Your practice will at some point be attacked by hackers. Are you prepared for the financial fallout that will follow?
Virtually every medical practice relies on technology for some aspect of care, from electronic medical records to billing. The move to bring health care online was meant to make medical care more efficient, but it also made the industry more vulnerable to cyberattacks.
According to a report from the Herjavec Group and Cybersecurity Ventures, ransomware attacks on health care organizations quadrupled between 2017 and 2020, and more than 93% of health care organizations had some kind of data breach over the last few years. Email is a big weak spot when it comes to cybersecurity risks, and email phishing scams exploded during the COVID-19 pandemic, according to the cybersecurity firm KnowBe4. The problem is only expected to get worse, with some experts predicting that cyberattacks will increase fivefold between 2020 and 2021.
These increasing threats have led to the evolution of cyberliability coverage. Like malpractice insurance for cyberattacks, these policies can help offer protection if your practice’s data is breached or taken for ransom. Keep reading to learn what these policies cover, what they cost and why the need for cyberliability insurance is increasing.
Why health care?
Personal health information is protected by federal Health Insurance Portability and Accountability Act of 1996 and, while one might think this increases the privacy of this information, it also increases the risk health care practices face if this information is stolen.
Janel Loud-Mahany, senior vice president of underwriting and policyholder services at Copic, says health care is a prime target for cyberattacks because of the wealth of valuable patient information organizations store, such as birthdates, Social Security numbers and billing information. Copic is a medical liability insurance carrier that specializes in coverage for health care providers and organizations.
“We are seeing increased sophistication of cybercriminals, a growing base of connected devices, increased use of telehealth and human error all contributing to cybersecurity risks that are being exploited,” she says.
A growing risk
Matt Sherman, senior vice president of reinsurance and programs at Tokio Marine HCC-Cyber & Professional Lines Group, says cyberliability insurance began as a matter of privacy protection but has really evolved over the years. Privacy violations from patient records that were exposed by employee error were the main cause of loss, he explains, but now extortion through hacking is the bigger risk.
“What’s changed in the last couple of years is the proliferation of threat actors,” Sherman says. “Hacking is not new, but the business of extorting people for private information is skyrocketing in the last 36 to 48 months, and health care is at the epicenter of that issue.”
This is partly because many health care providers do not have the proper network and system protections needed against malware that infects and locks their systems containing personal patient information. The Health Insurance Portability and Accountability Act and other regulatory frameworks require notification in the event there is exposure of that information. To make matters worse, he says, advanced ransomware and the complexity of health care technology mean that many organizations are behind when it comes to protecting themselves against these threats.
“The systems that small offices are using are not up to the same level as finance and commercial businesses,” Sherman says, adding that the migration to electronic medical records has only made the problem worse.
The COVID-19 pandemic also increased the risk of cybercrime because health care providers had to scramble to transmit information and provide care in new ways, Sherman says. The rush to provide the same care without delay during lockdowns meant that many were doing their work in new ways without much security or preparation, he explains. There was also a rise in scams and hacking of personal devices used for health care work.
Lee Kim, director of privacy and security at Healthcare Information and Management Systems Society North America, agrees that the COVID-19 pandemic has increased problems with cybersecurity, mostly due to the larger perimeter health care organizations created through increased remote work and telehealth.
“Previously, most IT assets and personnel were located within the walls of the hospital,” Kim says. “Now, though, many personnel are working beyond the hospital walls, such as from their homes. Thus, we’re vulnerable since we’re dealing with a lot of fluidity.”
Disruption of IT operations and clinical information systems, destruction of data and patient safety risks — especially in regard to the functioning of medical equipment or devices — are the major concerns when it comes to cyberliability risks in health care. Even worse, breaches can occur undetected for long periods, she adds.
“Many are unaware that their health care organizations are experiencing security incidents,” Kim says. “Being willfully blind will not make the problem any less. Situational awareness and robust defenses are keys to maintaining the fortress.”
Employee negligence is a leading cause of cyberlosses, Loud-Mahany adds, with cybercriminals tricking workers into providing login or credit card information. General awareness and concern about cyberattacks is increasing across the health care industry regardless of hospital or practice size.
Different insurers also provide varying levels of insurance. In many cases, a low limit of coverage may be included as a standard part of a professional liability plan. The dollar amount of coverage may vary, and limits can be increased through add-ons to those policies. The cost to increase coverage is usually based on practice size, using the number of physicians or revenue amounts as a unit of measurement.
Cyberliability insurance plans are often embedded into medical professional liability insurance policies and can include coverage for:
While many of the damages that can occur in a cyberattack are covered by these policies, no policy is all-inclusive, Loud-Mahany says. Every policy has exclusions, and it’s important to read the entire policy to understand specific coverage restrictions. Examples of acts that might be excluded from cyberliability plans are intentional crimes and employee sabotage, she explains.
Most cyberliability plans cover a mixture of first- and third-party coverage components, Sherman says. For breach notification, health care organizations may need to hire a lawyer, a breach coach, or even a public relations team. Smaller practices might think this doesn’t cost enough or that their practice isn’t large enough for the insurance cost to be worthwhile, but the entire process is time-consuming and costly.
