Sohan Dua, MD, got the bad news in a phone call one morning in February 2017: His practice had been hacked.
The EHR system shared by Dua and his wife, Kiran Dua, MD, had been breached and hackers were holding their patient data for ransom. That attack sent the couple, who practice in Northridge, Calif., on a months-long ordeal that cost their separate practices time, money, and service interruption.
Dua, a nephrologist, never thought he and his wife, a primary care physician, would join the ranks of healthcare providers and organizations that have suffered crippling cyber attacks. Luckily, their losses were at least partially covered by the combined $100,000 cyber coverage they had through their medical malpractice insurance. The insurer also provided them with experts to help recover from the attack.
Even with that assistance, however, their practices were forced to shut down for several months while they dealt with the attack. “We still don’t know how much money we lost,” Dua says. “We lost patients, too.”
The growing threat of being hacked has more primary care physicians buying cyber insurance, according to experts. But what those policies cover, how they work, and how much they cost are mysteries to many healthcare providers, most of whom are only familiar with malpractice and business insurance.
What cyber insurance does
Cyber insurance covers losses and damages resulting from patient data being stolen, exposed, held for ransom, or improperly shared. It covers deliberate actions, such as hacking or ransomware, as well as accidents, such as a lost laptop containing unencrypted patient information or a coding error that accidentally exposes patient data.
A comprehensive policy will cover paper records as well, since so much information is still stored in physical files.
Cyber insurance helps providers deal with the consequences of data breaches, which can range from relatively minor to catastrophic. The assistance provided can include:
- paying regulatory fines and penalties;
- compensating for loss of income from downtime or lost patients;
- hiring IT experts to find and fix the breach;
- hiring a call center to handle inquiries from patients;
- hiring a public relations firm to deal with unwelcome publicity;
- hiring attorneys to represent the practice in any lawsuits filed by patients (as well as any damages awarded); and
- paying ransom to free hijacked data.
In short, it covers almost any loss or expense that can be attributed to the data breach.
For example, the Duas’ coverage helped them when they were forced to write off uncollected bills due to patient payment records that weren’t recovered, a loss that Dua estimates at $40,000 to $50,000.
Coverage typically applies only to the data itself and not the computer hardware a practice uses, such as laptops, smartphones, tablets, or servers, which often are covered under a general business insurance policy.
A complete policy includes first-party and third-party coverage, says Marcin Weryk, vice president of XL Catlin, a cyber insurance vendor. First-party coverage pays for damages suffered by the policy holder, such as lost revenue, business interruption, IT forensics and data restoration.
Third-party coverage compensates for damages caused to others by the data breach, such as the legal costs incurred from lawsuits filed by affected patients.
Practices that haven’t bought cyber insurance often have some coverage through their malpractice or general business policies, but it’s usually limited to about $30,000 in damages and contains exemptions, says Brandon Clarke, co-founder of Affenix, a brokerage specializing in cyber insurance.
Before deciding whether to purchase additional cyber insurance, physicians should know what coverage they already have, Clarke says. Though the Duas have separate practices, they were able to combine their separate $50,000 cyber insurance coverage in their malpractice policies to help compensate for the joint attack.
How much does it cost?
The cost of a cyber insurance policy varies, depending on the carrier, the size of the practice, and the extent and amount of the coverage, experts say. The larger the practice, the greater the risk and the more it can expect to pay.
The good news is that cyber insurance is less expensive than malpractice and liability coverage. A typical five-physician primary care practice should have at least a $1 million umbrella cyber policy, Clarke says. That coverage would cost anywhere from $1,200 to $5,000 a year, he estimates.
Christine Marciano, a certified information privacy professional (CIPP-US) and president of Cyber Data Risk Managers, a cyber insurance broker, recommends $1 million to $5 million in coverage for that same practice and says it would cost $1,500 to $8,000 a year. Coverage can be purchased from general insurers or companies that specialize in cyber insurance.
Some insurers will assess a practice’s cybersecurity practices before deciding whether to write a policy and recommend ways to decrease risk, such as encrypting laptops and improving passwords.
A team response
When shopping for cyber insurance, practices should investigate exactly what help they will receive in case of a breach. Unlike a fire, managing a data breach often requires the help of a team of experts, not just a check to cover damages. Depending on the nature and size of the breach, that team can include lawyers, forensic accountants, IT experts, publicists and call center operators, among others.
Besides the coverage itself, the real benefit of cyber insurance is being able to turn over management of the crisis to a carrier with experience in data breaches. Most practices do not have the time or resources to handle it themselves, says Clarke.
Once an insurer learns of a breach, it assesses the situation and decides which corrective actions need to be taken to prevent further damage and deal with the aftermath.
The insurer hires vendors and contractors to provide the necessary services. For example, a lawyer will handle HIPAA notification, while IT specialists locate and fix the breach and a PR firm writes the notification to patients whose data has been affected.
The decision whether to pay a ransom is up to the practice, but the insurer typically recommends a course of action and handles any payment, if one is made. For example, XL Catlin has vendors with Bitcoin wallets, since that is the cryptocurrency usually demanded by ransomware hackers, Weryk says.
EHRs and partners
Patient data is exchanged between practices, insurers, hospitals, and labs every day. The more places data is stored, the more vulnerable it is to attack and accidental disclosure. Even a practice not targeted directly can be liable for data lost by a partner or vendor.
For example, in April, the state of New Jersey levied a fine of nearly $418,000 against Virtua Medical Group, a physician network, after a vendor error left the records of more than 1,650 patients visible online.
Many data breaches will involve EHR systems, and while the system vendors usually work with IT experts to find and fix the breach, that does not mean the vendors are legally or financially responsible, experts say. “Many practices expect their EHR system to handle breaches or pay for damages and that’s not always the case,” Clarke says.
Practices should investigate what sort of cyber protection and coverage their partners and vendors have, with an eye toward working together to keep data safe, says Lee Kim, JD, CIPP-US, director of privacy and security at the Healthcare Information and Management Systems Society.
“It’s really a shared responsibility between you and your vendors,” she says, “and you each have a responsibility to keep it secure.”