WannaCry provides wake-up call
As hackers become more sophisticated, these .
In 2017, there were at least 477 publicly reported health data breaches in the United States, affecting some 5.6 million patients, up from 450 health care breaches in 2016, according to Protenus, a health care cybersecurity vendor that tracks data breaches reported to the U.S. Department of Health & Human Services.
Joshua R. Cohen
“A breach is very expensive,” said Mr. Cohen, chair for the New York City Bar Association Committee on Medical Malpractice. “You have the fine to the Office for Civil Rights, which can be in the millions of dollars, and you’re going to have to ameliorate the breach, which can be hundreds of dollars per person, let alone deal with lawsuits from the patients.”
Cyberliability: What’s the risk?
Cyberliability refers to legal dangers arising from data breaches, privacy law violations, and ransomware/cyberextortion threats, as well as data loss and business interruption from computer system failures.
Of the 477 breaches in 2017 analyzed by Protenus, 37% were from hacking, 37% resulted from insider incidents, and 16% stemmed from data loss or theft. About 10% of cases resulted from unknown reasons, according to the report.
Data breaches caused by hackers and malware attacks are rising in the health care sector, said Katherine Keefe, global head of breach response services for Beazley, a national cyberliability insurer and risk management company. Beazley handled 2,615 data breaches in 2017, more than half of which were health care–related, Ms. Keefe said in an interview. The top three causes of health care breaches reported to Beazley in 2017 were accidental disclosure, hack or malware, and insider incidents, according to a recent report from that company
Beazley
Katherine Keefe
“We see an awful lot of that,” Ms. Keefe said. “There’s been a real surge in successful phishing emails and social engineering that enables criminals to identify medical practice leaders. It’s not hard to dress up an email to look like it’s coming from a specific individual. There are all kinds of increasingly sophisticated tactics to trick people into letting criminals into their systems or tricking people into forwarding money or valuable information.”
Hackers frequently use phishing emails to get employees to download a payload, the portion of malware that performs malicious actions, Mr. Cohen added. Once downloaded, payloads can do significant damage to a medical practice.
“Once you get hit with these payloads, not only can they start pulling information out of the computer system, they can also start doing things, such as turning on laptop cameras, reading emails, listening in on computer microphones,” he said. “All they need is one employee to click.”
Considering cybercoverage
To protect themselves from potential breach expenses, more medical practices are purchasing cyberliability insurance policies. A 2017 survey of 270 insurance brokers and 125 underwriters found that health care has more first-time buyers of stand-alone cyberliability insurance than does any other industry.
However, Mr. Cohen advises that practices should do their research before buying and be aware of the different types of policies, coverage limits, and insurance options.
“Be careful about what it covers,” he said. “Are they going to pay for all the amelioration for all the patients affected? Some policies will cover ‘repairing and disinfecting the system,’ but they will not likely cover all the [Office for Civil Rights] fines.”
The Doctors Company, a national medical liability insurer, provides $50,000 in cybersecurity coverage to all its insured physician members and the option to increase coverage by $1 million in additional protection, according to Crystal Brown, senior vice president of underwriting for the Doctors Company. The coverage protects against regulatory and liability claims arising from theft, loss, or accidental transmission of patient or financial information as well as the cost of data recovery. Another policy offered protects against claims arising from administrative actions pertaining to utilization, licensing, credentialing, and misconduct.
Crystal Brown
Meanwhile, national medical liability insurer ProAssurance offers health providers a basic cyberliability coverage endorsement in most states on its medical professional liability policy. The insurer also has a branded cyberprogram that allows clients to buy additional and broader coverage at a discounted premium.
“In today’s electronic environment, we are hearing about breaches occurring at both small and large health care practices,” said Melanie Tullos, vice president for ProAssurance. “Small physician practices are just as vulnerable, if not more so, to a cyberbreach and should take the necessary steps to protect patient data against an attack at all measures, including, but not limited to, purchasing cyberliability coverage.
The price of cyberliability insurance varies by risk and other factors, Ms. Tullos said. Generally, the cost of a $1 million cyberliability policy for a single physician practice is less than $1,000, whereas a group of 10 physicians can pay up to $8,000-$9,000, she said in an interview.
Beazley offers policies that cover the expenses and services associated with investigating whether a data breach has occurred, responding to breaches, and liability that may arise from the breach, said Ms. Keefe, of Beazley, which works with companies such as the Doctors Company to provide coverage and also works with state-run malpractice programs to offer a cyberliability component for a small, additional premium, she said.
Ms. Keefe stressed that cyberliability coverage can ensure that physician practices don’t run up a hefty bill in the event of a data breach by paying for separate specialists and damage control.
“One of the reasons doctors should have cyberliability coverage are the costs associated with figuring out what to do if patient records are lost or stolen,” she said. “The cost of hiring a lawyer, hiring a forensics investigator to assess the situation, the cost of notifying the patients, and taking all the steps required by HIPAA can really add up. Most practices don’t have those costs built into their annual budgets. A cyberpolicy acts as a buffer against those expenses.”