News Feature | September 6, 2013

Cyber Insurance In Case Security Fails

Source: Health IT Outcomes
By Katie Wike, contributing writer

Practices are realizing the value of cyber insurance, but coverage fees may be too much for some

Data breaches affect businesses every day with potentially devastating results. The healthcare industry is not exempt from data breaches, and the results can be equally disastrous. And no matter how effective a cyber security system is, there is always a chance it isn’t good enough. Because of this, many providers are turning to cyber insurance.

According to American Medical News, "Cyber insurance policies can carry a variety of benefits. Experts say medical organizations should have policies that include, at minimum, coverage of notification costs, forensic investigation costs, legal defense costs, penalty and fine coverage, and third-party liability." Without insurance, fines for HIPAA violations can force a private practice into bankruptcy.

American Medical News cites a study conducted by Experian and the Ponemon Institute that found, across several sectors including healthcare, 31 percent of those surveyed had some form of cyber insurance and another 39 percent said they plan to purchase it. In healthcare specifically, 32 percent have it and 41 percent are interested.

Of those who were not considering purchasing insurance, 52 percent considered the premiums too high. A breach could cost hundreds of thousands of dollars, but according to Howard Bergstein, an insurance agent who decided to offer data breach insurance to medical offices 2½ years ago, most providers were unwilling to purchase a $2,500 policy. He said "practices were overwhelmed with installing electronic health record systems, complying with the meaningful use incentive program and following new regulations from the Health Information Technology for Economic and Clinical Health Act of 2009, which includes regulations relating to data security."

Marla Durben Hirsch, a health law attorney and editor at Fierce EMR, writes of a provider's choice not to buy cyber insurance, "Am I missing something? Or are providers just not thinking this through? Do they believe that the risk that they'll suffer a data breach is so low that it's OK to go bare? Or that their other measures to protect the data in their EHRs - such as conducting a risk analysis - will be sufficient?"

Durben Hirsch continues her argument for cyber insurance, writing, "For one thing, EHRs arguably are more prone to data breaches than paper records. Yes, paper medical records can be lost or stolen, but it's so much easier for employees to improperly access electronic records for snooping or personal gain, for a hacker to get into the computer system or a thief to steal a laptop."

Durben Hirsch sums up her position succinctly, saying, “While $2,500 isn't chump change, it's also less than $7 a day. That's about the cost for a Starbucks Frappuccino.”