by Jennifer Duell Popovic of Medical Office Today.
All healthcare organizations, regardless of size, specialty or location, should be asking themselves whether they need cyber liability insurance.
Although every type of business is vulnerable to losses that can be covered by this type of coverage, healthcare organizations have even more exposure because they deal with both financial and health-related information. Healthcare organizations collect more information than other types of business, and they usually keep that information for much longer, amplifying their exposure.
“Losses related to personal information breaches are typically larger for healthcare organizations than for other types of businesses such as law offices or retailers,” says Jay Sheehan, senior vice president with Preferred Concepts LLC, an insurance program administrator and wholesale broker headquartered in New York City.
The Second Annual Benchmark Study on Patient Privacy and Data Security conducted by the Ponemon Institute and sponsored by ID Experts found that despite increased compliance with HIPAA and the HITECH Act, healthcare data breaches are on the rise – eroding patient privacy, contributing to medical identity theft and costing the healthcare industry billions annually.
What is cyber liability insurance?
Before you can determine whether you need cyber liability insurance, you first need to understand what it is and what kind of coverage it provides.
The term “cyber liability” encompasses an array of liability exposures regarding confidential information or data in various forms. In fact, “cyber liability” is a bit of a misnomer since this type of coverage often applies to information stored on paper files and not just online or computer data.
“Cyber liability insurance is really a risk information policy because it covers information that you have in your possession – it doesn’t discriminate between paper and digital – it’s all the same,” says David Hallstrom, director of Net-Protect with CNA, the country’s seventh largest commercial insurance writer and the 13th largest property and casualty company.
You might be thinking, “Surely my other insurance policies cover this,” but they usually don’t.
More often than not, information and data-related exposures are not covered by other forms of insurance such as property and casualty, business interruption or malpractice. These types of insurance were not designed to cover exposures related to information getting into the wrong hands, and they definitely exclude any claims related to social media (blogs, Twitter and Facebook, for example). Moreover, no traditional insurance policies currently provide coverage for the expenses of notifying affected individuals when their personal financial or medical information is breached while in your custody.
Below are some exposures that can be covered in a cyber liability policy:
• Information security and privacy liability for failure to protect personal information held on computer systems, smartphones, laptops or paper files
• Costs to notify patients and other individuals that their personal information has been breached, as required by state law and HIPAA
• Other costs associated with data breaches, including investigative costs to determine how the breach occurred, as well as costs related to handling any necessary public relations issues and legal fees associated with notification or litigation
• Personal injury lawsuits and claims that may be related to breaches, as well as to the use of email, blogs and other types of social media such as Twitter and Facebook
• Electronic media coverage that specifically addresses slander/libel and copyright infringement
• Costs associated with restoring your IT systems and equipment to their pre-breach status
It will happen to you
Both federal and state law require healthcare organizations to act responsibly and to protect confidential patient information. Under HIPAA, for example, organizations are required to implement certain processes to protect information and to notify affected patients of breaches involving their healthcare information.
And, while HIPAA does not extend to financial information such as credit and debit card numbers or even social security numbers, most states have legislation in place to address the security of personal financial information. Moreover, these laws, whether they address sensitive healthcare information or financial data, often have certain requirements regarding how and when organizations must notify affected individuals.
Overall, these laws create a host of potential liabilities for healthcare organizations. However, most healthcare organizations that don’t have cyber liability insurance are not fully aware of their vulnerabilities, Hallstrom says, pointing out that even the best security processes can be overcome.
In fact, breaches can occur in a variety of ways. For example, Thomas Jefferson University Hospital had 21,000 patient records compromised when a laptop was stolen in 2010. Or consider an East Coast-based imaging center that stored its patient files in an apartment in the least expensive part of town (and also the most dangerous and crime-ridden), with the expectation that those files would be perfectly and completely safe.
“We’ve had instances where physicians have had their briefcases stolen from their cars and those briefcases were full of patient files,” Hallstrom notes, adding that CNA has written cyber liability policies for “healthcare organizations of all shapes and sizes from small practices to extremely large hospitals.”
The exposures aren’t limited to external threats either, Hallstrom notes. For example, a disgruntled employee could make off with hundreds of files, or a good employee could end up misplacing a smartphone with patient records.
Despite evidence to the contrary, many healthcare organizations simply don’t believe that a data or information breach could happen to them. Yet, the Ponemon Institute’s study found that the frequency of data breaches among organizations in its study increased 32 percent from the previous year.
In fact, 96 percent of all healthcare providers involved in the study said they have had at least one data breach in the last two years. Most of these were due to employee mistakes and sloppiness – 49 percent of respondents in this study cite lost or stolen computing devices and 41 percent note unintentional employee action. Another disturbing cause is third-party error, including business associates, according to 46 percent of participants.
Moreover, widespread use of mobile devices is putting patient data at risk. Eight out of 10 healthcare organizations in the study report that they use mobile devices to collect, store, and/or transmit some form of PHI, yet 49 percent of participants admit their organizations do nothing to protect these devices.
“It’s not a matter of ‘if a breach occurs’, but ‘when a breach occurs’,” Hallstrom contends.
Ouch! That’s expensive!
Sheehan of Preferred Concepts says many healthcare organizations underestimate how much money is involved in solving breach situations – and that miscalculation leads them to believe that they are better off not buying a policy.
“A lot of organizations don’t budget for this type of insurance and feel they don’t have the money for it, while others believe that their balance sheet can take a hit if a breach occurs,” Sheehan says. “What they don’t realize is that the cost of mitigating a breach could seriously impair their balance sheet and maybe even put them out of business.”
The estimated costs of a data breach are significant: $204 per compromised customer record in 2009, compared to $202 in 2008, according to the fifth annual U.S. Cost of a Data Breach Study. The most expensive data breach event included in this year’s study cost a company nearly $31 million to resolve; the least expensive breach for a company included in the study cost $750,000 in total.
Conducted by PGP Corporation and the Ponemon Institute, the study tracks a wide range of cost factors including outlays for breach detection, escalation, notification and response along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions. It also found that organizations are spending more on legal defense costs, which can be attributed to increasing fears of successful class actions resulting from customer, consumer or employee data loss.
The healthcare-specific Ponemon study estimates that data breaches cost the organizations surveyed an average of $2.2 million, up 10 percent from the previous year. In addition, most respondents believe their organization has suffered from time and productivity loss (81 percent), followed by brand or reputation diminishment (78 percent) and loss of patient goodwill (75 percent).
Cyber liability policy premiums are determined by a variety of factors. Among the most important factors: the number of patient records you maintain and your annual revenue. In addition, the premiums are influenced by the policies, procedures and controls that you have in place to keep patient information protected and your history of losses/breaches. And, your geographic location/jurisdiction also comes into play – whether you live in a state where regulators are more active and residents are more litigious.
Many organizations cite the cost of cyber liability insurance as the main reason for not buying it. Both Sheehan and Hallstrom admit that this type of coverage was historically somewhat pricey – primarily because insurance companies did not have enough information regarding potential losses to determine appropriate pricing.
As the industry has achieved a better understanding of these types of losses, pricing has come down, Hallstrom says. At the same time, coverage has become broader. “Don’t assume you can’t afford it,” he advises. “It’s worth exploring with your insurance agent.”
Questions to Ask Yourself:
1. Does my organization have in its possession personal data, or any kind of confidential data, that belongs to someone else?
2. What are we doing to address how this information is secured?
3. Can we handle any breaches internally or manage the process to mitigate a breach?
4. Can we afford the cost of a breach if we don’t have cyber liability coverage?
For more information on the studies referenced in this article, visit www.ponemon.org.