Cybersecurity Insurance Basics for Healthcare Organizations
Violations of even the most fundamental rules can leave hospitals and health systems open to criminal risk, HIPAA-related risk, and civil suit risk. Insurance can help, but to what degree depends on many variables.
"Why are you doing this? We're a hospital. No one will want our data," was a comment Holly Meyers, RN, FACHE, then the senior vice president of quality, risk management, and insurance at Sylvania Franciscan Health, frequently heard when she decided in late 2007 that carrying insurance to protect the seven-hospital system in the event of a cyberattack or a data breach was a responsible choice.
"At the time, no one had really heard of any hospitals having security breaches, but we felt things had changed, or were about to," says Meyers, who left Sylvania Franciscan Health recently. "We were looking at what we had, at all the personally identifiable patient and employee information. We knew that if there was ever a cyberattack, we couldn't handle it all by ourselves."
But it wasn't an easy or intuitive task. "Back then, no one knew what 'adequate coverage' meant" for cybersecurity insurance, she says. She and her team ended up deciding on an $8 to $10 million policy which included access to a team of specialists in law, public relations, cybersecurity, and computer forensics. The policy cost around $100,000, Meyers says.
Meyers had purchasing discretion, but her team met with an internal quality and risk management panel yearly to discuss their activities, current policies, and products they purchased. "Our system CEO sat in on the meetings, too," she says. "It wasn't about getting permission, just explaining what our [security and insurance] portfolio looked like."
"The risks here are massive," says Ross Koppel, PhD, FACMI, adjunct professor of Sociology at the University of Pennsylvania and affiliate professor of medicine who specializes in research on how health information technology influences society.
"There's the criminal risk. The HIPAA-related risk. There is civil suit risk as patients have data exposed." Even in highly secure situations, such as in military intelligence, Koppel has seen professionals compromise security by violating the most fundamental rules, such as writing passwords on sticky notes and keeping them near the computer.
Health records, which contain Social Security numbers, dates of birth, and insurance information, are a prime target for data thieves. The stereotypical data breach is caused by a hacker lurking on the Dark Web, but often the threat is much closer to home.
"There's the nasty hospital employee looking for their neighbors' chart, or that of a celebrity who came to the hospital for treatment,"