Cyberliability insurance: Should you purchase a policy?

View on the News

Michael E. Nelson, MD, FCCP

Michael E. Nelson, MD, FCCP, comments: Being old enough to remember a paper chart and scheduling book, I can't help but marvel at the how the electronic health record (EHR) has fallen short of its expectations and added to the cost of medical care. Well, let's add cybersecurity insurance to the cost of doing business. While I love the ability to look at a chest x-ray or CT without a viewbox, I can't think of many other things that the EHR has done to make me a more efficient physician. It has, however, spawned many cottage industries that provide "must have" services with their attendant fees. The ever-increasing regulatory and administrative burdens and costs placed on physicians' practices is making it impossible for smaller practices to remain financially viable, leaving smaller communities without medical services. I don't think this was the intent when we decided to "modernize" medicine. It makes me want to go back to those Halcyon days of the paper chart - try phishing one of those, you hackers.


As hackers become more sophisticated, these cybercriminals are finding novel ways to access protected health data, leaving health care providers to pick up the costly pieces of their crimes.

In 2017, there were at least 477 publicly reported health data breaches in the United States, affecting some 5.6 million patients, up from 450 health care breaches in 2016, according to Protenus, a health care cybersecurity vendor that tracks data breaches reported to the U.S. Department of Health & Human Services.

Joshua R. Cohen, JD, chair for the New York City Bar Association Committee on Medical Malpractice

Joshua R. Cohen

When medical files are stolen, physicians are on the hook for more than just a possible ransom request; they also face thousands of dollars in potential fines, fees, and legal costs, said Joshua R. Cohen, JD, a medical malpractice defense attorney based in New York. To mitigate the consequences, cybersecurity experts say physicians should consider purchasing cyberliability insurance, a relatively new coverage policy that protects against data breaches and subsequent lawsuits.

“A breach is very expensive,” said Mr. Cohen, chair for the New York City Bar Association Committee on Medical Malpractice. “You have the fine to the Office for Civil Rights, which can be in the millions of dollars, and you’re going to have to ameliorate the breach, which can be hundreds of dollars per person, let alone deal with lawsuits from the patients.”

Cyberliability: What’s the risk?

Cyberliability refers to legal dangers arising from data breaches, privacy law violations, and ransomware/cyberextortion threats, as well as data loss and business interruption from computer system failures.

Of the 477 breaches in 2017 analyzed by Protenus, 37% were from hacking, 37% resulted from insider incidents, and 16% stemmed from data loss or theft. About 10% of cases resulted from unknown reasons, according to the report.

Data breaches caused by hackers and malware attacks are rising in the health care sector, said Katherine Keefe, global head of breach response services for Beazley, a national cyberliability insurer and risk management company. Beazley handled 2,615 data breaches in 2017, more than half of which were health care–related, Ms. Keefe said in an interview. The top three causes of health care breaches reported to Beazley in 2017 were accidental disclosure, hack or malware, and insider incidents, according to a recent report from that company

Katherine Keefe, global head of breach response services for Beazley Beazley

Katherine Keefe

Ms. Keefe noted that Beazley has seen a recent surge of phishing emails, electronic attempts to gain sensitive information for malicious reasons by disguising the sender as a trusted source. The emails often request that employees click on a link and change a password in an effort to steal data or gain access to medical records.

“We see an awful lot of that,” Ms. Keefe said. “There’s been a real surge in successful phishing emails and social engineering that enables criminals to identify medical practice leaders. It’s not hard to dress up an email to look like it’s coming from a specific individual. There are all kinds of increasingly sophisticated tactics to trick people into letting criminals into their systems or tricking people into forwarding money or valuable information.”

Hackers frequently use phishing emails to get employees to download a payload, the portion of malware that performs malicious actions, Mr. Cohen added. Once downloaded, payloads can do significant damage to a medical practice.

“Once you get hit with these payloads, not only can they start pulling information out of the computer system, they can also start doing things, such as turning on laptop cameras, reading emails, listening in on computer microphones,” he said. “All they need is one employee to click.”

Considering cybercoverage

To protect themselves from potential breach expenses, more medical practices are purchasing cyberliability insurance policies. A 2017 survey of 270 insurance brokers and 125 underwriters found that health care has more first-time buyers of stand-alone cyberliability insurance than does any other industry.

However, Mr. Cohen advises that practices should do their research before buying and be aware of the different types of policies, coverage limits, and insurance options.

“Be careful about what it covers,” he said. “Are they going to pay for all the amelioration for all the patients affected? Some policies will cover ‘repairing and disinfecting the system,’ but they will not likely cover all the [Office for Civil Rights] fines.”

The Doctors Company, a national medical liability insurer, provides $50,000 in cybersecurity coverage to all its insured physician members and the option to increase coverage by $1 million in additional protection, according to Crystal Brown, senior vice president of underwriting for the Doctors Company. The coverage protects against regulatory and liability claims arising from theft, loss, or accidental transmission of patient or financial information as well as the cost of data recovery. Another policy offered protects against claims arising from administrative actions pertaining to utilization, licensing, credentialing, and misconduct.

Crystal Brown, senior vice president of underwriting for the Doctors Company

Crystal Brown

“In health care, data breaches are not a matter of ‘if, but when’,” Ms. Brown said in an interview. “With the costs of breach response and potential HIPAA violations now reaching several hundred dollars per stolen medical record, we urge physicians to carefully evaluate their risks and make certain they are adequately protected.”

Meanwhile, national medical liability insurer ProAssurance offers health providers a basic cyberliability coverage endorsement in most states on its medical professional liability policy. The insurer also has a branded cyberprogram that allows clients to buy additional and broader coverage at a discounted premium.

“In today’s electronic environment, we are hearing about breaches occurring at both small and large health care practices,” said Melanie Tullos, vice president for ProAssurance. “Small physician practices are just as vulnerable, if not more so, to a cyberbreach and should take the necessary steps to protect patient data against an attack at all measures, including, but not limited to, purchasing cyberliability coverage.

The price of cyberliability insurance varies by risk and other factors, Ms. Tullos said. Generally, the cost of a $1 million cyberliability policy for a single physician practice is less than $1,000, whereas a group of 10 physicians can pay up to $8,000-$9,000, she said in an interview.

Beazley offers policies that cover the expenses and services associated with investigating whether a data breach has occurred, responding to breaches, and liability that may arise from the breach, said Ms. Keefe, of Beazley, which works with companies such as the Doctors Company to provide coverage and also works with state-run malpractice programs to offer a cyberliability component for a small, additional premium, she said.

Ms. Keefe stressed that cyberliability coverage can ensure that physician practices don’t run up a hefty bill in the event of a data breach by paying for separate specialists and damage control.

“One of the reasons doctors should have cyberliability coverage are the costs associated with figuring out what to do if patient records are lost or stolen,” she said. “The cost of hiring a lawyer, hiring a forensics investigator to assess the situation, the cost of notifying the patients, and taking all the steps required by HIPAA can really add up. Most practices don’t have those costs built into their annual budgets. A cyberpolicy acts as a buffer against those expenses.”

Next Article: