A good cyber policy will include payments for breach response, a major concern given HIPAA and other laws affecting healthcare providers. Among these are:
- Notification services to efficiently contact patients as required by HIPAA;
- Medical record and/or credit monitoring for affected patients;
- Forensic services to find and plug the hole, as well as establish the size and scope of the breach;
- Regulatory coverage to pay for fines from state or federal authorities; and
- Business interruption insurance to pay the costs of maintaining your practice should a breach affect your ability to access your network.
Purchasing Additional Coverage
“You may want to purchase additional coverage, and what you get depends on how much you want to spend and what your needs are,” says Ms. Strapp. “For example, you may want to be covered if someone enters your computer and asks for money to not take down your system or to help bring the system back up after vandalism.”
Cyber intrusions in healthcare are newsworthy. You may want to include crisis management insurance to pay for press relations professionals to limit or repair damage to the practice’s reputation.
“The reputational impact can be enormous and is especially so in trust-based industries such as healthcare,” says Dr. Ponemon. “If an organization is sloppy in the control of data, what else are they doing that is less than stellar?”
Companies Require Certain Standards before Issuing Policy
CI is not like other kinds of insurance, because you generally have to show your computer systems are reasonably secure to begin with. If they aren’t up to the standards needed, most insurance companies will suggest consultants to help upgrade systems and procedures to the minimum required.
In addition, insurers are usually aggressive in working with their clients to make sure their defenses are kept up to date. Many companies offer loss-control services providing low-cost access to attorneys and cyber consultants who help mitigate cyber exposures.
“Our loss-control vendors will help the practice make sure risk mitigation measures are in place,” says Ms. Strapp. “Do they have a business continuity plan? What are their plans to respond to a breach?”
A Good Broker Is Important
Finding a good broker can be a very important part of the CI process.
“Doctors are very busy doing patient care and have neither the time nor the inclination to really understand their cyber policy,” says Mr. Overly. “You should talk to an agent or broker who specializes in this type of insurance. Having this person available to make good recommendations is critical.”