attorneys to represent the practice in any lawsuits filed by patients (as well as any damages awarded); and
- paying ransom to free hijacked data.
In short, a full policy covers almost any loss or expense that can be attributed to the data breach, subject to the policy's limits and exclusions.
For example, the Duas' coverage helped when they were forced to write off uncollected billing because the patient payment records could not be recovered, a loss that Dua estimates at $40,000 to $50,000.
Coverage typically applies only to the data itself and not the computer hardware a practice uses, such as laptops, smartphones, tablets, or servers, which often are covered under a general business insurance policy.
A complete policy includes first-party and third-party coverage, says Marcin Weryk, vice president of XL Catlin, a seller of cyber insurance. First-party coverage pays for damages suffered by the policy holder, such as lost revenue, business interruption, IT forensics and data restoration. Third-party coverage compensates for damages caused to others by the data breach, such as the legal costs incurred from lawsuits filed by affected patients.
Practices that haven't bought cyber insurance often have some coverage through their malpractice or general business policies, but it's usually limited to about $30,000 in damages and contains exclusions, says Brandon Clarke, co-founder of Affenix, a brokerage specializing in cyber insurance.
Before deciding whether to purchase additional cyber insurance, physicians should know what coverage they already have, Clarke says. Though the Duas have separate practices, they were able to combine their separate $50,000 cyber insurance coverage in their malpractice policies to help compensate for the joint attack.
How much does it cost?
The cost of a cyber insurance policy varies, depending on the carrier, the size of the practice, and the extent and amount of the coverage, experts say. The larger the practice, the greater the risk and the more it can expect to pay.
The good news is that cyber insurance is less expensive than malpractice and liability insurance. A typical five-physician primary care practice should have at least a $1 million umbrella cyber policy, Clarke says. That coverage would cost anywhere from $1,200 to $5,000 a year, he estimates.
Christine Marciano, a certified information privacy professional (CIPP-US) and president of Cyber Data Risk Managers, a cyber insurance broker, recommends $1 million to $5 million in coverage for that same practice and says it would cost $1,500 to $8,000 a year. Coverage can be purchased from general insurers or companies that specialize in cyber insurance.
Some insurers will assess a practice's cyber security practices before deciding whether to write a policy and will recommend ways to decrease risk, such as encrypting laptops and strengthening passwords.
A team response
When shopping for cyber insurance, practices should investigate exactly what help they will receive in case of a breach. Unlike a fire claim, a data breach usually requires the help of a team of experts, not just a check to cover damages. Depending on the nature and size of the breach, that team can include lawyers, forensic accountants, IT experts, publicists and call center operators, among others.
Besides the coverage itself, the real benefit of cyber insurance is being able to turn over management of the crisis to a carrier with experience in data breaches. Most practices do not have the time or resources to handle it themselves, says Clarke. Once an insurer is notified by a policyholder of a breach, it assesses the situation and decides which corrective actions need to be taken to prevent further damage and deal with the aftermath. The insurer hires vendors and contractors to provide the necessary services.
For example, a lawyer will handle HIPAA notification, while IT specialists locate and fix the breach and a PR firm writes the notification to patients whose data has been affected. The decision whether to pay a ransom is up to the practice, but the insurer typically recommends a course of action and handles any payment, if one is made.
XL Catlin, for instance, has vendors with Bitcoin wallets, since that is the cryptocurrency usually demanded by ransomware hackers, Weryk says. In the Duas' case, their insurance provider, The Doctors Company, employed a computer forensics company to determine the extent of the breach and a law firm that specializes in privacy issues to determine whether HIPAA notification was required. "They were a lot of help," Dua says. "We did not know how to handle everything that needed to be done."
EHRs and partners
Patient data is exchanged between practices, insurers, hospitals, and labs every day. The more places data is stored, the more vulnerable it is to attack and accidental disclosure. Even a practice that is not targeted directly can be liable for data lost by a partner or vendor. For example, in April, the state of New Jersey levied a fine of nearly $418,000 against Virtua Medical Group, a physician network, after a vendor error left the records of more than 1,650 patients visible online.
Many data breaches involve EHR systems, and while the EHR vendor usually works with IT experts to find and fix the breach, that does not mean the vendor is legally or financially responsible, experts say. "Many practices expect their EHR system to handle breaches or pay for damages and that's not always the case," Clarke says.
Practices should investigate what sort of cyber protection and coverage their partners and vendors have, with an eye toward working together to keep data safe, says Lee Kim, JD, CIPP-US, director of privacy and security at the Healthcare Information and Management Systems Society. “It’s really a shared responsibility between you and your vendors,” she says, “and you each have a responsibility to keep it secure.”
Small does not equal safe
Healthcare data breaches are rampant. In a 2017 survey by the AMA and Accenture, 83 percent of physicians reported experiencing some sort of cyber attack, though not all resulted in breaches. Cyber criminals target healthcare organizations because their data contain patient names, birthdates, addresses, social security numbers, credit card numbers, and health insurance information.
Whether the hackers use the information themselves or sell it to others on the black market, that’s all that’s needed to steal identities and commit fraud. That’s why healthcare data is more valuable even than credit card records.
Physicians in small primary care practices who think they would not be a worthwhile target for hackers should look at the U.S. Department of Health and Human Services (HHS) list of reported breaches of healthcare information.
There, among the giant health insurers, government agencies, and large hospital systems, are medical practices that found out the hard way that they, too, can be targeted: an 11-doctor cardiology practice in Knoxville, Tenn.; a solo primary care physician in Weston, Fla.; a solo internist in Scottsdale, Ariz.; and many more.
In fact, a practice might be targeted specifically because it is small, says Marciano, whose brokerage operates in the United States and Australia.
"I think it's the smaller offices that are much more vulnerable," she says. "They're focused on treating patients, not on (encrypting) their laptops, and making sure they have the latest security measures." Kim, of the Healthcare Information and Management Systems Society, says attacks on small practices were uncommon five years ago, but no longer.
Some hackers will test and refine their methods on small practices before going on to attack larger targets, such as healthcare systems. Kim is also seeing more of a newer kind of attack, one that is after not a practice's data or patient information but its computing power, used to mine digital currency.
Attackers have hijacked practice servers to mine cryptocurrencies such as Bitcoin. Users may not realize that their computers are running slowly because they are performing the mining computations in the background.
“Even though you’re a small practice, the motivation to attack is still there. People who say they haven’t been targeted simply haven’t been targeted yet,” Kim says.