An official publication of the ACR and the ARP serving rheumatologists and rheumatology professionals

Cyber Risks: A New Area of Liability for Medical Practices

Kurt Ullman  |  Issue: December 2015  |  December 16, 2015

Image Credit: Andrey_Popov/shutterstock.com

Computerization of healthcare in general, and of medical records in particular, has opened additional areas of liability for medical practices that many may not be addressing. When a breach of patient records occurs, it can have major financial and business impacts on the practice.

Data Intrusions Increasing

The number of data intrusions hit a record high in 2014, according to a report from Identity Theft Resource Center. It also found that the industry with the most breaches was the “medical/healthcare” category. This accounted for 42.5% of the total across all industries.1

“Around 90% of healthcare providers reported one or more data breaches over the last year according to our survey,” says Larry Ponemon, PhD, chairman of the Ponemon Institute in Traverse City, Mich. “Forty percent said they had five or more intrusions into their computer systems.”2

Very Expensive

Dr. Ponemon

Data leakage can be a very expensive proposition. Healthcare-specific laws and regulations put added requirements on medical professionals that run the cost up. The latest iteration of the Ponemon Institute’s research into the costs of data breaches shows the average cost per medical record compromised was $398. A patient panel of just 2,500 could easily result in a $1 million loss to the practice. The mean cost over all surveyed industries was $271 per breach.3

To address these financial issues, many practices are looking into cyber insurance (CI). The actual policy will change depending on the kinds of risks you are insuring and how much you want to spend.

All Size Practices at Risk

For most physicians, there is a view that they are small and are not likely to draw the attention of a hacker. This is bad thinking for a lot of reasons.

Mr. Overly

“People think that most hackers are kids overseas who have just consumed eight caffeine drinks and will go after the big fish, leaving [them] alone,” says Michael Overly, Esq., information security attorney at Foley & Lardner LLC, in Los Angeles. “Hackers are a well-organized industry, where one e-mail virus may be sent to millions of addresses. If one of your employees clicks on this e-mail, your computer system may be compromised.”

He has seen spoofing e-mails that look as though they came from someone well known in the field. Mr. Overly says he can almost guarantee that 40% or more of the recipients wouldn’t be able to resist the temptation to open the message.

Most larger healthcare providers have robust cyber security measures in place, making it much harder to breach the system. However, doctors’ offices often don’t have the resources needed to put up a good fight.

“The bad guys look for the easiest way in, and [often], this may be through their smaller partners,” Dr. Ponemon notes. “Clinics and doctors’ offices often have special privileges, letting them inside the corporate systems. The hacker can break into the clinic’s computer and then jump into their real target from there.”

Other Risks

Although hacking gets most of the publicity and is the biggest risk in healthcare, there are other risks that are much more mundane and also likely. The second-most-cited root cause for data leakage in the Ponemon healthcare study is lost or stolen devices.

“One of the bigger exposures in this area is simple human error,” says Beth Strapp, vice president and specialty healthcare segment manager for the Chubb Group of Insurance Companies. “Something as simple as leaving a cell phone at a restaurant or having a laptop stolen out of your car can result in a business-threatening financial exposure.”

Medical Malpractice May Not Cover All Costs

Many practices think their medical malpractice liability or their general policy covers them in the event of a cyber breach. This is not always the case. A basic medical malpractice policy may cover only liability claims, but the bulk of your exposure may be first-party expenses, such as the costs to investigate the breach, notify those affected and pay for credit and/or medical records monitoring.

“There [has been] a trend over the last several years for malpractice insurers to limit full defense coverage,” says Ms. Strapp. “Often, the privacy exposure is capped at $25,000, which seldom covers the liability. This underscores the need for a dedicated CI [cyber insurance] policy in addition to your medical malpractice privacy policy.”

Look Closely at What Is (& Is Not) Covered

Purchasing CI isn’t as straightforward as purchasing some other types of insurance. The policy exclusions are key and can be technical in nature. It’s important that you completely understand what is—or perhaps more importantly, what is not—covered.

