Did you know? To date, in 2017 there have been 133 reported data breaches in the healthcare industry – on average 17,849 records breached per incident. The Ponemon Institute estimates the cost per lost or stolen healthcare record to be about $400. This does not include fines and penalties, which can further increase the cost. Do the math, healthcare breaches are expensive.
Why are physician’s offices uniquely exposed to cyber risk?
There are 3 main reasons healthcare is one of the most targeted and vulnerable industries:
- Healthcare data value: Patient records often contain a combination of personally identifiable information (PII) and protected health information (PHI), a treasure trove for a cybercriminal that commands a high price on the dark web.
- Quick access to information: Physicians have the difficult task of balancing the protection of, and quick access to, large amounts of PII and PHI. In an emergency, you need to be able to look up your patients’ records quickly and share information without passing through too many safety controls. This can leave you more susceptible to cyber incidents, since the human element is the primary cause of data breaches in the healthcare industry. While 32% of incidents are caused by an external hacker or cybercriminal, employee mistakes, misuse and malicious acts account for the majority of incidents at 68%.
- Regulatory fines and penalties: The regulatory and compliance requirements that apply to physicians also carry substantial fines and penalties for non-compliance in a cyber incident.
Given the triple challenge discussed above, a data breach or cyber incident can happen at any time, even for practices with cutting-edge cybersecurity technology. But enough doom and gloom – what can you do to protect your healthcare operation?
Cyber insurance as a backstop
Cyber insurance should be an essential part of your cybersecurity strategy that aligns with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It serves as an effective and relatively affordable backstop when all else fails. The right coverage is critical to improving your practice’s ability to absorb an incident and recover quickly. Here are the top 5 ways cyber insurance can help you manage your exposures by providing coverage for:
- Regulatory Fines and Penalties: PHI is subject to the HIPAA Privacy and Security Rules. If your patients’ healthcare information is breached, you could be fined up to $50,000 per lost or stolen record, which is in addition to the estimated cost of $400 per record discussed above. Since not all cyber policies cover fines and penalties, it is important to work with an insurance professional.
- Privacy Liability & Direct Expenses: As a result of a data breach involving your patients’ PHI or PII, you could be sued by your patients or other third parties. In addition, privacy laws and regulations will often require you to notify victims and offer services to detect or repair the possible damage to their identity. Fines, penalties, legal defense costs for your failure to protect data and the direct expenses to notify and assist data breach victims can quickly add up.
- Cyber Forensics Expenses: Healthcare is one of the few industries that relies mostly on electronic data to provide patient services. Aware of this, cybercriminals are increasingly targeting healthcare providers with ransomware attacks, which can easily be deployed via email with infected attachments or by directing an unsuspecting healthcare provider to an infected website.
  One of the ways you can mitigate your losses in case of an attack is by backing up your data. However, even if you can completely restore from a backup and don’t have to pay the ransom, you must still determine what damage the malware caused on your network and confirm that no data was accessed or exposed. This requires cyber forensics to assess the scope and impact of the incident.
- Reputational Harm: Mishandling a data breach or a cyber incident could seriously impact your reputation and result in the loss of existing and future patients. Responding quickly after a cyber event is not easy, especially in a time of crisis. Working with an experienced public relations and crisis management professional can minimize the damage and help protect your reputation, but this service can be quite expensive.
- Incident Response: Cyber insurance also helps take the confusion out of the incident response process. A good policy will provide access to, and cover the cost of, a data and privacy legal expert to quarterback the cyber incident response process. This professional can help you navigate the legal, regulatory and compliance landscape and coordinate with cyber forensics, public relations and members of your internal incident response team. This important feature of cyber insurance gives you a person to call the moment you experience a cyber incident or data breach.
Interested in learning more about how cyber insurance can help your practice manage cyber risk? Or do you need assistance with designing a holistic cyber resiliency strategy? Feel free to contact me at jnapp@psafinancial.com.
*http://icitech.org/wp-content/uploads/2016/01/ICIT-Brief-Hacking-Healthcare-IT-in-2016.pdf