Cyber Liability Coverage: Nuts & Bolts

- Ashley Umbach

If your practice uses computers, you need cyber liability insurance. This article will help you decide how much coverage you need, understand the types of coverage that might be included, and determine whether you are comfortable with the exclusions.

Most data breaches occur in the healthcare industry, where data can be compromised orally, electronically, or by misplacing paper. Hackers pay up to 20 times more for a medical record than a stolen credit card, and it’s easy to see why. Thieves can purchase items with a credit card, but they can wreak havoc with PHI stolen from a medical record, by opening multiple credit cards and bank accounts, or using insurance information to undergo expensive procedures or purchase medical items.
Each year the Ponemon Institute conducts a study of the latest data breaches across 16 industries. The 2016 study revealed that while the cost of the average data breach per record was $221, the cost of a healthcare data breach was $402 per patient record. That’s because healthcare data breaches are heavily regulated, and the 1 in 5 practices that experience a breach spend huge amounts of time and money trying to fix the problem – and still lose patients.

One way to establish whether you have adequate coverage is to calculate the number of patient records in your practice and multiply that by $402. If your practice has a designated HIPAA Security Officer, has performed a security risk analysis, has signed BAAs** with the appropriate people and companies, and everyone at all locations receives HIPAA training upon hire and yearly thereafter, a lower amount may make sense for you.

To assess whether the details of the policy coverage and exclusions fit your practice, you should understand what happens when there is a data breach. HIPAA regulations require you to notify the public via media when a breach affects more than 500 patients. You’ll want professional help to handle the situation, including effective public relations, expert technical advice to identify the source of the breach and repair it, if possible, and credit monitoring for patients whose records were compromised. These breaches generally result in increased scrutiny by the federal agency that enforces the rules, and fines of up to $1.5 million may be imposed, so you should check whether the policy covers fines and penalties.

Sometimes hackers will erase data completely, or hold it hostage in return for payment (ransomware). When medical information is missing, you may have to cancel some patients or close the office completely to deal with the problem. Therefore, many policies cover cyber extortion and the cost of recovering data that has been damaged or destroyed. You can also get coverage for business interruption and loss of income resulting from the breach. If credit card information is stolen, you may incur liability under PCI-DSS standards, and patients may sue you over this breach. Look for PCI-DSS coverage, as well as coverage for claims made against you because of the breach.

It’s important to fill out the insurance application carefully and accurately. At least one healthcare provider attested that it had practices in place to reduce the likelihood of a breach, yet failed to follow through on those practices. For example, the provider didn’t encrypt its medical data and did not ensure that a software vendor had its own cyber insurance. The insurer challenged coverage under the policy based on the provider’s failure to maintain basic security practices on its own behalf and to check its vendors’ security practices and insurance.

** BAA stands for Business Associate Agreement. HIPAA requires your practice to have a signed BAA with any third parties who perform services for you that require the use of or access to protected health information. This includes any contractors, service providers or vendors who may have access to protected health information, and it can include lawyers, accountants and IT providers. This is a huge topic for another day.