Cybersecurity: Mitigate Against Hacking and Data Breach Risks

April 06, 2016

Our Medical Malpractice Insurance Carrier/Partner, - The Doctors’ Company published on their website:

Cybersecurity: Mitigate Against Hacking and Data Breach Risks

The website reports that Cybercrime costs the U.S. economy billions of dollars each year and causes organizations to devote substantial time and resources to keeping their information secure. This is even more important for healthcare organizations, the most frequently attacked form of business. The most common statistic that we see reported is that healthcare data breaches cost companies an average of $316 per record—the highest of any industry.* The Doctors Company's expert resources can help protect healthcare organizations and physician practices.

Recent cyberattacks on large health insurance companies further demonstrate cybersecurity risks.

On January 29, 2015, Anthem, announced it was the victim of a cyberattack that it believed happened over several weeks starting in December 2014. The Anthem breach exposed the information of up to 80 million current and former members, including names, birth dates, Social Security numbers, healthcare IDs, and addresses.

Premera Blue Cross also discovered it was also a victim of a cyberattack, with an initial attack taking place in May 2014. The hackers gained unauthorized access to the information of up to 11 million Premera customers; again, farming birth dates and Social Security numbers to addresses and bank account information—

A business that suffers a breach of unencrypted personal health information (PHI) must report the breach to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). They have the power to enforce the Health Insurance Portability and Accountability Act (HIPAA) and issue fines.

So far , the OCR has levied over $25 million in fines, with the largest single fine totaling $4.8 million.

In 2014, U.S. healthcare data breaches cost companies an average of $314 per record—the highest of any industry.

A healthcare organization’s brand and reputation are also at stake. The OCR maintains a searchable database (informally known as a “wall of shame”) that publicly lists all entities that were fined for breaches that meet the 500-record requirement.

To help safeguard your systems, know the most common ways a breach occurs.

The theft of unencrypted electronic devices or physical records is the most common method, hacking and public distribution of personal records.

(A breach in the latter category led to the largest OCR fine to date when two affiliated hospitals accidently made patient records public on the Internet.5es from this emerging area of risk.)

Reasons Healthcare Organizations should Have Cyber Liability Insurance

One of our many insurance partners in the healthcare liability insurance niche is a broker called Ultra Risk Advisors. Recently Michelle Tran who works with them wrote an article about the importance of purchasing cyber liability.

Michelle Tran points out in her article (and we concur), that medical groups will call their medical malpractice insurance agent/broker or company asking the panicked and hopeful questions:

“Do I have insurance?”

“What does my insurance cover?” “Who do I notify first –and how many?

It used to be that physician medical malpractice insurance policies were the only policies that carried the additional sub limit of providing $50,000 of defense, representation and notification reimbursements. Now, however we are seeing surgery center endoscopy lab clinical trial organization all facilities and met different types of healthcare organizations are now offering sub limits of cyber liability.

Unfortunately, cyber theft, and electronic hacking are now very likely to happen to all manners of health care groups. Ultra Risk Advisers points out some important considerations concerning Cyber liability:

#1 cyber issues are not covered under their General Liability policies – typically, these insurance events are exclusively covered by professional liability insurance policies. There is no coverage or inadequate coverage on general liability

These policies specifically exclude :” Access or Disclosure of Confidential or Personal Information, or similar endorsements).

As experienced medical malpractice insurance agents with over 2000 clients, we read about or deal with in some way the expense in the business interruption of data breach every week. Every day, if you type in keywords for an Internet search of healthcare organization breach of patient personal health information. There will be reports of medical groups surgery centers, hospitals and other healthcare companies that have experienced a breach of their secure electronic health records.

it could be a thumb drive that is lost or stolen with sensitive data for many patients.

Professional Liability Policies include some coverage: Some PL policies offer breach notification expense in the event of a breach.

Additionally, they will reimburse and provide experts for electronic data restoration, other areas included are data extortion payment, regulatory fines and penalties.

Healthcare is the most targeted industry in the U.S. when it comes to cyber-attacks, Criminal hacking is now the leading cause of healthcare data breaches.

We read many different numbers, statistics, in this Ultra Risk article, they report that The average cost of a healthcare breach is $363 per record.

According to the Office of Civil Rights, there were 253 healthcare breaches in 2015.

(in order to be reported, each of these breaches had to affect 500 individuals or more. The average selling price for a medical record is 10 to 20 times that of a U.S. Credit Card number. Recovering from a data breach can be devastating without insurance. We have read that the average data breach can cost up to $ 500,000.

A study recently showed that notifying victims that their information had been compromised and providing protective services such as credit monitoring cost an average of $366,000 for the average breach. Again, Ultra Risk, reports:

The cost of legal defense averaged $698,000 and the average settlement cost was $558,000. And six of the claims studied had regulatory costs due to HIPAA violations and settlements averaged $937,000.

Cyber liability insurance can cover more than you might think.: security and privacy liability – issues arising from the breach –; data recovery – which includes the cost to restore regulatory proceedings – fines and penalties –all personal information is protected by HIPAA; business interruption – covering the cost of lost income because the client has lost access to data and therefore prevents the business from functioning.

There are teams of experts available with most quality cyber liability policies. it is important to have access to a breach response team –to guide through the steps they need to take after a breach. Risk Management Services Some policies include risk management services. This may include pre-breach planning – help with managing and reducing their cyber risk – tools like risk self-assessments