What you should know about healthcare cyber liability

July 12th, 2016 | Published Under Practice Transformation by Jennifer Mensch

Thank you to COPIC Financial Service Group for providing the content for this blog post.

According to Symantec’s 2016 “Internet Security Threat Report,” the healthcare sector had 39% of all data breaches in 2015. The report also shows 429 million identities were exposed in 2015, a 23% increase over 2014, with hundreds of millions more identities possibly exposed in incidents that were not reported.

The Ponemon Institute’s May 2016 “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data” surveyed 91 healthcare organizations and 84 business associates. The study found “many organizations and their associates lack the money and resources to manage data breaches caused by evolving cyber threats, preventable mistakes, and other dangers.” Based on the results of this study, Ponemon estimates “data breaches could be costing the healthcare industry $6.2 billion.” Having some form of cyber liability/data breach insurance is a low-cost and highly recommended way of mitigating financial loss while also gaining access to a wealth of data breach resources.

Why are medical practices a target for cyber crime?

Healthcare entities have access to (and are expected to protect) valuable, confidential and personal information, including medical records (electronic and paper), billing information (credit cards, bank information, etc.), insurance information, and Social Security numbers. Compromised identities can be sold for as little as $50 each and cost a business at least $240 per year/per identity to address the legal, public relations, advertising, IT forensic, credit monitoring and postage expenses.

How are healthcare providers exposed?

  • Simple negligence, which causes most breaches
  • Loss or theft of mobile devices or electronic files, which causes 68% of breaches each year
  • Improper disposal of patient records
  • Rogue employees
  • Sensitive data that is not encrypted
  • Increased use of electronic databases that store vast amounts of information
  • Outsourcing of IT

What are the specific risks?

  • Hackers, attackers and intruders: These are people who seek to exploit weaknesses in software and computer systems for their personal gain. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to malicious activity (stealing or altering an individual’s information).
  • Malicious code: This is the term used to describe any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system. This type of risk includes: 
    • Viruses: This type of code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular Web page.
    • Worms: This code propagates across systems without user intervention. Worms typically start by exploiting a software flaw; once the victim’s computer is infected, the worm attempts to find and infect other computers.
    • Trojan horses: Trojans hide in otherwise harmless programs on a computer, and much like the Greek story, release themselves when you’re not expecting it and cause a lot of damage. For example, a program that claims to speed up your computer system but actually sends confidential information to a remote intruder is a popular type of Trojan.
  • Lost laptops and mobile devices: Laptops contain a vast amount of personal information on their hard drives and in temporary files. A laptop in the wrong hands can expose countless passwords and enable access to financial accounts.

What is cyber liability insurance?

Cyber liability and data breach insurance protects your business from cyber risks relating to information technology infrastructure activities, including breaches of your customers’ personal information (in both paper and electronic files). While certain professional and general liability policies offer some cyber liability coverage, it is important to make sure you have the proper level of coverage for your particular situation and your third-party (patient) exposures.

Typically, policies provide coverage in all of the following key areas:

  • Multimedia
  • Security and privacy
  • Privacy regulatory defense and penalties
  • Privacy breach response costs, customer notification expenses, and customer support and credit monitoring expenses
  • Network asset protection
  • Cyber extortion (think Bitcoin-for-system-access schemes)
  • Cyber terrorism
  • Cyber crime
  • Prior acts coverage: this is an important coverage component, since some breaches are not discovered until years after identities have been compromised.

The cost of cyber liability insurance is based on your current number of healthcare providers; it is not typically rated on the total number of people with access to the personal information or on the number of patient health records.