Cyber insurance might not be the top priority when you’re busy starting a group practice or running a healthcare business. But once a cyber breach, or worse, a ransomware attack, has occurred, it is too late to consider preventative measures and cyber insurance.
The U.S. healthcare sector suffered nearly 300 breaches at companies of all sizes in the first half of 2023 alone, according to the HHS Office for Civil Rights (OCR) data breach portal. Consider some of the most significant breaches of 2023:
- Malicious code on Managed Care of North America’s (MCNA) system meant an unauthorized party accessed specific systems and removed copies of personal information.
- PharMerica discovered suspicious activity within its network when an unknown party accessed its computer systems and potentially obtained personal information. The long-term care pharmacy breach impacted more than 5.8 million people.
- Online mental healthcare platform Cerebral used tracking pixels on its website that are no longer permissible under HIPAA’s health data privacy practices. They notified over 3.1 million users of the data breach.
On a smaller level, simply uploading the wrong patient’s information in your patient portal is considered a data breach.
October, cyber security month, is an important reminder to review your cyber security protocols and ensure your practice is prepared for a possible data breach or cyber attack. HUB International’s Nathan Hansen, senior vice president, technology & cyber leader, offers advice for healthcare practice owners.
Common cyber security claims in healthcare
According to Hansen, two types of claims are the most common, especially in private practices and healthcare businesses.
- Ransomware attacks: This happens when malware gets added to your system, denying users access to files. It most commonly occurs when someone mistakenly clicks on a malicious file, giving the bad actor access to the system.
- Cybercrime social engineering: This occurs when bad actors gain the trust of their targets, causing an employee to lower their guard and provide sensitive information.
For example, consider the following two common scenarios.
Two people with similar names are patients of your med spa. A nurse sends a confidential message through your patient portal to the wrong patient. That breach of PHI means you need to notify the patients. Your cyber insurance carrier should support you in that process and cover any costs incurred from the breach.
A third-party marketing firm manages your website. They’re not HIPAA certified and didn’t realize the website cookies they set up years ago on the site are no longer permissible. That data is your responsibility as the healthcare provider, even though the third-party vendor is at fault. Your cyber insurance carrier will help you with the process of notifying every patient whose PHI was involved in the breach. They’ll also cover any costs incurred.
“You may not always be able to prevent a cyber attack, but you can have things in place to help you recover with less impact to business,” says Hansen.
Frequently asked questions about cyber insurance for healthcare
Cyber insurance covers your practice or healthcare business from a data breach of protected health information (PHI), a ransomware attack or an inadvertent disclosure of confidential information.
What does cyber security insurance cover?
Cyber security insurance ensures that a cyber breach does not mean the end of your business. A good carrier will also give you access to experienced vendors to support you throughout the notification and recovery process. These include legal counsel, forensics experts and even negotiators in the case of a significant ransomware attack.
What are the best ways to prevent a cyber attack?
Preventing ransomware attacks and cyber crimes requires employee education and a secure system. Hansen recommends the following three tips:
- Set up multi-factor authentication for remote access to your network, even just to access emails. This is especially true for your patient portal.
- Back up your network offline. If your network is ever breached, you’ll still have access to important files.
- Practice potential cybercrime scenarios, such as malware emails and protocols after a data breach.
Does cyber security insurance help prevent an attack?
Your cyber insurance carrier should also support you in preventing an attack from occurring in the first place. “The carriers don’t want a claim just as much as the client doesn’t want a claim, so they look to help where they can,” says Hansen.
Hansen recommends choosing a carrier who will review your incident response plan and offer vulnerability scanning. Some will even offer simulated exercises to practice a cyber breach scenario.
Does my general liability plan cover a cyber attack?
Some general liability insurance policies may include cyber insurance, but that coverage is typically minimal.
What costs does cyber insurance cover?
Cyber insurance covers:
- A claim or class action suit for failing to protect PHI adequately
- Coverage for expenses caused by a breach, such as ransom fees, legal fees and forensics
What should I do if I suspect a data breach or cyber attack?
In the event of a data breach, it’s best to report the incident to your insurance company immediately.
This applies to anything from a small incident, such as exposing the wrong patient’s information in a patient portal, to a more significant attack like ransomware.
Today, when so much of practice operations occur online, cyber security insurance for your healthcare practice is necessary.
“Even the most well-protected, buttoned-up organizations can have a cyber breach,” says Hansen. “If you’re serious about cyber security, you should put controls in place to protect yourself and find coverage at a reasonable rate.”
Learn more about CM&F Group’s cyber security insurance for healthcare. CM&F Group offers professional liability insurance to over 150 types of healthcare professionals. All our coverage options are available online, allowing our clients to obtain liability insurance coverage within minutes.