American Medical News
By — Posted Aug. 19, 2013
Many companies, including those in health care, consider cyber security threats to be as big as — or bigger than — the threat of a natural disaster or fire. Just as those organizations carry insurance for the relatively small chance that a tornado or fire destroys their businesses, many now are looking at policies that will cover the potentially devastating impact of a data breach.
The number of people affected by breaches in the U.S. continues to climb each year. For health care organizations, the threat of being slapped with a large fine for violating terms of the Health Insurance Portability and Accountability Act also has increased. The Dept. of Health and Human Services' Office for Civil Rights has made clear that no practice is too small to be fined. A new study from Experian and the Ponemon Institute finds that the majority of companies across several sectors, including health care, are turning to cyber or data breach insurance to mitigate the financial risks of a breach.
The study found that 31% of companies have cyber insurance, and 39% plan to buy it. In health care specifically, 32% have it and 41% are interested, said Michael Bruemmer, vice president of Experian Data Breach Resolution.
There are no historical data to show actual growth, but industry insiders say there is plenty of anecdotal evidence to show a definite increase in interest from health care organizations. Bruemmer said the interest started about two years ago with mid- to large-sized organizations such as hospitals and health care systems. In the past six to nine months, he has seen a shift toward smaller practices expressing interest in the coverage. Although some physicians are having a hard time seeing the cost benefit of having the insurance, those that have had to use it say it was worth it.
The Experian-Ponemon report found that of the health care organizations surveyed for the study, 77% said cyber risk insurance was important. Of those that made a claim against a breach event, 97% said the experience was good or excellent.
As more health care organizations become victims of breaches, awareness and interest in data breach insurance have grown, said Holly Moriarty, small commercial business marketing director for outpatient health care at the Hartford, an insurance company based in Connecticut that sells breach coverage.
NetDiligence, a cyber security firm that conducts risk assessments and data breach services, published a white paper in October 2012 in which it analyzed 137 events reported to breach insurance underwriters between 2009 and 2011. Health care and financial services topped the list as the most frequently breached sectors. The report said the average cost per breach was $3.7 million, the majority of which was legal damages. This figure was lower than the figure calculated by the Ponemon Institute, a data privacy and security researcher in Traverse City, Mich. Its May report, “2013 Cost of Data Breach Study: Global Analysis,” put the average cost per breach in the U.S. in 2012 at more than $5.4 million, or $188 per breached record.
Although a breach at a small physician practice probably won't cost that practice anywhere near $5 million, it could easily run into the hundreds of thousands of dollars — enough to cripple a practice running week to week financially.
Chris Apgar is CEO of Apgar & Associates, a privacy and security consulting firm. He recently conducted a risk analysis for a nine-doctor physician practice showing that the cost of notification alone in the event of a breach would be more than $100,000. Under HIPAA, a practice with a data breach affecting 500 or more people is required to notify patients, local media and the secretary of the Dept. of Health and Human Services. “It can get very, very expensive,” he said.
When Howard Bergstein, an insurance agent from Maywood, N.J., decided to offer data breach insurance to medical offices 2½ years ago, he thought it would be an easy sell. He was selling stand-alone policies for $2,500 a year that covered everything from the cost of notification to the price of a public relations firm to help protect the reputation of the practice. The policies also covered third-party claims for practices that find themselves the target of a lawsuit as the result of a breach.
Bergstein spoke at several physician-led conferences, visited numerous practices and spent several hours marketing the policies. Everywhere he went, he got good feedback from physicians who thought the plans were a great idea. But after nine months, he couldn't get one of them actually to buy the coverage.
He said the practices were overwhelmed with installing electronic health record systems, complying with the meaningful use incentive program and following new regulations from the Health Information Technology for Economic and Clinical Health Act of 2009, which includes regulations relating to data security. Even at $2,500 a year, it was money the physicians were unwilling to shell out because of other obligations, Bergstein said.
Mark Greisiger, president of NetDiligence, said he has heard the same arguments about the price of coverage. His response is to refer back to the analysis of claims that have been made and the average claims that are being paid out. “Those costs aren't trivial,” he said. Greisiger also shares with clients research showing how often a practice's peer practices are having security issues.
Moriarty said that as more breaches are publicized, along with the amount of fines against those companies that experienced a breach, more practices are electing to get coverage.
If doctors still are not convinced a practice should invest in the insurance, physicians should look deeper at their existing coverage, Apgar advised. Doctors should check into what a practice's liability insurance covers. There also might be protections built into an individual physician's coverage, he said.
“A lot of times malpractice insurance is heavy on risk protection, and risk can be defined pretty broadly,” he said.
Many health care organizations that have gone into the market for breach insurance did so because they already had experienced a breach. Bruemmer said getting insurance has made many feel more secure not just because of the coverage but also because of the issues they were forced to think about as part of the application process.
Breach insurance contracts ask about certain controls the practice has in place, as well as access and workflow issues that affect data privacy and security, Moriarty said. There also are issues such as employee background checks and limited employee access that practices must have to even qualify for coverage, she added. Practices are required under federal law to have a breach protection plan, though an insurer might ask for more precautionary preparation.
“Just by asking those types of questions, it starts to trigger a lot of thoughts like, 'OK, these are things I haven't considered or things I don't have in place today but should have in place,' ” she said.
When shopping for a policy, Apgar said, a practice should look not only for what the policy covers but also for what it doesn't cover. Policies can be either stand-alone or an addendum or endorsement to an existing business owner's policy. Smaller organizations tend to go with endorsements, he said. Policies should cover the cost of notification to victims, forensic investigations, regulatory fines and penalties, legal costs, and damages.
The market is still maturing and growing, and policies have grown broader in their coverage in recent years. There also has been a growing number of insurance carriers that offer it. “It's still a growing market out there, but it's come a ways in the last couple of years,” Apgar said.