How much coverage do you need? Cost?
Dr. McAneny has increased her cybersecurity coverage every year. “It’s expensive, but I think it’s worth it. But you can never buy enough protection due to the coverage limits.”
She worries that the costs could exceed the limits if a ransomware attack disrupts her practice for days, weeks, or longer, or if the Office for Civil Rights fines her practice $10,000 per patient chart – the practice has 100,000 health records. “That can run several millions of dollars and ruin a practice,” she says.
Health systems and hospitals need massive amounts of coverage, which often runs from $20 million to $30 million, says Mr. Shah. However, practices insured through MagMutual have lower coverage limits that range from $1 million to $5 million, he says.
“A large practice does not necessarily need more than $1,000,000 in coverage if they have limited loss in this area and strong internal processes and controls. Most large practices also have a dedicated information security director, which reduces their risk, so they may be comfortable with $1,000,000 in coverage,” says Mr. Shah.
Premiums are based on the number of patient health records per practice, which translates into higher premiums for larger practices.
Other factors that come into play include the underlying coverage, risk controls the practice has implemented, and its claims history, says Mr. Shah.
However, the cost of cyber liability insurance has increased, and practices can expect to pay higher premiums and deductibles. For example, a practice that paid $10,000 in premiums for a new policy last year will have to pay $20,000 this year, says Dan Hanson, senior vice president of management liability and client experience at Marsh & McLennan Agency, a risk management firm that sells cyber insurance policies.
“We saw 71% of our self-insured clients experience higher deductibles over last year due to increased claim activity and the lack of capacity in the market. The carriers are saying they will set limits, but you are going to pay a lot more, and you are going to participate more in losses through the higher deductibles,” says Mr. Hanson.
Are you eligible?
Cyber insurance companies have a vested interest in avoiding claims. With increasing cyberattacks and larger payouts, many insurers are requiring practices to implement some defensive measures before they insure them. Some insurers, such as Coalition, say they may still insure small practices for comprehensive coverage, but it may impact the pricing or what’s covered, says Mr. Carr.
Here are some of the security measures that cyber insurers are looking for:
- Multifactor authentication (MFA) adds an extra layer of security to access the system. For example, when logging into your organization’s EHR platform, instead of just using a username and password to access the platform, MFA would require you to input an additional unique login credential before you can access the EHR. A secondary login credential may include security questions, a one-time PIN, or biometrics.
- Removing a terminated employee’s login credentials quickly from the computer system. “One of the most damaging and expensive types of attacks are by disgruntled employees who still have their login credentials and take revenge by logging back into the system and planting malware,” says Mr. Shah.
- Automatic system updates (patches). “Phishing email compromises usually result from a failure to fix vulnerabilities. When a system needs to restart, it should be set to automatically update any potential security loopholes within programs or products,” says Mr. Carr. The firewall settings should also be updated.
- Prior hacking incidents: Are the attackers out of your system? Once criminals hack into the system, your practice is vulnerable to repeat attacks. “If a cyberattack is not completely addressed, threat actors will maintain access to or a presence on the compromised network. In general, we will work with the insured to ensure that the initial point of compromise has been addressed and that any threat actor presence in the network has been removed,” says Mr. Carr.
When doctors compare cybersecurity policies, experts recommend avoiding companies that may offer lower prices but lack a proven track record of handling claims and do not offer threat-detection resources, such as ongoing network monitoring and employee training with simulated exercises.
“Practices tend to think, ‘It won’t happen to me.’ Every practice needs to take this seriously,” says Dr. McAneny.
A version of this article first appeared on Medscape.com.