Throughout the healthcare market, sensitive data stored electronically is under attack from hackers and malware. Katherine Keefe of Beazley, a national insurer and risk management organization, explains that breaches are most commonly accidental, the result of hacking, or the product of "insider" actions. In 2017, Beazley responded to more than 2,600 breaches; such breaches often lead to large fines and legal costs, and many healthcare providers have begun purchasing cyber-liability insurance coverage as a result.
Over the last three years, medical organizations have paid over $20 million in fines for violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The insurer Anthem paid approximately $16 million to settle a highly publicized breach. The U.S. Department of Health and Human Services reports that fines range from as little as $100 to $50,000 per violation. Companies that suffer a breach also commonly experience significant losses in revenue.
HIPAA now imposes a host of security requirements on medical practices. Compliance begins with a risk assessment that identifies the organization's potential vulnerabilities; many of the practices that suffer a breach are later found to have never completed a proper risk assessment.
Michael Yamamoto, head of information security at Beth Israel Deaconess Medical Center in Boston, considers the simple use of strong passwords one critical aspect of network security. He emphasizes the importance of creating passwords that are 12 characters long and of using a password manager, a software application designed exclusively for managing all of a user's account passwords.
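As an added illustration of the password advice above (example code written for this page, not code from Beth Israel Deaconess or from the article), the following Python applies a 12-character minimum, rejects passwords from a small deny-list, estimates entropy, and generates a random password the way a password manager would. The deny-list, the 60-bit entropy threshold, and all function names are this example's own assumptions.

```python
"""Added example: a minimal password policy check and a CSPRNG-based
generator, matching the 12-character advice above.  Names, thresholds
and the deny-list are assumptions made for this example."""
import math
import secrets
import string
from typing import List

MIN_LENGTH = 12  # the 12-character floor recommended above

# Constructed sample deny-list of common/breached passwords.  A real
# deployment would query a large breach corpus instead of this tiny set.
COMMON_PASSWORDS = {"password", "password123", "welcome1", "letmein", "qwerty123456"}


def estimate_entropy_bits(password: str) -> float:
    """Rough upper bound on strength: log2(alphabet size) per character,
    assuming each character was chosen uniformly at random."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def check_password(password: str) -> List[str]:
    """Return the list of policy failures; an empty list means acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common-password deny-list")
    if len(set(password)) < 4:
        failures.append("too few distinct characters")
    if estimate_entropy_bits(password) < 60:  # assumed threshold
        failures.append("estimated entropy below 60 bits")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password from the OS CSPRNG, as a password
    manager does, so the user never has to invent one by hand."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("password123", "Correct-Horse-Battery-9", generate_password()):
        print(repr(candidate), check_password(candidate) or "OK")
```

The entropy figure is only an upper bound: it assumes random selection, so a human-chosen passphrase scores higher than it deserves, which is why the deny-list check and the manager-generated password matter more than the number alone.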
Medical Practice Cyber-Liability Insurance
Many cybersecurity insurance policies were originally introduced as add-ons to existing medical malpractice policies. In recent years, standalone policies have become more common, and coverage is typically either first-party or third-party. The policies are designed to pay the costs arising from a breach of data security or privacy. First-party coverage applies when someone within the insured organization determines that its systems have been breached; the in-house IT staff or contracted provider is then promptly brought in to investigate.
Third-party coverage applies when claims are made by external parties. These may include a regulator such as the U.S. Department of Health and Human Services. Credit card companies may bring a claim if an organization that accepts cards fails to comply with the Payment Card Industry Data Security Standard (PCI DSS). A patient who determines that they were victimized because of a data breach at their medical provider may also pursue a claim.
Following a Breach
- The first step is determining how the breach occurred and what data may have been compromised
- In addition to patient data, a breach commonly exposes sensitive information about employees, which can lead to further claims
- A breach is often triggered by an employee clicking on a link that is part of a "phishing" scheme
- States have varying requirements for notifying patients when their personal information may have been exposed
- Confusion often arises when the company is based in one state but the breach involves individuals who reside in other states with differing laws