Can Healthcare Providers Afford Not to Have Cyber-insurance in 2018?
Cyber-attacks targeted hospitals and health systems at an alarming pace in 2017—nearly exceeding one breach per day. These attacks are more than an operational inconvenience; the legal services, public relations expenses and regulatory fines that it takes to recover from data breaches and cyber-extortion are extremely costly, especially for small and mid-sized provider groups. As cybercriminals and disgruntled employees attack healthcare organizations at increasing rates, many providers are purchasing cyber-insurance policies to ensure they are prepared with the appropriate financial protections and expertise to weather these incidents and preserve their reputation.
A Growing and Expensive Problem
Healthcare organizations must weigh their preparedness for cyber-attacks against the cost of cyberliability insurance and the potential costs of a breach. As cybercrime soars, these costs are becoming increasingly apparent.
Direct costs required to deal with breaches include attorney fees, data forensics services to investigate the incident, remove malware and restore systems, and material and labor expenses for patient notification and credit monitoring services. These costs are in addition to regulatory fines when patient data is compromised, which can reach $1.5 million per violation per year.
Indirect economic losses from a cyber-attack, although more difficult to quantify, can be just as costly. Post-attack disruption to business and clinical services, lost productivity and damage to a company’s reputation may cause long-felt harm to an organization’s financial performance.
Reputation and patient trust hold utmost weight in healthcare, suggesting data breaches can directly affect patient volumes. Some surveys show up to 70 percent of consumers affected by a data breach will not return to a practice.
Despite providers’ best efforts to protect themselves, the high likelihood of experiencing a breach is particularly troubling. Businesses face a 25 percent likelihood of experiencing a material breach involving at least 10,000 lost or stolen records, Ponemon found.
Not all breaches are limited to data exposure. Monetizing cyber-attacks through ransomware has become a leading example of new and evolving digital risk since 2016.
Ransomware is malicious, self-propagating software that infects computers and restricts users’ access to critical systems until a ransom is paid, typically in the cryptocurrency bitcoin. These types of malware are particularly difficult to eradicate and are increasingly the attackers’ tool of choice; ransomware sales on the dark web grew more than 2,500 percent year-over-year.
Unlike data breaches, ransomware threatens an organization’s ability to function normally or perform critical services. How will physicians and care teams continue to care for patients if a virus takes an enterprise’s computer systems offline? This is a question every health system and hospital leader must consider today. Patient injury or death arising from cyber-attacks is becoming a realistic risk, as medical devices are increasingly connected to and dependent on the internet.
Despite the increased frequency of cyber-attacks, many healthcare organizations lack the money, resources and expertise to manage data breaches caused by evolving cyberthreats, preventable IT or employee mistakes, and other dangers. Although organizations increased investments in cybersecurity technology and expertise in the last year, the majority of healthcare providers reported little to no confidence in curtailing or minimizing data breach incidents in 2016, according to Ponemon. Recognizing this challenge, many health systems are purchasing cyberliability policies to help them weather the economic fallout from a cyber-attack.
Evolution of Cyberliability Insurance
Cyberliability insurance helps healthcare organizations cover the costs of a data security breach, such as identity protection services, public relations, legal fees and liability arising from the loss, theft or unauthorized disclosure of data.
Deciding the type of cyber-insurance to buy is no trivial matter; there is a true need for thoughtful discussion when it comes to purchasing coverage. This responsibility rests primarily with the board of directors and CFO. Directors and executives have the highest-level view of cyber-risk across the organization and are best positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure and other external factors.
Although coverage has been available for over 20 years, cyberliability insurance has grown significantly in recent years, and various types of policies are now available to organizations concerned with privacy breaches, data loss and ransom scenarios. A broker can be particularly valuable in helping leaders assess their organizations’ risk and find bundled or standalone policies written to match their unique needs.
Healthcare organizations assessing their cybervulnerabilities may consider three key domains of coverage:
Immediately following an attack or breach, cyberforensics investigators begin analyzing system information to understand the scope of damage. Most cyber-insurance policies give healthcare organizations access to teams of computer forensic experts that help providers fulfill regulatory reporting requirements as well as understand what happened and whom to notify.
Data breach notification and credit monitoring services
One cornerstone of a robust cyber-insurance policy is the notification and action strategy by which providers respond appropriately and quickly to security breaches. Health systems must satisfy important legal requirements when data is compromised, including patient notification. Currently, 47 of 50 states maintain data breach notification requirements. Each law demands that the organization in question notify affected individuals when a breach occurs; the finer details regarding wording and timing vary by state.
Cyber-insurance policies typically include legal services to support data breach notification processes, which can help healthcare organizations get the right information to the right people at the right time. Breach notification specialists help hospitals write appropriate notification letters, establish call centers and respond to patient inquiries, alleviating organizations of substantial stress and financial burden.
Business interruption and crisis management
A business interruption policy offers financial protection if an organization’s IT system is inoperable for a prolonged period of time following a breach.
Closely related to financial losses from a business interruption is a loss of goodwill or standing in the community. Brand awareness and reputation are increasingly valuable to provider organizations amid growing healthcare consumerism and competition. This makes minimizing negative press all the more critical following a data breach.
Other Considerations for Healthcare Organizations
Two factors drive CFOs and healthcare leaders to see value in cybercoverage investments:
Some healthcare leaders may be tempted to spend money fortifying cyberdefenses rather than paying cyber-insurance premiums. However, the reality is no IT system is infallible. Providers can boast highly sophisticated cyberdefenses and still risk exposure to low-tech threats, such as a disgruntled employee taking a laptop containing sensitive health data when he or she leaves the company. In fact, more than half of data breaches are attributed to mistakes, misuse or malicious acts by employees. As healthcare leaders grapple with the unpredictable nature of evolving cyberthreats, providers see financial and strategic value in purchasing liability coverage.
Future merger, acquisition and affiliation plans
Value-based payment reform, in part, is driving consolidation as healthcare organizations aim to strengthen their foothold in the market and prepare to manage care across the continuum. Because the success of many of these partnerships depends on exchanging and using patient data, providers are challenged to connect multiple disparate legacy systems during mergers and acquisitions.
Purchasing cyberliability coverage prior to a merger or acquisition ensures both organizations are financially protected should a breach or accidental exposure occur.
Let Our Remedy for Cyber-attacks Help You
Healthcare organizations of all sizes are experiencing cyber-attacks at increasing rates and realizing the significant financial costs associated with recovery. Purchasing cyber-insurance is an important step in ensuring an organization is prepared for a cyber-related event. As the cyber-insurance industry matures, policies will become more standardized. For now, this type of coverage is an evolving product in a dynamic market—something healthcare executives and hospital boards should closely monitor. As such, organizations should partner with the right broker to understand precisely what each policy covers in different incidents.
Visit key.com/healthcare for more information.