Cybersecurity Insurance for Medical Practices—The Basics

Rachel Patrizzo, VP, Cyber, TDC Specialty Underwriters

More medical practices are purchasing—or at least considering—an insurance policy to cover the substantial costs of a cyber event. Medical malpractice policies can provide basic coverage for this threat, but many practices find their vulnerabilities have grown to the point where they are looking for a standalone cybersecurity policy to better meet their needs.

The following provides an overview of what your practice can expect from a cybersecurity policy. Keep in mind that not all policies are the same and actual coverage will be determined by a policy’s terms, conditions, and exclusions.

Coverages are typically split into two types: first party and third party.

First-Party Coverage

First-party coverage addresses the costs and expenses your practice incurs from a data security or privacy breach event, such as:

  • A physician comes to the office one morning and logs in to the computer, but the screen goes blank and a message pops up claiming to have hijacked the data and demands payment to get it back.

    The “extortion threat” section of a cybersecurity policy may assist with this type of breach. Professional experts hired by the carrier will contact the cyber criminals to attempt to get the data released, including potentially paying the ransom. You should be concerned not only with the financial impact on your practice, but also with the impact on the treatment of your patients if your systems are down for any length of time due to a breach. The business interruption section of a cyber policy may provide reimbursement of lost profits during your downtime. Many standard property policies do not cover this exposure since there is no physical damage to the equipment.
  • A physician discovers her system has been hacked and worries her patients’ personal health information may have been compromised.

    If you discover your system has been hacked, your carrier can provide data breach response services to work with your IT staff to ascertain what happened. These forensic experts assess the nature of the hack and evaluate how much data has been compromised. This section of your coverage can assist with the costs of required patient notification. If you have records of patients from outside your home state, your insurance company should know the notification requirements for those states. You may also be required to provide those patients with credit monitoring services. Your coverage should help set up these services and cover the costs. The cost to notify patients and set up credit monitoring can be up to $35 per patient record. If patient records are compromised, the data recovery and restoration section of your coverage could reimburse you for the cost to decrypt, recover, restore, re-create, or recollect data.
  • The CEO of a company sends an email to the CFO instructing the movement of funds into an account. The CFO makes the transfer, only to discover that the CEO’s email was a spear phishing attack in which the email address was a clever fake, and those funds are long gone.

    Your coverage’s cybercrime section may cover the cost of the funds that were transferred. Employees who click on such phishing links could compromise your system. This section of your policy may also assist in those situations.

Third-Party Coverage

Third-party coverage provides protection from claims made against you by outside parties.

  • It would not be unusual to have claims brought by regulatory agencies, such as the U.S. Department of Health and Human Services in the case of an alleged HIPAA violation involving a breach of patient records. Cybersecurity coverage for regulatory fines and penalties may allow for payment of fines on your behalf.
  • If your practice accepts credit card payments and is not PCI-compliant (adhering to the Payment Card Industry Data Security Standard), you could be subject to fines from the credit card companies. Policies with payment card industry coverage may provide payment for those fines.
  • Some patients may bring claims against you for violating applicable privacy laws. The data security and privacy section of your cybersecurity policy may help in providing a defense and make payment to these claimants, if necessary. Employees of your practice could file such claims if their information was compromised.
  • If you maintain a website or social media platforms, you might have a claim brought against you in the event someone believes your site or media content is defamatory or reveals private information about them. The cyber-media section of a cybersecurity policy may also provide coverage in this case.

Healthcare data breaches in 2019 nearly tripled over 2018 when 15 million patient records were affected, according to Fierce Healthcare. With healthcare data breaches on the rise, cyber liability insurance can help you recover faster in terms of financial coverage and remediation. In 2020, healthcare data breaches remain the costliest of any industry sector to resolve, averaging $175 per record. Healthcare data breaches also take longer than other industry segments to detect and contain at 329 days, according to the Ponemon Institute. Depending on the size and scope, fines and damages for a HIPAA violation related to a breach of unencrypted personal health data can run into the millions of dollars.

Ask your agent or underwriter for more details about what’s included in your policy and whether it meets your needs. If you have cyber insurance, check your liability limits to determine if you need to increase your coverage.

To learn how to comply with HIPAA rules in the event of a breach, how to thwart ransomware attacks and prevent spear phishing, and more, download the free guide Cybersecurity and Data Breaches.

The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.