Barbara L. McAneny, MD, CEO of New Mexico Oncology Hematology Consultants, Ltd, experienced a data breach about 10 years ago, when a laptop was stolen from her large practice.
She and the other physicians were upset and worried that the individual would attempt to log in to the computer system and hack their patients’ private health information.
McAneny was also worried that the practice would have to pay a hefty fine to the government for having unsecured private health information on a laptop. She could have paid from $50,000 to more than $1.9 million for lost and stolen devices (although that didn’t happen).
McAneny had a standard cyber liability benefit in her med-mal policy that covered up to $50,000 of the data breach costs. That covered the legal advice The Doctors Company provided about state and federal reporting requirements when a data breach occurs and the costs the practice incurred from mailing letters to all of its patients notifying them of the data breach, says McAneny.
“The data breach taught me a lot. Our practice spent a lot of money on increasing our internal controls, cybersecurity, and monitoring. Our IT department started testing our computer firewalls periodically, and that’s how we discovered that cybercriminals were attempting to break into our computer system at least 100 times daily,” says McAneny.
That discovery changed how she thought about insurance. “I decided the med-mal benefit wasn’t enough. I bought the best cybersecurity policy we could afford to protect against future breaches, especially malware or ransomware attacks.”
Her practice also had to make its electronic health records (EHRs) more secure to comply with the Department of Health and Human Services Office of Civil Rights standards for protected health information. The cost of increased security wasn’t covered by her cyber benefit.
Cyberattacks Increasing in Healthcare
Despite having comprehensive coverage, McAneny worries that the cybercriminals are a step ahead of the cybersecurity experts and her practice will eventually have another data breach.
“The policy only covers things that we know about today. As we upgrade our defenses, criminals are finding new ways to breach firewalls and work around our defenses,” she says.
Cybercriminals — whether from foreign countries or just plain, homegrown thugs — have stepped up their attacks on healthcare organizations. So far this year, nearly 200 medical groups have reported cyberattacks involving 500 or more of their patients’ medical records to the federal government.
EHRs are valuable targets to cybercriminals because of the protected health information they contain. Cybercriminals grab information such as social security numbers, dates of birth, medical procedures and results, and in some cases billing and financial information and sell it on the dark web.
They typically bundle the information and sell it to other criminals who later use it for various kinds of fraud and extortion such as banking and credit fraud, healthcare fraud, identity theft, and ransom extortion.
What Do Most Doctors Have?
The vast majority (82%) of doctors polled by the Medical Group Management Association last year said they had cyber insurance compared with 54% in 2018.
For those who answered “yes,” many said they have coverage through their malpractice insurance carrier.
David Zetter, president of Zetter HealthCare Management Consultants, recommends that physicians speak with their malpractice carrier to determine what coverage they have, if any, within their malpractice policy.
A typical cybersecurity benefit is limited to what is needed to fix and resolve the hacking incident, says Raj Shah, senior regulatory attorney and policyholder advisor at MagMutual, which insures medical practices for malpractice and cyber liability.
That usually covers investigating the cause of the breach and the extent of the damage, legal advice about federal and state reporting requirements, whether to pay a ransom, and a public relations professional to handle patient communication, says Shah.
The benefit doesn’t cover lost patient revenue when practices have to shut down their operations, the cost of replacing damaged computers, or the ransom payment, he says.
Zetter advises doctors to consider buying cybersecurity coverage. “I recommend that they speak with an insurance broker who is experienced with cybersecurity policies sold to healthcare professionals to determine what type of coverage and how much coverage they may need. Their malpractice carrier may also be able to provide some answers,” says Zetter.
The physician will need to be able to answer questions about their network, how many staff they have, and may need to involve their IT vendor too, he adds.
How Does Comprehensive Coverage Compare?
Ransomware attacks continue to be one of the most frequent types of attacks, and the amount criminals are demanding has risen significantly. The median ransom payment was $5,000 in the fourth quarter of 2018 compared with over $300,000 during the fourth quarter of 2021.
Cybercriminals now engage in “double extortion”: they demand one ransom payment to hand over the key that will unlock the practice’s encrypted data, and then a second payment to keep the patients’ sensitive medical information they copied from being posted on the dark web.
Comprehensive cybersecurity insurance will cover “double extortion” payments, legal costs that may arise from defending against patient lawsuits, and the costs of meeting federal and state privacy requirements including notifying patients of the data breach and regulatory investigations, says Michael Carr, head of risk engineering for North America for Coalition, a cyber insurance firm.
Cyber insurers also contract with vendors who sell bitcoin, which is the currency cybercriminals typically demand for ransom payments, and work with ransom negotiators.
For example, once Coalition decided to pay the ransom on behalf of a healthcare client, it negotiated the ransom demand down by nearly 75% from $750,000 to $200,000, and proceeded to help the company restore all of its data.
The costs to respond to the incident, to recover lost data, and to pay the extortion, together with the lost business income resulting from the incident, were covered by Coalition’s cyber insurance policy.
Other clients have had their funds retrieved before a fraudulent wire transfer was completed. “Medical practices have vendors they pay regularly. A cybercriminal may compromise your email or take over a bank account and then impersonate a vendor asking to be paid for services they didn’t provide,” says Carr.
How Much Coverage Do You Need? Cost?
McAneny has increased her cybersecurity coverage every year. “It’s expensive, but I think it’s worth it. But you can never buy enough protection due to the coverage limits.”
She worries that the costs could exceed the limits if a ransomware attack disrupts her practice for days, weeks, or longer, or if the Office for Civil Rights fines her practice $10,000 per patient chart — the practice has 100,000 health records. “That can run several millions of dollars and ruin a practice,” she says.
Health systems and hospitals need massive amounts of coverage, which often runs from $20 million to $30 million, says Shah. However, practices insured through MagMutual have lower coverage limits that range from $1 million to $5 million, he says.
“A large practice does not necessarily need more than $1,000,000 in coverage if they have limited loss in this area and strong internal processes and controls. Most large practices also have a dedicated information security director, which reduces their risk, so they may be comfortable with $1,000,000 in coverage,” says Shah.
Premiums are based on the number of patient health records per practice, which translates into higher premiums for larger practices.
Other factors that come into play include the underlying coverage, risk controls the practice has implemented, and its claims history, says Shah.
However, the cost for cyber liability insurance has increased, and practices can expect to pay higher premiums and deductibles. For example, a practice that paid $10,000 in premiums for a new policy last year will have to pay $20,000 this year, says Dan Hanson, senior vice president of management liability and client experience at Marsh & McLennan Agency, a risk management firm that sells cyber insurance policies.
“We saw 71% of our self-insured clients experience higher deductibles over last year due to increased claim activity and the lack of capacity in the market. The carriers are saying they will set limits, but you are going to pay a lot more, and you are going to participate more in losses through the higher deductibles,” says Hanson.
Are You Eligible?
Cyber insurance companies have a vested interest in avoiding claims. With increasing cyberattacks and larger payouts, many insurers are requiring practices to implement some defensive measures before they insure them. Some insurers, such as Coalition, say they may still insure small practices for comprehensive coverage, but it may impact the pricing or what’s covered, says Carr.
Here are some of the security measures that cyber insurers are looking for:
Multifactor authentication (MFA) requires an extra layer of security to access the system. For example, when logging into your organization’s EHR platform, instead of just using a username and password to access the platform, MFA would require you to input an additional unique login credential before you can access the EHR. A secondary login credential may include security questions, a one-time PIN, or biometrics.
Removing a terminated employee’s login credentials quickly from the computer system. “One of the most damaging and expensive types of attacks are by disgruntled employees who still have their login credentials and take revenge by logging back into the system and planting malware,” says Shah.
Automatic system updates (patches). “Phishing email compromises usually result from a failure to fix vulnerabilities. When a system needs to restart, it should be set to automatically update any potential security loopholes within programs or products,” says Carr. The firewall settings should also be updated.
Prior hacking incidents: Are the attackers out of your system? Once criminals hack into the system, your practice is vulnerable to repeat attacks. “If a cyberattack is not completely addressed, threat actors will maintain access to or a presence on the compromised network. In general, we will work with the insured to ensure that the initial point of compromise has been addressed and that any threat actor presence in the network has been removed,” says Carr.
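As an added illustration of the first two measures above (example code written for this page, not code from the article or from any insurer it quotes): a small Python check that reconciles a constructed HR termination list against a constructed directory export and flags terminated staff whose accounts are still enabled past an assumed 24-hour grace period, as well as enabled accounts with no MFA enrolled. The field names, sample users, and grace period are assumptions.

```python
"""Offboarding and MFA readiness check (added example, not code from the
article or from any insurer it quotes). Reconciles a constructed HR
termination list against a constructed directory export; field names and
the 24-hour grace period are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed sample data, not real practice records.
HR_TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
}
DIRECTORY_ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "mfa": True},    # left days ago, still enabled
    {"user": "asmith", "enabled": False, "mfa": True},  # correctly disabled
    {"user": "bnurse", "enabled": True, "mfa": False},  # no MFA enrolled
    {"user": "drlee", "enabled": True, "mfa": True},
]
NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)


def stale_terminated_accounts(accounts, terminations, now, grace=timedelta(hours=24)):
    """Terminated staff whose account is still enabled more than `grace`
    after the termination time recorded by HR."""
    return sorted(
        a["user"] for a in accounts
        if a["enabled"]
        and a["user"] in terminations
        and now - terminations[a["user"]] > grace
    )


def enabled_without_mfa(accounts):
    """Enabled accounts with no second factor enrolled."""
    return sorted(a["user"] for a in accounts if a["enabled"] and not a["mfa"])


def readiness_report(accounts, terminations, now):
    """Both findings in one dict; an empty dict means no gaps were found."""
    report = {}
    stale = stale_terminated_accounts(accounts, terminations, now)
    if stale:
        report["stale_terminated"] = stale
    no_mfa = enabled_without_mfa(accounts)
    if no_mfa:
        report["no_mfa"] = no_mfa
    return report


if __name__ == "__main__":
    print(readiness_report(DIRECTORY_ACCOUNTS, HR_TERMINATIONS, NOW))
```

Run against a real directory export, the same two lists are what an insurer’s questionnaire on offboarding and MFA is asking you to prove are empty.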
When doctors compare cybersecurity policies, experts recommend avoiding companies that may offer lower prices but lack a proven track record of handling claims and do not offer resources that can detect a threat, such as ongoing network monitoring and employee training with simulated exercises.
“Practices tend to think it won’t happen to me. Every practice needs to take this seriously,” says McAneny.
Christine Lehmann, MA, is a senior editor and writer for Medscape Business of Medicine based in the D.C. area. She has been published in WebMD News, Psychiatric News, and The Washington Post. Contact Christine at clehmann@medscape or via Twitter @writing_health.