Phishing, malware and direct attacks by hackers are on the increase, and employees are abusing their data access rights. Any organization required to collect, store or use Protected Health Information (PHI) is likely to suffer a data breach; it is only a matter of when.
Even when healthcare providers abide by the HIPAA Rules and avoid OCR financial penalties, the cost of a healthcare data breach can be considerable. Patients must be notified, credit protection services provided and identity theft insurance offered. Even printing and posting the breach notification letters alone is a sizable expense.
A mid-sized healthcare provider holding millions of patient health records and Social Security numbers could well find a large-scale data breach ruinous.
Inevitable Data Breaches Mean Insurance Policies are Required
Even the best security systems can be undone by a single worker. The data breach at Medical Management LLC occurred when an employee took data from the company and disclosed it to a third party. A recent data breach at Penn State University shows just how easily a HIPAA breach can occur: an employee made an error of judgement and took data home to complete some work. Even though there appear to have been no bad intentions, the potential exposure still warrants a breach response.
Healthcare providers would naturally prefer to avoid data breaches altogether, but if that is not possible the next best option is to avoid paying the costs associated with them. Insurance companies have been quick to seize the opportunity to provide cover, and many now offer data breach insurance policies that cover the cost of cyber-attacks.
The risk of a cyber-attack or security breach has grown over the past two years, as has the number of successful attacks. It is no surprise that the cyber security industry has grown so rapidly over the same period; today it is estimated to be worth $2 billion a year.
It’s Not Only About Covering the Data Breach Cost
After a data breach occurs, a healthcare provider must conduct a thorough investigation to determine exactly which data were accessed. This is a complex and time consuming task even when IT staff have the device in question to examine. When an unencrypted laptop computer is stolen, the analysis is harder still: the scope of the exposure has to be reconstructed from backups, file-share logs and e-mail records rather than from the device itself, and every record that could have been on it must be assumed exposed. (Had the laptop been encrypted in line with HHS guidance, the loss would generally not count as a breach of unsecured PHI under the HIPAA Breach Notification Rule, and notification would not be required.)
Many healthcare providers lack staff with the skills needed to conduct such an investigation and invariably outsource the task to security professionals. Some insurers now assist healthcare providers by providing forensic analysts for this purpose, as well as legal advice to help deal with the aftermath of a data breach.
It is Important to Read the Small Print
Purchasing an insurance policy does not necessarily mean a data breach pay-out will be received. A healthcare provider may still have to cover the cost of the breach in addition to the cost of the insurance premiums.
Recently, Columbia Casualty Co. questioned the actions taken by Cottage Health System to protect the data it held, after one of its Business Associates inadvertently allowed PHI to be indexed by Google. The insurer argues that the healthcare provider failed to implement the most basic of security measures and that, consequently, it should not have to cover the cost. The practical lesson is that the security practices an applicant attests to on the policy application become conditions of cover: a provider should check that each control it claims to have in place (patch management, encryption, access controls and the like) is actually implemented and evidenced, or the insurer may invoke a minimum-required-practices exclusion after the fact.
The Cost of Cybersecurity Insurance
The cost of cybersecurity insurance, including cover for insider data breaches, varies considerably with the level of risk, the number of records that could potentially be exposed and the level of cover required.
For many companies the level of risk justifies paying for a policy. It would not be unusual for a cyber-security insurance policy to cost around $900 a year for $1 million of cover for an individual, whereas a mid-sized healthcare provider may have to pay premiums of up to $50,000 a year for a $10 million data breach insurance policy.
Anthem is believed to have held an insurance policy providing up to $100 million of cover, although the final cost of its 78.8 million record data breach will be considerably more.