What physicians need to know about cyber liability insurance

James F. Sweeney

Medical Economics Journal, Medical Economics May 2021, Volume 98, Issue 5

As the threat of being hacked increases, more health care providers are purchasing cyber liability insurance to protect against data breaches or online attacks. However, many still are unfamiliar with what cyber insurance policies cover, how they work, and how much they cost.


What cyber insurance does

Cyber insurance covers losses and damages resulting from patient data being stolen, exposed, held for ransom, or improperly shared. It covers deliberate actions, such as hacking or ransomware, as well as accidents, such as the loss of a laptop containing unencrypted patient information or a coding error that accidentally exposes patient data.

A comprehensive policy covers paper records as well, since a great deal of information is still stored in physical files.

Cyber insurance helps providers deal with the consequences of a data breach, which can range from relatively minor to catastrophic, and it covers almost any loss or expense that can be attributed to the breach. Examples include:

Paying regulatory fines and penalties.

Compensating for loss of income from downtime or patients who leave the practice.

Hiring information technology (IT) experts to find and fix the breach.

Hiring a call center to handle inquiries from patients.

Hiring a public relations firm to deal with unwelcome publicity.

Hiring attorneys to represent the practice in any lawsuits filed by patients (as well as paying any damages awarded).

Paying a ransom to free hijacked data.

Coverage typically applies only to the data and not the computer hardware a practice uses, such as laptops, smartphones, tablets or servers, which often are covered under a general business insurance policy.

A complete policy includes first-party and third-party coverage, says Marcin Weryk, head of business development for Coalition, a cyber insurance firm. First-party coverage pays for damages suffered by the policyholder, such as lost revenue, business interruption, IT forensics and data restoration. Third-party coverage compensates for damages caused to others by the data breach, such as the legal costs incurred from lawsuits filed by affected patients.

Practices that haven’t bought cyber insurance often have some coverage through their malpractice or general business policies, but it’s usually limited to approximately $30,000 in damages and contains exemptions, says Brandon Clarke, co-founder of Affenix, a brokerage specializing in cyber liability insurance.

Before deciding whether to purchase additional cyber insurance, physicians should know what coverage they already have, Clarke says.

How much does it cost?

The cost of a cyber insurance policy varies, depending on the carrier, the size of the practice, and the extent and amount of the coverage, experts say. The larger the practice, the greater the risk and the more a policy will cost.

The good news is that cyber insurance is less expensive than malpractice and liability insurance. A typical five-physician primary care practice should have at least a $1 million umbrella cyber policy, Clarke says. That coverage would cost anywhere from $1,200 to $5,000 a year, he estimates.

Christine Marciano, CIPP-US, a certified information privacy professional and president of Cyber Data Risk Managers, a cyber insurance broker, recommends $1 million to $5 million in coverage for that same practice and says it would cost $1,500 to $8,000 a year. Coverage can be purchased from general insurers or companies that specialize in cyber insurance.

Some insurers will assess a practice’s cybersecurity practices before deciding whether to write a policy. They may recommend ways to decrease risk, such as encrypting laptops and strengthening passwords.

A team response

When shopping for cyber insurance, practices should investigate exactly what help they will receive in case of a breach. Unlike a fire, managing a data breach often requires the help of a team of experts, not just a check to cover damages. Depending on the nature and size of the breach, that team may include lawyers, forensic accountants, IT experts, publicists and call center operators.

Besides the coverage itself, another benefit of cyber insurance is being able to turn over management of the crisis to a carrier with experience in data breaches. Most practices do not have the time or resources to handle it themselves, Clarke says. Once an insurer is notified by a policyholder of a breach, it assesses the situation and decides which corrective actions need to be taken to prevent further damage and deal with the aftermath. The insurer hires vendors and contractors to provide the necessary services.

For example, a lawyer would handle Health Insurance Portability and Accountability Act (HIPAA) breach notification, IT specialists would locate and fix the breach, and a PR firm would write the notification to patients whose data have been affected. The decision whether to pay a ransomware demand is up to the practice, but the insurer typically recommends a course of action and handles any payment, if one is made.

EHRs and partners

Patient data are exchanged between practices, insurers, hospitals and labs every day. The more places data are stored, the more vulnerable they are to attack and accidental disclosure. Even a practice that is not targeted directly can be liable for data lost by a partner or vendor.

Many data breaches involve electronic health record (EHR) systems. Although the electronic records providers usually work with IT experts to find and fix the breach, it does not mean the vendors are legally or financially responsible, experts say. “Many practices expect their EHR system to handle breaches or pay for damages, and that’s not always the case,” Clarke says.

Practices should investigate what sort of cyber protection and coverage their partners and vendors have, with an eye toward working together to keep data safe, says Lee Kim, J.D., CIPP-US, director of privacy and security at HIMSS.

“It’s really a shared responsibility between you and your vendors,” she says, “and you each have a responsibility to keep it secure.”

Small does not equal safe

Health care data breaches are rampant. In a 2017 survey by the American Medical Association and Accenture, 83% of physicians reported experiencing some sort of cyberattack, although not all resulted in breaches. Cybercriminals target health care organizations because their data contain patient names, birthdates, addresses, Social Security numbers, credit card numbers, and health insurance information.

Whether the hackers use the information themselves or sell it to others on the black market, it is used to steal identities and commit fraud. That is why health care data are even more valuable than credit card records.

Physicians in small primary care practices who think they would not be a worthwhile target for hackers should look at the Department of Health and Human Services’ list of reported breaches of health care information.

There, among the giant health insurers, government agencies and large hospital systems, are medical practices that found out the hard way that they, too, can be targeted: an 11-doctor cardiology practice in Knoxville, Tennessee; a solo primary care physician in Weston, Florida; a solo internist in Scottsdale, Arizona, and many more.

In fact, a practice might be targeted specifically because it is small, Marciano says.

“I think it’s the smaller offices that are much more vulnerable,” she says. “They’re focused on treating patients, not on (encrypting) their laptops, and making sure they have the latest security measures.”

Kim says attacks on small practices were uncommon five years ago, but no longer.

In fact, some hackers will test and refine their methods on small practices before going on to attack larger targets, such as health care systems. Kim says she sees more of a new kind of attack, one that is not after a practice’s data or patient information but after its computing power, which is used to earn digital currency.

Attackers have hijacked practice servers to mine for cryptocurrencies, such as Bitcoin. Users might be unaware that the reason their computers are operating so slowly is that they are running the complex calculations that generate the currency.

“Even though you’re a small practice, the motivation to attack is still there. People who say they haven’t been targeted simply haven’t been targeted yet,” Kim says.
