This article was originally published on Executive Insight's website on July 6, 2015.
By Nicholas M. Cushmore, ARM, Assistant Vice President
Experts predicted that 2015 would be the year of healthcare data breaches, and judging by the number of incidents reported in just the first six months of the year, that prediction appears to be spot on. Data breaches in the financial industry have been about as common as the common cold, but that industry has grown smarter and has worked to close the gaps that made it a prime target. The healthcare industry, on the other hand, remains very susceptible to data breaches and has seen a steady increase in cases in recent years.
According to Symantec, cyber attacks on the healthcare industry increased by 72 percent from 2013 to 2014. The increase is due in large part to the widespread adoption of electronic health records by organizations that often lack mature data protection programs. Adding salt to the wound, fraudulent activity in the healthcare industry often goes undetected for years, which gives criminals a longer window in which to do damage with the stolen information.
Healthcare executives must ensure their organizations have an effective risk management plan in place to combat data breaches, which the Ponemon Institute's 2015 Cost of Data Breach Study: Global Analysis found cost companies $3.8 million on average. Healthcare organizations that have a plan in place to respond to breaches and contain the damage have been able to significantly reduce both the overall cost of a breach and its long-term effects on, for example, patient retention and the organization's reputation.
As an annual practice, healthcare executives should review their organization's cyber risk management program. As part of that review, they should carefully examine the organization's insurance policies to confirm that the policies will adequately protect it in the event of a data breach, and they should confirm that the organization as a whole is following best practices for preventing data breaches.
The first step in reviewing your organization’s cyber liability insurance policy is ensuring it has the five main coverage components:
- Third-Party Coverage for claims arising from a failure with the company’s network security, failure to protect personally identifiable information, failure to protect confidential corporate information or associated regulatory actions (including HIPAA/HITECH).
- First-Party Coverage for responding to a security failure or privacy breach. This coverage pays the costs of notification, public relations and other services that help manage and mitigate a cyber incident. It can typically be purchased either with a dollar limit or on a "number of records" basis. With per-record coverage, the carrier would cover the cost of notification for, say, 500,000 records regardless of what that notification ends up costing.
- Extortion Coverage that pays for responding to the threat of an intentional security attack against the company by an outsider attempting to extort money.
- Network Business Interruption Coverage for loss of income and operating expenses due to a network security failure like a denial of service attack, but not from a privacy breach.
- Media Liability Insurance that covers claims arising out of the gathering and communication of information. This coverage protects against defamation and invasion of privacy claims as well as copyright and/or trademark infringement.
Beyond these five coverage areas, healthcare executives should ensure that the policy covers regulatory fines and penalties associated with HIPAA and HITECH. This coverage can be excluded from a policy altogether, and where it is provided it typically carries a sublimit. In the "BYOD" (bring your own device) era, it is also critical to make sure the policy contains no encryption exclusion or sublimit for unencrypted mobile devices; otherwise a single lost, unencrypted laptop or phone can leave the organization with little or no coverage for the breach that follows. Another point to consider is that some policies require the insured to work with the insurance company's pre-selected law firms, PR firms and other vendors. While this sounds fine at the time, it can leave you feeling that your hands are tied when a breach actually occurs.
Making sure that your cyber coverage is appropriately tailored to your healthcare organization is only half the battle. A major component of any solid cyber risk management program is a commitment to best practices by all staff, starting with upper management. If employees know and understand that the organization's leaders take cyber security seriously, good risk management is far easier to implement. Cyber security training isn't just for the IT department; every end user of technology in a healthcare organization can be the cause of a breach.
As discussed earlier, this is the era of BYOD. Laptops, tablets and smartphones let employees work remotely and transmit data from wherever they are, so it is imperative that an organization instill best practices for working with these devices. Some key best practices include:
- Install encryption technology (full-device encryption for data at rest and encrypted connections for data in transit) so that health information stored on or sent from a mobile device is protected.
- Require a password or PIN to unlock the device's screen, and require that it be changed frequently.
- Run anti-virus software on the devices and keep it updated.
- Install technology that lets you remotely "wipe" a device of all data if it is lost or stolen.
- Issue company-owned smartphones for work use only, to keep risky personal mobile applications off the devices.
- Securely delete all records from a device before discarding it.
Data protection should be central to every healthcare organization's business. Healthcare organizations must take an active approach to protecting data and preventing breaches, and taking the time to carefully examine the cyber risk management program will help ensure that your business and your patients continue to thrive.