Most larger healthcare providers have robust cyber security measures in place, making it much harder to breach the system. However, doctors’ offices often don’t have the resources needed to put up a good fight.
“The bad guys look for the easiest way in, and [often], this may be through their smaller partners,” Dr. Ponemon notes. “Clinics and doctors’ offices often have special privileges, letting them inside the corporate systems. The hacker can break into the clinic’s computer and then jump into their real target from there.”
Other Risks
Although hacking gets most of the publicity and is the biggest risk in healthcare, there are other risks that are far more mundane yet just as likely. The second-most-cited root cause of data leakage in the Ponemon healthcare study is lost or stolen devices.
“One of the bigger exposures in this area is simple human error,” says Beth Strapp, vice president and specialty healthcare segment manager for the Chubb Group of Insurance Companies. “Something as simple as leaving a cell phone at a restaurant or having a laptop stolen out of your car can result in a business-threatening financial exposure.”
Medical Malpractice May Not Cover All Costs
Many practices think their medical malpractice liability or their general policy covers them in the event of a cyber breach. This is not always the case. A basic medical malpractice policy may cover only liability claims, but the bulk of your exposure may be first-party expenses, such as the costs to investigate the breach, notify those affected and pay for credit and/or medical records monitoring.
“There [has been] a trend over the last several years for malpractice insurers to limit full defense coverage,” says Ms. Strapp. “Often, the privacy exposure is capped at $25,000, which seldom covers the liability. This underscores the need for a dedicated CI [cyber insurance] policy in addition to your medical malpractice privacy policy.”
Look Closely at What Is (& Is Not) Covered
Purchasing CI isn’t as straightforward as purchasing some other types of insurance. The policy exclusions are key and can be technical in nature. It’s important that you completely understand what is—or perhaps more importantly, what is not—covered.
“As with any insurance policy, you have to be very careful about what is excluded,” says Mr. Overly. “Having an employee click on what they think is a benign e-mail is a big risk, but since it isn’t viewed as technology based, some policies may not cover it. If I change from a local server to cloud storage, will I need to update my CI policy?”