- About PS&F
- Industry Focus
- Client Tools
- Education & Events
- Case Studies
February 22, 2010
By Steven Brown, Vice President
Few CEOs, CFOs or risk managers are able to appropriately respond to this question from their Board of Directors unless the facility has previously suffered such a loss. While we have all heard the news stories of large banks, credit card companies, or credit agencies that have had breaches of their security affecting hundreds of thousands of customers. Similar breaches occur regularly at healthcare facilities across the nation. Obviously, sensitive financial information of patients and/or employees is at risk but a healthcare facility has the additional exposure associated with maintaining the health record confidentiality of its patients.
While there have been many incidents that involved larger numbers of lost records, here are a few recent incidents involving healthcare facilities that were made public:1
As seen above, many losses are due to persons outside the facility, but as awareness and security procedures are enhanced, a majority of these types of events now stem from insider negligence. In 2008, more than 88% of all in incidents involved negligence of insiders.
For those facilities that are using electronic medical records or are in the process of working towards that standard, the exposure to security threats and data loss becomes greater. Currently, at least 47 states have enacted laws requiring notification of security breaches involving personal information2. In addition to state-specific breach laws, healthcare facilities are affected by the following legislation:
Despite all of the statutory requirements, the single most important reason for healthcare institutions to maintain security and protect confidential information may be their reputations. According to the Ponemon Institute’s most recent study, customer loyalty is a particular challenge to healthcare institutions with an average reduction in their businesses of 6.5% following a publicly disclosed data breach.4
What are the costs associated with the loss of personal and confidential information? According to the Ponemon Institute’s fourth annual U.S. Cost of a Data Breach Study, the average cost per lost record was $202 in 20085. Using this metric, a facility’s loss of 5,000 records will result in an average total cost in excess of $1 million.
Cleary, the threats to security and privacy of healthcare facilities come from many sources, which leads us to the initial question, does your insurance program provide the necessary protection for these types of incidents? General Liability insurance, Directors & Officers Liability insurance, and Crime insurance policies are three potential coverage sources. With general liability policies, while invasion of privacy may be covered, unauthorized disclosures of information via hacking, a stolen computer, or lost media may not be covered since it does not involve intentional disclosure by the insured6. Most GL policies will exclude loss of data, while many can be amended to provide for loss of data of others. To be covered, however, the loss must involve an accident resulting in damage to tangible property and this does not occur in losses affecting personal information.
Crime policies generally provide coverage for theft of tangible property. While some can be endorsed to include theft of the insured’s information, crime policies are property policies so they will not respond to lawsuits from third parties brought against the insured as a result of lost or stolen data. While Directors & Officers policies may provide coverage for third-party lawsuits filed due to the release of private information, they do not provide any of the first party costs to a facility such as hiring IT experts, enhancing security measures, recreating lost data, recovering loss income due to the breach of security, notification costs, credit monitoring expenses, or meeting the demands of extortionists. To address these large gaps in coverage, the insurance industry has created a newer coverage now generically termed Cyber Risk Liability insurance.
Cyber Risk Liability insurance is specifically designed to respond to loss of security to an insured’s data systems and losses of private information that may occur. The coverage began to emerge about five years ago and is now offered by numerous insurers for healthcare institutions. While many policies contain similar provisions, cyber risk liability is perhaps the least standardized segment of property and casualty insurance. Similar coverages can be purchased from most cyber risk liability insurers but there is no standard for built-in coverages in a cyber risk liability policy, as one typically finds with a general liability policy or a directors & officers liability policy. Typical coverages include, but are not limited to, the following:
Even for core coverages such as Network Security and Privacy Liability, each insurer’s insuring agreement may be substantially different than that of another insurer. Your insurance broker must be able to explain the differences between the insuring forms. Furthermore, do not assume that your insurance broker knows what cyber risk liability coverage endorsements your facility requires. While some of the main coverages are obviously required at all facilities, there are many coverage options that may or may not be appropriate for your facility. Discuss your concerns with your broker so that, with his or her assistance, you can select the coverages and the limits to be included in your facility’s policy.
Cyber risk liability underwriters will evaluate your facility’s exposure to loss. This will depend in part on the sophistication of the facility’s IT department, the security provisions utilized by the facility’s network, the number of records stored, the manner in which the information is maintained, type of facility website, and history of losses. A healthcare facility’s IT Department and/or its independent consultants will be integrally involved in the completion of the application required to apply for Cyber Risk Liability insurance. Often a risk management phone call with the insured is a requirement prior to the insurer offering coverage. Pricing can vary significantly when comparing seemingly comparable coverages; therefore, it is advisable to obtain multiple quotes from financially robust insurers. Key differentiating coverage components include the following:
Senior management must work with its IT Department to evaluate the facility’s exposure to these types of losses, including the threat that a rogue employee, hacker, or dumpster diver could pose to patient, employee, and hospital data. Discuss the issues with the independent contractors and vendors that interact with the facility to provide data management and processing capabilities. Inquire as to what these firms are doing to protect your facility and determine if they too are properly insured, as these types of losses have occurred to at least one data storage firm as well. In fact, while privacy and security losses are less common than general liability, professional liability, and even directors & officers liability claims, the magnitude of loss potential to healthcare facilities remains severe. While a comprehensive approach to risk management is paramount, providing a funding mechanism for the unforeseen, catastrophic losses is prudent for any size healthcare facility.
6Journal of Healthcare Risk Management, Volume 28, Number 4, page 23
The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.