Is Cyber-Security Insurance Right for Your Practice?

2015 was a notorious year for cyberattacks in the healthcare industry, with more than 100 million health care records compromised in a single year. So far 2016 looks like it might be as bad or worse, once the Department of Health and Human Services' (HHS) Office of Civil Rights (OCR) gets all the breaches posted. Breaches for just the month of June involved more than 11 million patient records. Cyberattacks have become so common that IT experts say that it's 'not if but when' your data will be breached," says Rick Hindmand, a healthcare attorney with McDonald Hopkins in Chicago, Ill.

The big data breaches that make the news are typically the giants in the industry-the Anthem and Premera Blue Cross breaches, for example. But smaller healthcare providers are targets as well and for these practices,the results of a breach can be proportionately much worse. Some breaches are small and the damage can be quickly contained. Significant breaches, however, can be expensive. "Beyond the cost of any fines (and the bad PR), the costs of a significant breach can include paying for data analysis, a forensics expert, letters to patients, setting up a call in number to field patient's questions, and more," says Hindmand. For small practices already stretched to near breaking after paying for software and computer upgrades and ICD-10 prep, one serious breach could mean the difference between staying afloat and going under.

In this realm, cyber-security insurance could be the solution. It can offset much of that expense, turning what could be a catastrophe into just another headache (admittedly, a really bad headache, but a headache not a disaster). "The cost of insurance is almost always less than the cost of a breach," Hindmand said.  

Chuck Winchester, Information Technology Operations Manager for the American Academy of Family Physicians (AAFP) strongly recommends cyber-insurance. "Because protecting members' and employee data is so important to us, the AAFP has cyber-security insurance," he said. The AAFP does not officially recommend cyber-security insurance to its members, but merely suggests that members consider it based on their individual situations. However, Winchester said, "As a security guy, I definitely think it would be a good idea for everybody."

The benefits of cyber-security insurance go beyond just covering the costs. "The insurance company will typically have a panel of attorneys, and you can usually choose from several," Hindmand explained. "They also have forensic experts that they work with who have experience working with just these kinds of issues." In addition, your cyber-security insurance is only likely to pay a claim if you can demonstrate that you took due diligence-so there's another incentive to stay on top of protocols.

Even if you follow all the rules, data breaches can still-and probably will-happen. Just like you planned for the worst when prepping for ICD-10, it's a good idea to do the same in case of a data breach. If you're practice can afford it, cybersecurity insurance might put your mind at ease and possibly save the day in the event of a breach.