Cyber insurance insufficient to cover all hack damages

Organizations don’t anticipate attacks, and reactive measures fall short, says Brian Finch.


Some type of cyber breach is nearly guaranteed to hit every health system in the country, and potential effects could include stolen patient data, disrupted operations, destruction of technology, stolen consumer information or exposure of corporate secrets, trade secrets and proprietary information.

That’s why healthcare providers need strong policies and procedures in place when attacks happen. Cyber insurance can help cushion the blow, but it’s not protection that can eliminate all the negative effects of a breach, said a lawyer who specializes in this area at last week’s HIMSS16 annual conference.

Cyber attacks are frequent because they are cheap. You can hire someone for $2 an hour to gain entry through a website, like a patient portal, said Brian Finch of Washington-based law firm Pillsbury Winthrop Shaw Pittman.

When working on solutions, providers and hospitals need to realize they will not stop all cyber-attacks, but should take precautions for when the attacks are successful.

Therefore, it is important to have executive accountability because cyber security affects patient privacy and shareholder value. “It is normal to write a representation of warranty on other IT companies,” he explained.

Many healthcare organizations are making significant investments in cyber security tools, but the work is handled piecemeal and reactively, after a breach occurs, Finch said. Instead, providers “need to look at this with a holistic perspective.”

The questions to ask when thinking about threat assessment are what it means for response time and what controls a health system has, he noted.

Cyber insurance is another way to respond to threats, but Finch said it is not the ultimate solution. “Everyone in this room who drives has auto insurance,” he said to attendees. “But you can’t drive around at night with no lights, no speed limit and weaving. You follow safe practices because you know it is your responsibility and want to protect yourself and don’t want your rates to go up.”

With cyber insurance most providers assume they are doing the right thing, but that is not how it works, Finch said. “They are there to reimburse you if you lose, and they may not always reimburse you,” he explained. “The market is fairly small. $4 billion to $5 billion in total cyber insurance available worldwide contrasted with $1 trillion in property insurance.”

“Think about that with $100 billion to $200 billion in annual losses in intellectual property alone on an annual basis due to cyber,” he added.
