Many physicians don't think a cyberattack is likely. However, the reality is that cyber criminals often target medical practices.

Posted in Risk Management on Wednesday, November 21, 2018

I know of a local clinician who recently suffered a cyberattack and received a ransom demand. His office was shut down for two weeks while he sought to secure the bitcoin payment to access to his records. Of course, the doctor doesn’t want to share his story for fear of it negatively impacting his practice. However, I want to warn other clinicians of the reality of this potential risk and advise them to consider cyber coverage as a protection.

Doctors sometimes tell me they don’t buy cyber coverage because they have smart people and state-of-the-art computer systems. The trouble is that cyber criminals can be smarter. And in the event of an attack, can you be sure you’ll get all your data back even if you pay the ransom? Has it been compromised? How will you know? What is to stop the criminal in the future?

Remember, when it comes to the data you collect that include protected health information (PHI) or personally identifiable information (PII), you have a duty to protect it.

Some clinicians believe cyber coverage is included under their business owners or other commercial insurance policy. However, many carriers exclude data or intangible property. And, even if they are included, the coverage may not be as comprehensive as it would be with a true cyber policy. 

It’s important to realize that cyber coverage is made up of both first-party and third-party coverages. First-party coverage protects you, the insured, while third-party coverage protects the people whose data has been taken. 

Cyber coverage is included in your Professional Solutions coverage. A basic limit of $50,000 is provided, which delivers multiple areas of coverage (see your policy endorsement). These include, but are not limited to: 

• Network privacy breach
• Patient notification and credit monitoring
• Cyber terrorism and extortion
• Network asset protection
• Reputation protection

Unlike your malpractice policy, expenses and payments are included in the $50,000 limit. That means the $50,000 limit can be exhausted quickly. Several experts, including a breach coach, IT experts, lawyers, forensic experts, PR staff and call center operators may be needed to resolve a cyber breach.

How much coverage do you need? That depends on:

• The number of patients and other confidential records (PHI, PII) you have:
• How and where the information is stored and for how long
• What protections are in place, such as encryption and business associate agreements
• The value of your reputation if you suffer a breach
• The access points where a breach can happen and their uses:
• Laptops, cell phones and networks
  • texting, emailing, website access and social media
• Use of third-party processors
• Payment plans such as credit cards
• Recovery plans
• Your peace of mind

With cyberattacks becoming more common, make sure to talk with your representative about your current coverage and whether additional limits make sense. The good news is we have negotiated a reduced cost for our policyholders and have made the application process very simple. 

Don’t be a victim and lose access to your records. Contact your representative today!