What is cyber insurance?
As a healthcare provider, the welfare of your patients is your utmost priority. Unfortunately, ePHI (electronic protected health information) is increasingly stolen by hackers. With it, they buy medical equipment and drugs to resell. Plus, they create falsified claims to defraud insurance companies.Cyber Insurance: Does Your Practice Need It? Click To Tweet
According to the U.S. Department of Health and Human Services, 21 million Americans have had lost or stolen medical records since 2009. A possible reason, according to Reuters, is that stolen medical information is worth ten times more than stolen credit card numbers.
Some physicians are turning to cyber insurance for protection. It offers to help when network security fails. Cyber insurance covers data breaches, multimedia liability—even extortion.
Do you need cyber insurance?
Currently, cyber risk is a real danger for most medical practices. A surprise data breach can be quite costly. Fines, lawsuits, and damaged reputation can add up to thousands of dollars. Furthermore, a data breach now includes any unauthorized access to ePHI, even if it’s accessed through a stolen laptop.
But, although it can cost as little as $2,500 a year, many of you are balking at the idea of getting cyber insurance. After all, you were pushed into adopting an EHR (electronic health record) system to comply with MIPS. Now you’re going to have to pay for cyber insurance when some of you didn’t want to go electronic in the first place.
To add insult to injury, addressing data security can take time and effort. It’s another hoop to jump through just to be able to do your job. Plus, you are already paying for liability insurance and other types of coverage: it hardly feels fair.
That said, in the event of a data breach, having cyber insurance could save you dearly. The HIPAA Omnibus rule states that failure to protect health information can result in a maximum fine of $1.5 million.
According to American Medical News, data breaches are a problem even for small practices:
“Although a breach at a small physician practice probably won’t cost that practice anywhere near $5 million, it could easily run into the hundreds of thousands of dollars — enough to cripple a practice running week to week financially.”
If your data breach affects 500 patients or more, fines are not the only problem. You then have to notify patients, the HHS (Department of Health and Human Services), and the media. Talk about bad publicity!
What does cyber insurance cover?
Insurance coverage varies from provider to provider. But a decent policy should cover all your cyber risks. These include compromised technology, destruction of patient health records, and patient information exposure.
According to Lauri Floresca from Woodruff, Sawyer & Company, most cyber insurance policies offer a combination of these four components:
- Errors and omissions: claims involving practice errors, including technology and professional services.
- Media liability: intellectual property, copyright infringement, libel, and slander.
- Network security: consumer data breach, destruction of data, virus transmission, and cyber extortion.
- Privacy: breach of physical records, paper files, and mobile devices.
Cyber insurance policies typically do not cover:
- Loss of future revenue.
- Improvement of internal technology systems.
- Lost value of intellectual property.
- Reputational harm.
Is there more you should know?
Yes. Lucian Constantin, IDG News Correspondent warns that cyber insurance mitigates some financial damage, but it is not a complete solution. Most insurance policies do not cover all intellectual property theft or reputational damage. They don’t usually cover business downturn caused by a security breach.
Furthermore, cyber insurance might overlap with your existing insurance package. Read the fine print to make sure that it covers all cyber exposure. Look for an insurance policy that has a multifaceted response. PR, notification, forensics, and cyber-incident response should be part of the deal.
How do you get cyber insurance?
First, determine what you would like to cover. Then, list the type of data breaches your practice could experience. For example, you probably know that you need coverage for a patient data breach. You may not know that if you advertise your practice online, or publish a blog, you may need media liability coverage as well.
Then, look for a reliable insurance company that specializes in cyber attacks. Speak to an insurance broker if you need to. You are looking for a cost-effective policy. Beware of cheap ones that are not able to provide much reimbursement.
Cyber insurance is relatively inexpensive and probably a good idea, provided you do some research and find someone who can help select the right one.
Preventative care is not only good for your patients—it makes sense for your practice too! Cyber insurance may not be a magic bullet, but it can help you worry less and get back to providing healthcare.