Is Cyber Insurance a Good or Bad Investment?

November 24, 2013

Recent reports of cyber attacks involving patients' medical records have physicians wondering whether cyber insurance is a smart idea to protect their practices.

As physicians adapt to new provisions of the Accountable Care Act, many believe they finally have a moment to stop, take a breath, and look at some issues they've put on the back burner for a few months - like insurance and risk management.

One issue of growing concern to physicians is cyber risk. For many, this vague and shadowy area covers everything from a security breach due to a hacker to an employee leaving a workplace laptop at a local restaurant.

21 million Americans had medical records lost or stolen

Cyber risk is not just an emerging risk - it's a "clear and present" danger to most businesses, including medical practices. According to HIPAA, nearly 21 million Americans have had their medical records lost or stolen since 2009. Still, some physicians who are extremely conscientious and cautious about other areas of their practice haven't let their risk management programs catch up with the myriad ways that patient data can be breached. Many physicians use smartphones but may not have sophisticated security features to protect the files, messages, or other data sent to them. If such a device is lost or stolen, or even if an unauthorized person accesses it, private patient data may be breached.

Despite such real risks, some in the medical consulting community say that cyber insurance, while a good strategy, can be skipped if the practice is looking to save money - that the superior approach is to simply manage risk better. I could not agree more that the first and most important line of defense is to manage one's own risk and to take every possible precaution. But I disagree with some industry consultants today who dismiss the insurance options. Cyber insurance is an important and affordable tool for physicians interested in defending themselves against the risk of data breaches. Please know I am president of a company that doesn't yet sell cyber insurance. I really "have no horse" in this race.

The case for cyber insurance

While medical practices must take responsibility for risk management, any good business owner will have the right insurance coverage in place. However, cyber insurance is a good example of an insurance product providing more than just payment if a claim occurs. Yes, cyber insurance policies come with various limits of liability and deductible options. But the real value of cyber insurance is the packaged breach-response services. These policies enable a policyholder to quickly and efficiently respond to a data breach.

Think of it like this. If you are a small- to mid-sized medical practice, do you have staff who can drop everything else they are doing, immediately reach out to all patients, inform them of the data breach, answer questions, vet and arrange for a company to monitor patients' credit profiles for a year or more, and coordinate with attorneys? There are also additional measures that must be taken to comply with state and federal regulations. Most of us aren't in a position to take on all of this.

Breach coaches and credit monitoring

Practices can and should invest in data breach plans that protect their own valuable data and also the protected health information (PHI) that patients entrust to them. A good cyber insurance policy can be the breach-response plan foundation, as it will include essential elements, such as:

• Breach coach. To provide a single point of contact for the policyholder.

• Notification services. To quickly notify clients and satisfy regulatory requirements.

• Credit monitoring. To reassure clients and provide a third party to answer their questions.

• Forensic services. To find the hole - the source of the breach - plug it quickly, and prevent future breaches.

A good cyber liability policy will also offer the policyholder the following advantages:

• Coverage for third-party liability. To indemnify third parties who have been damaged.

• Regulatory coverage. For fines and penalties from state or federal regulators.

• Business-interruption coverage. This could be critical; just think of what it would cost your practice to have its network down.

• Risk-management tools such as webinars or educational programs for staff.

Surviving and not surviving

For many businesses, responding effectively to a data breach can mean the difference between surviving or not. One can argue that responding well to a data breach can actually help a business: customers will trust a business that can demonstrate a rapid and transparent response. Offering credit monitoring and other measures to reassure clients will also benefit a medical practice and its patients.

I'm sure the debate over the need for cyber insurance will continue. I'm equally sure that the "bad guys" will continue to find new ways to access confidential data. Human error and rogue employees - leading causes of data breaches - will also never completely go away. But to fully protect the practice and cover all possible areas that could be affected by a cyber breach, e.g., financial, regulatory, reputational, and legal, I do strongly recommend that physicians speak with a trusted insurance adviser who understands medical practice issues and cyber insurance options. This way, physicians will understand what is best for their practices.