In a May 8, 2018 MGMA Stat poll, healthcare leaders were asked if their organization had cyberinsurance. More than half of the respondents indicated that their organization has this coverage, which is often part of their malpractice insurance coverage.
Cybersecurity is a concern for every healthcare organization, regardless of size, so cyberinsurance can help reduce the financial impact of a data breach, along with providing other benefits. As Paul I. Berkley, FACMPE, MGMA member noted in a recent MGMA Member Community conversation about cyberinsurance, “Cyber coverage is offered by a number of major carriers. It protects against a wide variety of issues to include HIPAA violations, ransom attacks, or other related issues. The price for us seems to be reasonable.”
According to a 2017 Accenture survey, 26% of U.S. consumers have had their personal medical information exposed during a data breach. Furthermore, of those whose information was exposed, 50% stated that they were subject to medical identity theft, and were required to pay an average of $2,500 in out-of-pocket costs per incident.
For providers, cybersecurity will continue to be an issue in the years to come. In fact, according to a CynergisTek report, healthcare cybersecurity attacks – security incidents stemming from hackers – increased 320% from 2015 to 2016.
Now more than ever, patients are relying on their providers to keep their data secure, so it’s important to be proactive Is your organization taking steps to deal with cybersecurity risks and do you have cyber insurance to cover potential losses?
As you evaluate potential cybersecurity risks and assess cyberinsurance options, consider taking these steps:
- Review your IT capabilities and how information is stored.
- It is critical for providers to understand what’s covered in their policy and what’s not. Speak with your insurance broker about your insurance options. Nearly all cyberinsurance policies cover the costs of notifying those affected and the cost of a lawyer to serve as the data breach coach for a specific event. However, some policies do not cover the costs of preparing notifications for regulators or the penalties that those regulators impose, while others do not cover lost revenue or staff time.
- Evaluate your incident response plan and make sure your staff is familiar with it. Also, consider how patients will receive care if your computer system is inoperable.
- Benchmark coverage data. Coverage purchased by comparable organizations should be available from your insurance broker or carrier. You carrier should also have breach calculators to estimate the potential cost of a breach based on the number of records compromised.
- As cyber threats evolve, it’s important to stay in contact with your broker to understand how these threats may affect your cyber-insurance policy.
- Shop around. In the cyberinsurance conversation, Richard Hansen, MS, CMPE, MGMA member, suggested, “Obtain 3 quotes and compare them … I used an IT firm to help me evaluate the coverage and which companies to consider. The number of IT breaches in healthcare has increased. A modest breach could cost $1.5 to $3 million depending on the number of patients you have. Unfortunately, it's coverage I feel every group should have in this day and age.”
- Your malpractice insurance carrier could be an option. As Jennifer White, CMPE, MGMA member, wrote in the cyberinsurance conversation, “Another vendor to look at for a quote is your malpractice carrier – they can be very competitive and depending on the size of your practice they may be able to include the cost in your renewal.”
Perhaps most importantly, as practice administrator Trudi Noppenberger, MBA, MGMA member, stated in the cyberinsurance conversation, it’s important for practices to have peace of mind. “I definitely recommend any practice buying cyberinsurance. It's just like all your other insurances – you hope to never use it, but if you have to, you have it in place. It is inexpensive, and well worth it as part of your security blanket.”
Pamela Ballou-Nelson, RN, MSPH, PhD, CMPE
Principal Consultant
MGMA Consulting