Healthcare Cyber Insurance is pretty much mandatory. The volume of medical information created, maintained and transmitted by and between healthcare providers and organizations of all types keeps growing.
Healthcare Cyber Insurance costs are well worth it compared to the penalties, which can be substantial. Penalties assessed by the government and damages won by patients tend to be very substantial and expensive! The HIPAA Privacy and Security Rules require covered entities and business associates to protect the privacy and security of protected health information (PHI). Reports in 2015 put the average cost of a breach of a healthcare organization’s data at as much as $363 per record. Hence the “mandatory” nature of healthcare cyber insurance to defray the costs of dealing with data breaches.
But like any insurance policy, you, the insured, must keep up your end!
Healthcare Cyber Insurance should address specific risks
A reasonably comprehensive healthcare cyber insurance policy should address several common risks:
- Costs associated with notifying affected individuals and responding to government regulators,
- Crisis Management and Public relations costs,
- Legal fees for litigation by affected individuals,
- Costs of dealing with cyber attacks such as viruses, denial of service attacks, and copyright or trademark infringement.
As recently as a few years ago, premiums for this coverage may have seemed quite high, but the market has begun to mature, and policy holders are finding premiums are stabilizing. So what are the pitfalls of purchasing healthcare cyber insurance?
Healthcare Cyber Insurance purchasing pitfalls to avoid
When purchasing healthcare cyber insurance, the first major pitfall to avoid is low limits on coverage. The healthcare cyber insurance limits to purchase depend on the exposure of the organization. Even a small healthcare organization could face significant costs for a breach or unauthorized disclosure of PHI. Larger organizations should be thinking about coverage in the millions of dollars. Coverage limits of not less than $1m per claim and $3m aggregate are probably fine for most small entities. Talk to your insurance broker about adequate limits for your organization.
The second pitfall to avoid when purchasing healthcare cyber insurance is failing to fill out the application and answer its questions correctly and honestly. Insurance underwriters assess a potential insured’s risk based on the representations made in the insurance application. If the information provided is ultimately determined to be false, the carrier can limit the coverage when a claim is submitted, or even rescind the coverage entirely if it can prove that there was a willful attempt to conceal the insured’s real situation.
Most people understand they have to tell their auto insurance company the correct make, model and year of their vehicle if they want coverage when they have a claim. Companies providing healthcare cyber insurance also want accurate information about the risks their prospective insureds face, and how those risks are being managed.
A recent court case shows how this can have real world consequences.
Healthcare Cyber Insurance application misrepresentation
Cottage Health System in Santa Barbara made a claim to its healthcare cyber insurance carrier, Columbia Casualty, after the health system suffered a breach of 32,500 medical records in late 2013. The insurer paid $4.1 million, but then sued for a return of the payment, plus its costs and attorney’s fees, because Cottage supposedly did not “follow minimum required practices” (Columbia Casualty Co. v. Cottage Health System). The actual breach was due to inaccurate settings Cottage used on its File Transfer Protocol (FTP) server, which allowed ePHI on the server to be found by Google searches.
The questions Cottage Health System was required to answer included things like:
- Do you replace factory default settings to ensure your information security systems are securely configured?
- Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?
A court decided in favor of Columbia Casualty, although the case has been referred for arbitration based on language in the insurance contract.
Healthcare Cyber Insurance and HIPAA Risk Assessment
Well, a HIPAA Risk Assessment sure couldn’t hurt! Covered entities are required to update their risk assessments annually for changes in software and hardware that may affect their ability to protect the privacy and security of the PHI they create, maintain and store. It turns out it may also protect you from losing your healthcare cyber insurance coverage just when you need it most!