Violations of even the most fundamental rules can leave hospitals and health systems open to criminal risk, HIPAA-related risk, and civil suit risk. Insurance can help, but to what degree depends on many variables.
"Why are you doing this? We're a hospital. No one will want our data," was a comment Holly Meyers, RN, FACHE, then the senior vice president of quality, risk management, and insurance at Sylvania Franciscan Health, frequently heard when she decided in late 2007 that carrying insurance to protect the seven-hospital system in the event of a cyberattack or a data breach was a responsible choice.
"At the time, no one had really heard of any hospitals having security breaches, but we felt things had changed, or were about to," says Meyers, who left Sylvania Franciscan Health recently. "We were looking at what we had, at all the personally identifiable patient and employee information. We knew that if there was ever a cyberattack, we couldn't handle it all by ourselves."
But it wasn't an easy or intuitive task. "Back then, no one knew what 'adequate coverage' meant" for cybersecurity insurance, she says. She and her team ended up deciding on an $8 million to $10 million policy that included access to a team of specialists in law, public relations, cybersecurity, and computer forensics. The policy cost around $100,000, Meyers says.
Meyers had purchasing discretion, but her team met with an internal quality and risk management panel yearly to discuss their activities, current policies, and products they purchased. "Our system CEO sat in on the meetings, too," she says. "It wasn't about getting permission, just explaining what our [security and insurance] portfolio looked like."
"The risks here are massive," says Ross Koppel, PhD, FACMI, adjunct professor of sociology at the University of Pennsylvania and affiliate professor of medicine, who specializes in research on how health information technology influences society.
"There's the criminal risk. The HIPAA-related risk. There is civil suit risk as patients have data exposed." Even in highly secure settings, such as military intelligence, he has seen professionals compromise security by violating the most fundamental rules, such as writing passwords on sticky notes and keeping them next to the computer.
Health records, which contain social security numbers, dates of birth, and insurance information, are a prime target for data thieves. The stereotypical data breach is caused by a hacker lurking on the Dark Web, but often, the threat is much closer to home.
"There's the nasty hospital employee looking for their neighbors' chart, or that of a celebrity who came to the hospital for treatment,"
For Sylvania Franciscan Health, the decision to buy cybersecurity insurance turned out to be a good one. While the policy went unused for almost eight years, the hospital experienced a breach in December 2013. Meyers describes the incident as "a brute-force attack of foreign origin." She and her team never knew for sure whether any data was stolen, but they were required to notify those affected. Approximately 405,000 patient and employee records were affected.
The insurance Meyers and her team had purchased covered most costs above the retention associated with the hack, including notification costs, public relations costs, and ongoing identity protection for patients and employees who may have had their information stolen.
"I feel like my organization and I received exactly what we paid for…. And you can't always say that about the things you buy," Meyers says.
Cybersecurity Insurance Basics
"When it comes to security breaches, no one is bulletproof," says Austin Morris, Jr., president of Morris Risk Management, a Philadelphia-based risk management consultancy. He says any cybersecurity policy should have, at minimum:
This is the most basic part of the coverage. It protects the hospital against claims for damages due to loss, theft, or unauthorized disclosure of information.
The event causing the loss, theft, or disclosure of data doesn't have to be a malicious breach of patient data—any time private data (including employee information) leaves the hospital's care, custody, or control, the policy is triggered. "If you have any suspicion that data may be lost or taken, call the insurer, and they will start calling and pulling levers, bringing in specialists to clean this up," says Morris.
Regulatory fines and penalties coverage
This is another basic benefit. If a breach occurs, the hospital can expect regulatory fines under HIPAA, the HITECH Act, and state regulations. "Regulators are often trying to send a message," says Morris. "They've been toughening the penalties for violations recently, trying to make sure that hospitals, medical centers, and healthcare professionals are working toward better standards of security, better protocols, and better training."
While these fines might be designed to deter errors, they can also easily bankrupt a hospital.
Business interruption coverage
This would be invoked if the hospital were unable to conduct normal business due to damaged databases or loss of network use.
Other expenses for which hospitals typically consider insurance coverage include:
- Legal costs
- Costs related to a class action lawsuit
- Costs related to forensics and investigation
- PR costs
- System monitoring costs
- Credit monitoring
- Identity theft repair for victims of the breach
- Staffing budget for the hospital call center to handle increased inquiries in the aftermath of the breach
Coverage Benchmarks for Healthcare Organizations
- Annual revenue: $100 million; aggregate limit: $1 million to $4 million; retention: $25,000 to $100,000
- Annual revenue: $500 million to $600 million; aggregate limit: $5 million to $10 million
- Annual revenue: $1 billion
While most hospital operating expenses are structured and planned expenditures, cyberattacks are sudden events with unpredictable costs. Skimping on cybersecurity insurance is never a smart gamble, says Morris. "If [you are] willing to take that risk, with no loss control, you will possibly be putting [the] hospital out of business—unless you have deep pockets."
Most cyberinsurance carriers keep security vendors on call. A hospital attempting to recruit a team of specialists to respond to a breach would likely be challenged to secure the necessary resources. Morris says, "If something goes wrong and you have [a breach] without insurance, you will have to pay out of pocket. Do you have millions of dollars to pay for [cybersecurity] expenses?"
He also points out that any delay in notifying victims or rectifying the situation can cause harm to a hospital's reputation. "I would want to know I have professionals on call to help my team handle this within minutes of learning there was an event. Figuring out what I'm buying or waiting two weeks to figure it out is not optimal."
Ultimately, choices around cybersecurity insurance are a question of preparation and taking responsibility, says Morris. "You want people on call who can help you shut this down, and who will do the right thing for your employees and patients."
Lena J. Weiner is an associate editor at HealthLeaders Media.