Cyber Insurance Coverage: Why Recordkeeping & Proactive Measures Matter

We often receive questions about whether providers should purchase cyber insurance coverage. Our answer is always, emphatically: yes. No matter what recordkeeping system you use, the size of your practice, or how robust you think your security measures are, a standalone cyber insurance policy with a carrier that specializes in this coverage is a must for every practice.

Healthcare Data Protection: A Look at Recordkeeping

We haven’t met a recordkeeping system for which we don’t recommend cyber insurance coverage. Let’s look at the three most common forms of healthcare recordkeeping and the associated exposure.

1. Digital records (EHR/EMR): This is the kind of system you imagine when you think of a medical practice that needs cyber insurance. But spoiler alert: they all do! If your electronic health record or electronic medical record system is the victim of a cyber event, you might expect the third-party vendor to cover the costs and follow established procedures to notify your patients. That is not how it works. Your vendor's contract rarely makes it responsible for your notification and response costs, and whatever obligations it does have do not relieve you of yours. Your practice remains responsible for patient data it collected, no matter where that data is stored. You elected to do business with that vendor, so you have a responsibility to your patients if your data is compromised within the vendor's system. In practice this means footing the bill for notifying patients, offering credit monitoring, staffing a phone line to answer questions, absorbing business interruption costs, paying regulatory fines, and more. Best practices here are to always make sure you are protected with a cyber policy, to have a written agreement with each vendor that spells out who does what after a breach (in healthcare, the business associate agreement), and to confirm that your vendors carry their own cyber insurance. Do not assume that because you outsourced your digital records you are off the hook.

2. Paper records: Most, but not all, policies cover data breaches that result from paper files, so if you only maintain paper records, we will take this into account during our market search. Most applications will ask you to enumerate both your paper records and your electronic records that contain private or sensitive information. This includes, but is not limited to, Social Security numbers, payment information (credit card or bank account), driver's license numbers, and email addresses. The big threat here is that paper records can be misplaced, damaged, or forgotten in an unsecured location, not to mention stolen by someone who needs none of the skills required to carry out a cyber attack in the digital sphere.

3. Paper records turned digital: If your office documents on paper but then scans and stores those files digitally, you are still exposed. Threat actors may gain access to your documentation if you do not dispose of the paper records properly once they are scanned, and they may also find their way into your digital storage, whether physically or over the network. If you maintain both paper and electronic records, your patient data is even more exposed, because there are more access points for a threat actor or for an accidental disclosure.

Cyber Threats to Healthcare Data: Trends to Watch

  • Most cyber events are the result of human error: think email phishing, sharing passwords, or logging in remotely over an unsecured network. No matter how sophisticated your security is, you cannot rule out employees making a mistake. Forbes has reported that 94% of organizations surveyed had experienced email security incidents.

  • There is a misconception that hackers only attack large corporations. Cyber events now fall disproportionately on small and mid-size businesses, which typically have weaker security systems and protocols in place and are therefore easier targets.

  • Some non-cyber policies (e.g., CGL, BOP, medical malpractice insurance) include a small sublimit or coverage for parts of a cyber event, but you should not rely on this. The gold standard is a standalone cyber policy customized to your needs. Most non-cyber policies will not cover the event in its entirety, nor respond quickly and adequately when you need it most. You want to be able to call an expert in the moment to assist with data recovery, evidence collection, business interruption costs, navigating regulatory agencies and fines, notifying affected parties (which may require a staffed call center), negotiating with the attackers, coordinating any cryptocurrency payment, and so on.

  • Even when you have proper backups, or the compromised data is not sensitive, restoring your data to internal systems can take days or even weeks. During this downtime your practice is losing revenue and may be suffering reputational damage.

  • Attackers are sophisticated and now know to target your backups as well as your primary data. In a ransomware situation they typically know how much a practice can afford to pay and set their demand very deliberately. Their operations may be illegal, but they run a highly effective business.

You know shopping for med mal insurance can be tedious, but getting cyber insurance coverage is a breeze in comparison. It is often less than $2,000 per year for an individual physician practice, and we need answers to only a few simple questions over the phone to shop for quotes.

Cyber insurance can be off your to-do list within a day. Your only job is to call us: contact us today.
