Hacking risks are rising for healthcare systems of all sizes. 2015 was a banner year for data breaches and inadvertent releases of patients’ protected health information (PHI). The biggest cases involved health insurers, but healthcare systems and small practices were breached as well.
Healthcare-related data breaches are reportedly on the rise, even in light of improved compliance with HIPAA and HITECH, and that trend probably won’t reverse in 2016. Of course, no system is theft-proof, but physicians can lower the risk by safeguarding their systems and by considering a comprehensive cyber insurance policy. This coverage helps shield practices from the costs of cyber incidents.
The key word in such a policy is “comprehensive,” because most general liability insurance policies were written before the rise of cybercrime and weren’t designed to cover liability or loss from online attacks and data breaches. The vast majority of general liability policies contain specific language stating that they do not cover such losses or costs. Insurers might offer physicians free cyber-risk riders on their general liability policies, but free coverage might not be thorough or broad enough for a practice.
Is comprehensive cyber insurance worth the cost? A better question might be: what would it cost you if your EHR system were attacked?
For many practices, it’s reasonable to purchase a policy that puts all the services together in one customized package. The average cost of a data breach in a small company (less than 100 employees) was $8,700 in 2013. By comparison, average yearly premiums were $649 to $1,800, depending on the size of the practice and the amount of coverage.
Compare those premiums to the cost of paying office support staff overtime to notify patients and inform the public, along with establishing credit monitoring services for affected individuals and hiring IT security experts.
- Ask your insurance broker to conduct a thorough risk assessment to determine your information systems’ vulnerability and what services would be needed in the event of a breach.
- Don’t assume your medical professional liability insurance (MPLI) will cover data-related losses. Even if your MPLI does include cyber liability coverage, check the depth of the coverage; it may not be sufficient to cover all costs of a breach.
- If you decide to purchase a cyber insurance policy, make sure you understand what is covered and what is not. For example, many policies require encryption of systems that share or store PHI, and most don’t cover costs related to damage to a firm’s reputation or image.
Last Updated on January 18, 2016