The threat of data breaches and cyber threats is not news to any of us. However, Anthem’s recent 80 million-record data breach was an attention-getter — or it should have been for all of us in the healthcare industry.
But it all became very personal for me the morning after the Anthem news when I opened my local newspaper to a Page 2 story with the headline, “Is your doctor’s office the most dangerous place for your data?” This AP story outlined what all of us should be concerned about. That is, a healthcare practice will face a PR nightmare if a data breach occurs involving patient records.
It is no coincidence that healthcare leads all other industries in the number of data breaches, the total amount of compromised records, and the costs associated with such breaches. Healthcare databases are the pot of gold at the end of the rainbow for cyber criminals. There are three categories of protected health information (PHI) that cyber criminals target: personally identifiable information (PII), such as name, birthdate, and social security number; personal credit information (PCI), including credit card numbers; and PHI, including medical records. Healthcare providers and insurers collect all three types of information and store it electronically.
Data breach statistics and costs related to the healthcare industry are eye-opening. Crittenden Research suggests that annual number of healthcare breaches increased from 160 to 333 between 2010 and 2014. The number of records exposed increased from 1,874,360 to 8,277,991 in the same timeframe. The Ponemon Institute reports that the per-record data breach cost is now $201 averaged across all industries. But the eye-popping number for healthcare is $359! These costs include notification, credit-monitoring, forensic accounting, public relations, legal, and losses related to customer/patient loss and re-acquisition.
So, what is a healthcare practice supposed to do? I have two suggestions.
1. Have a cyber-risk review done of your practice and implement the recommendations. Many of the common threats are easily addressed.
2. Purchase cyber-liability insurance. Please know this is objective advice. I do not sell cyber-liability insurance. But I certainly buy it!
Our healthcare clients routinely ask us about cyber liability insurance, even though we don’t offer this coverage on a standalone basis. Here are our responses to a few of the more common questions:
How does cyber-liability insurance work?
The real value of cyber liability insurance is the bundling of breach response services. When a data breach occurs, the policyholder works with a data-breach coach who coordinates a rapid response. Forensic accounting, public relations, client notifications, credit monitoring, and legal advice are all included. Some policies also cover fines and penalties and protection from third-party lawsuits. But these are rare if a rapid response is well coordinated. The policyholder can purchase varying coverage limits.
Doesn’t my medical-malpractice coverage already cover this?
Most medical-malpractice policies include modest levels of cyber liability coverage. My concern is that the coverage limit is typically in the $50,000 to $100,000 range. This is much too low. Do your own math. How many records does your practice store? Multiply this by the $359 per-record data breach cost figure. Yep, not enough coverage there. Standalone policies with sufficient limits are plentiful and relatively affordable.
Is cyber insurance worth the cost?
I mentioned above I purchase this for our business. We invest heavily in our data security. I’ve never been one to try to beat the odds. The same Ponemon study cited earlier estimates that the probability of a healthcare entity experiencing a breach involving 10,000 or fewer records is 19.2 percent. That’s a one-in-five chance you will be a victim. I don’t know about you, but I don’t like those odds without plenty of protection.
If our business experiences a data breach, I want a rapid response with proper client notification, credit monitoring, and whatever protection our clients need. Our clients’ trust and confidence in us is our biggest asset.
For a physician, the patient-doctor trust relationship is paramount — not something to chance damaging through the malicious actions of an anonymous cyber thief.
So, yes, I think it’s an obvious choice financially. You need to evaluate your own needs regarding your business.
Cyber liability is a growing threat to all of us involved with the healthcare industry. But proper risk management and insurance protection are solid steps any of us can take to fight back.