“As with any insurance policy, you have to be very careful about what is excluded,” says Mr. Overly. “Having an employee click on what they think is a benign e-mail is a big risk, but since it isn’t viewed as technology based, some policies may not cover it. If I change from a local server to cloud storage, will I need to update my CI policy?”

A good cyber policy will include payments for breach response, a major concern given HIPAA and other laws affecting healthcare providers. Among these are:

  • Notification services to efficiently contact patients as required by HIPAA;
  • Medical record and/or credit monitoring for affected patients;
  • Forensic services to find and plug the hole, as well as establish the size and scope of the breach;
  • Regulatory coverage to pay for fines from state or federal authorities; and
  • Business interruption insurance to pay the costs of maintaining your practice should a breach affect your ability to access your network.

Purchasing Additional Coverage

“You may want to purchase additional coverage, and what you get depends on how much you want to spend and what your needs are,” says Ms. Strapp. “For example, you may want to be covered if someone enters your computer and asks for money to not take down your system or to help bring the system back up after vandalism.”

Cyber intrusions in healthcare are newsworthy events. You may want to include crisis management insurance to pay for press relations professionals to limit or repair damage to the practice’s reputation.

“The reputational impact can be enormous and is especially so in trust-based industries such as healthcare,” says Dr. Ponemon. “If an organization is sloppy in the control of data, what else are they doing that is less than stellar?”

Companies Require Certain Standards before Issuing Policy

CI is not like other kinds of insurance, because you generally have to show your computer systems are reasonably secure to begin with. If they aren’t up to the standards needed, most insurance companies will suggest consultants to help upgrade systems and procedures to the minimum required.

Ms. Strapp

In addition, insurers are usually aggressive in working with their clients to make sure their defenses are kept up to date. Many companies offer loss-control services that provide low-cost access to attorneys and cyber consultants who help the practice mitigate its cyber exposures.

“Our loss-control vendors will help the practice make sure risk mitigation measures are in place,” says Ms. Strapp. “Do they have a business continuity plan? What are their plans to respond to a breach?”

A Good Broker Is Important

Finding a good broker can be a very important part of the CI process.

“Doctors are very busy doing patient care and have neither the time nor the inclination to really understand their cyber policy,” says Mr. Overly. “You should talk to an agent or broker who specializes in this type of insurance. Having this person available to make good recommendations is critical.”

Mr. Overly suggests word of mouth as a good place to start the search. The hospital where the doctors have privileges has information technology security staff who are a great source of suggestions for people to talk to. Other physicians or practices are another valuable resource when searching for a CI broker. If your legal counsel has, or knows, someone who works in the information security area, get in touch with them.

“Medical professionals often tell me they got their CI coverage through some guy who had a booth at a recent event and could get them a good deal,” says Mr. Overly. “They will do thorough assessments on their patients, but not on the person who will be writing their CI policy. You want someone who can provide you with the level of protection and coverage you need, and this will take some time and effort.”

Subtle Differences

There are not yet any gold standards when it comes to CI coverage, and there can be many subtle differences across plans that need to be evaluated. It’s imperative that the purchasers be careful that the coverage in the contract is close to what they have in mind. Don’t be hesitant to ask questions until you are confident you understand what is covered and what is not.

“Look at CI not as an end to itself, but as a part of your overall approach to cyber security,” says Mr. Overly. “You can’t just buy the insurance and then relax. It has to be a part of your overall program to minimize this risk.”


Kurt Ullman is a freelance writer based in Indiana.

References

  1. The Identity Theft Resource Center. Data Breach Reports. 2014 Dec 31.
  2. Ponemon Institute LLC. Fifth annual benchmark study on privacy & security of healthcare data. 2015 May.
  3. Ponemon Institute/IBM. 2015 Cost of Data Breach. 2015 May.
