As a disclaimer, we are not an insurance company or insurance specialist. We are a cyber-security firm that specializes in HIPAA compliance. We strongly encourage our clients to purchase cyber-breach insurance. We regularly blog on healthcare cyber security and compliance, often citing cyber-breach statistics. It is likely you have been breached or will be breached in the near future, so it only makes good business sense to protect the investment you have made building your practice and to transfer all the liability you can to others. However, with all the recent high-profile breaches in the news, and the multitude of smaller ones that do not warrant headlines, it is very important to realize that the insurance companies are moving to protect themselves as well.
It is relatively easy to purchase cyber-breach insurance: fill out the questionnaire and add it as a "rider" to your existing policy. It is important to realize, however, that collecting on the policy is becoming a much more difficult and lengthy process. Let's review that process. The average time to discover that a breach has occurred is quoted at 229 days, and that figure comes from companies with fairly robust cyber-security organizations. Statistics for smaller companies or practices are hard to come by because they lack sophisticated security and resources. Such breaches are often discovered only when patients experience cyber theft: real damage to their credit history, identity theft, or loss of funds. When enough "dots are connected" and they point to your practice, the journey begins. The insurance company does not recognize a breach until a law firm has been hired to investigate and has determined that a HIPAA privacy law has been violated. The law firm will call in a forensic investigator to determine the extent of the breach. If a breach has occurred, all those affected must be notified, so there is no hope of resolving the issue quietly; the story spreads on social media while your income plummets. The insurance company will then review your stated cyber defenses against your actual capabilities. If you have overstated your capabilities, the insurance company may contest paying on the policy. The HHS Office for Civil Rights (OCR) will initiate an audit, which may result in significant fines. Frustrated customers will file lawsuits. At this point, even if the insurance company does pay, can your practice survive?
Clearly, cyber-breach insurance is not a simple answer to this tough problem. This means you, as a healthcare provider, must invest carefully to protect your practice. A good cyber defense must be implemented and maintained, with cyber-breach detection capabilities that reduce the Mean Time To Detection (MTTD). Several software solutions provide cyber-breach detection, but, like all software, some are far better than others. Your HIPAA Risk Assessment should include a HIPAA compliance scan to verify that every type of computer you employ meets the NIST HIPAA compliance standards. Once you have done that, purchase cyber-breach insurance. Why? Because the threats are ever changing and becoming more sophisticated, and it is smart business to transfer liabilities.
Takeaways
- Cyber-security/cyber-breach insurance will pay if you do your job and secure your ePHI.
- Being HIPAA compliant and implementing cyber security with rapid breach detection (low MTTD) improves your protection from loss.
- Take action: have a risk assessment performed by a third party and implement a breach-detection software solution. (Ask us for details about both.)