Sherman says his organization manages more than 2,000 breach events each year and most of those are in the health care industry. Smaller practices might think they have less risk than larger organizations, but he says they are actually the most vulnerable because they are using generic email accounts like Gmail or they lack protection software.
“This leaves health care practices exposed, and the first time you realize this shouldn’t be an actual breach,” Sherman says. Practices then have to figure out how to restore their operations and get back to business as soon as possible.
In cases of extortion, hackers can gain access to an entire system, forcing doctors to lose access to their entire network, Sherman says. You may have to pay a ransom or figure out other ways to restore the system and even look into forensics to recover files.
Even phishing scams have become more sophisticated, Sherman says. Scammers don’t rely on pleas for cash from some overseas stranded royal anymore. Instead, hackers can mimic an organization’s aesthetic and email address to pose as a vendor or provider.
“We all get spam. These hackers are sending out tens of thousands of spoofed emails at a time in hopes that a few make money,” Sherman says. “Add to that the fact that doctors are vulnerable and inclined to make ransom payments.”
Public perception is a big part of this vulnerability, too, Sherman explains. Privacy is a big concern in health care, and patients who feel as though their privacy has been compromised may be hesitant to continue working with an organization.
One big question when it comes to cyberliability insurance is coverage of bodily harm. This could happen when medical operations are hacked and medical devices are affected. Coverage for a device that malfunctions or doesn’t work because of a cybercrime and results in bodily harm to a patient varies by policy, Sherman says. Insurers debate where cyberliability insurance ends and medical malpractice coverage begins.
“Bodily injury is a very gray area,” Sherman says. “We don’t intend to cover anything a medical professional policy would already cover. That’s the evolution of it.”
Other nuances of coverage depend on the policy, too. Sherman says some policies are starting to exclude things like major cyberevents that cause dependent business interruptions. For example, if a state’s power grid were hacked, shutting down power in large areas, a cyberliability policy may exclude problems related to that larger systemic event — even though these disruptions could cost billions in losses.
What’s the cost?
Costs are a huge factor in cybersecurity and liability plans. While these policies may seem like a big investment on top of other security measures, Loud-Mahany says a 2020 report by IBM/Ponemon Institute revealed that health care has the highest industry cost for data breaches containing personally identifiable customer information. She says analysis of these breaches shows that stolen patient records can cost health care providers about $429 per patient —roughly triple the loss from stolen data in other industries.
“Like other types of insurance, people should look at the resources available to them that help prevent issues from occurring and tools that support efforts to identify and address risks proactively,” Loud-Mahany says. “One of the biggest impacts a cyberissue can have is reputational damage. Good coverage will hopefully mitigate the effects a cyberissue has on your business and a big part of this is having a support team ready to help walk you through the necessary actions that should be taken.”
As the risk and frequency of cybercrimes against health care organizations increase, Loud-Mahany says premium costs are increasing as well.
“In order to increase limits, we’re seeing increased control requirements to prevent and limit the possibility of cyberattacks,” she says.
Many cyberliability policies are sold through other insurance companies as part of a larger medical liability plan, Sherman says. Limits are usually set relatively low, at about $50,000 to $100,000 worth of coverage. The insurance company may then offer additional coverage for an extra fee as a benefit to existing customers, he says. For this reason, health care organizations usually get more bang for the buck when cyberliability coverage is combined with malpractice insurance. But is it enough?
The average security breach may cost a practice between $15,000 and $20,000 to resolve, according to Sherman. In that case, $50,000 to $100,000 in coverage would be enough. An extortion event, on the other hand, can cost hundreds of thousands of dollars. For this reason, some practices may elect to increase their protection — even up to $1 million.
A million-dollar policy used to cost about $1,000 for the year, but increased loss activity in the last few years has driven costs up. Now, Sherman says, a million-dollar policy will cost a smaller practice or hospital about $2,000 per year in annual premiums. A solo physician can expect to pay about $1,000 per year in cyberliability premiums, he says, while larger hospitals can pay up to $10,000 per year.
Reducing the risks
A key aspect of cyberliability management is education. Just as health insurers are increasingly interested in preventive health care, professional liability insurers who offer cyberliability insurance have an interest in making sure clients have the necessary safeguards in place.
“So many doctors are trained in a very specific profession and don’t know the real danger about how it might affect their practice,” Sherman says. “There is very basic cyberhygiene that all professionals should be practicing.”
Loud-Mahany says Copic offers several tips to help clients prevent ransomware and other security breaches:
Use two-factor authentication for a secure application access.
Implement online data backups.
Deploy spam filtering and email configuration.
Install next-generation anti-virus software that provides behavior-based protection.
Offer employees anti-phishing training.
In the end, insurance is just a piece of what should be a larger risk mitigation strategy, Sherman says. Practices should also be using protections like two-factor authentication and cloud-based backup software on a regular basis. Tokio Marine HCC offers its clients resources on risk management strategies. Sherman says education focuses on spelling out what could happen, what it could cost a practice, what to do if a practice has been hacked, questions to ask breach consultants and how to change passwords.
“Educating the client base will make a policy more profitable than increasing insurance premiums,”