HIT Think

How cyber insurance can better protect providers from hacking costs

Cybersecurity threats pose enormous risks for healthcare providers, including significant liability, operational disruptions, reputational damage, regulatory scrutiny, shareholder lawsuits, patient dissatisfaction and significant cleanup costs.

However, many organizations are not fully prepared for current or future threats. A 2017 study by KLAS Research and the College of Healthcare Information Management Executives (CHIME), found that only 16 percent of the providers surveyed reported that their cybersecurity program was “fully functional.” Another 41 percent reported that their security program was developed or starting to function, and 43 percent reported that their cybersecurity program was developing or not developed.

Clearly, a fully functional security program is critical to managing cybersecurity risk, yet even sophisticated cybersecurity programs are not an absolute guarantee against losses. Insuring against loss is prudent, with per capita cost of data breaches in the global healthcare industry averaging $408, and data breach costs for all industries averaging almost $8 million, according to a 2018 study by Ponemon Institute.

HDM-092618-Security-breach.png

To protect against losses, providers need a dedicated cyber insurance policy that covers a full gamut of exposures, and provides direct loss and liability protection for risks created by the use of technology and data in a healthcare organization’s day-to-day operations.

General liability policies often exclude many exposures, including recording and distribution of material information in violation of law, access or disclosure of confidential or personal information, electronic data restoration, data extortion payment (ransomware), regulatory fines and penalties, and all the first-party costs an organization may incur, such as notification, remediation services, business income loss and forensics.

Most providers will want to consider purchasing a policy that covers the following exposures.

  • Breach costs, including notification costs, computer forensic costs, crisis management and public relations, and credit monitoring costs incurred in response to a breach.
  • Hacker damage, including costs to replace or repair websites, network, computer systems, programs or data resulting from a hacker damaging, destroying, altering, corrupting or misusing such systems or data. Hacker damage may also include replacement of hardware not physically damaged but made unusable because of malware.
  • Cyber business interruption loss, including consulting costs for public relations and forensics and extra expenses incurred to mitigate a business interruption event caused by an interruption to a website, intranet, network, computer systems, programs or data that is a direct result of a third party or hacker that maliciously blocks electronic access to such systems.
  • Dependent business interruption loss, including consulting costs for public relations and forensics; extra expenses incurred to mitigate a business interruption event caused by a security event; or costs associated with a system failure at your third-party provider that is a direct result of another party or hacker maliciously blocking electronic access to such systems. Increased use of offsite resources and outsourced cloud computing opens an organization to potential breaches and regulatory compliance failures of that third-party provider.
  • Cyber extortion costs, including ransomware paid resulting from an illegal threat from a third party to damage, destroy or corrupt a website, intranet, network, computer system and any programs or data, including introducing a computer virus; or a threat to disseminate or divulge any confidential information or personally identifiable information for which an organization is legally responsible. The right insurance policy can help mitigate the effects of a ransomware incident by providing forensics, legal assistance and data recovery services to determine what really happened and to verify the perpetrator is no longer in your system.
  • Dependent business protections, including damages and claim expenses for any actual or alleged legal violation of any consumer data protection law; negligent breach of common law duty; or unintentional breach of contract or public facing privacy policy (with regard to personally identifiable Information of confidential corporate information), including unintentional breach of contract with a merchant bank or payment processor to comply with a PCI standard. Also damages and claim expenses for regulatory actions, and negligent network security in securing computer systems that result in transmission of malicious software, virus or denial of service.
  • Additional protections, including damages and claim expenses resulting from a claim for actual or alleged intellectual property infringement; emotional distress; breach of license for use of a party’s trademark or copyrighted material; invasion of privacy; defamation (libel, slander and the like), unfair practices; or negligence in advertising or business activities.
  • Reputational harm, including efforts to help plan and execute a public relations response to an attack that seeks to mitigate long-term reputation damage.

In today’s world, especially in the healthcare space, cyber events are almost inevitable. A dedicated cyber insurance policy should be written specific to each organization to provide pre-event protections, and appropriate coverages to mitigate the financial and reputational loss these events often cause. A strong cybersecurity program includes education and training, a well thought out disaster recovery plan, appropriate cyber defense, and a carefully written insurance policy backed by a financially strong insurer with a good reputation for paying claims.

This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisors.

For reprint and licensing requests for this article, click here.