As cybercriminals grow more sophisticated, they are finding novel ways to reach protected health data, and health care providers are left to pay for the damage.

In 2017, there were at least 477 publicly reported health data breaches in the United States, affecting some 5.6 million patients, up from 450 health care breaches in 2016, according to Protenus, a health care cybersecurity vendor that tracks data breaches reported to the U.S. Department of Health & Human Services.

When medical files are stolen, physicians are on the hook for more than just a possible ransom request; they also face thousands of dollars in potential fines, fees, and legal costs, said Joshua R. Cohen, JD, a medical malpractice defense attorney based in New York. To mitigate the consequences, cybersecurity experts say physicians should consider purchasing cyberliability insurance, a relatively new coverage policy that protects against data breaches and subsequent lawsuits.

“A breach is very expensive,” said Mr. Cohen, chair for the New York City Bar Association Committee on Medical Malpractice. “You have the fine to the Office for Civil Rights, which can be in the millions of dollars, and you’re going to have to ameliorate the breach, which can be hundreds of dollars per person, let alone deal with lawsuits from the patients.”

Cyberliability: What’s the risk?

Cyberliability refers to legal dangers arising from data breaches, privacy law violations, and ransomware/cyberextortion threats, as well as data loss and business interruption from computer system failures.

Of the 477 breaches in 2017 analyzed by Protenus, 37% were attributed to hacking, 37% to insider incidents, and 16% to loss or theft of data; the cause of the remaining 10% was unknown, according to the report.

Data breaches caused by hackers and malware attacks are rising in the health care sector, said Katherine Keefe, global head of breach response services for Beazley, a national cyberliability insurer and risk management company. Beazley handled 2,615 data breaches in 2017, more than half of which were health care–related, Ms. Keefe said in an interview. The top three causes of health care breaches reported to Beazley in 2017 were accidental disclosure, hack or malware, and insider incidents, according to a recent report from that company.

Ms. Keefe noted that Beazley has seen a recent surge of phishing emails, messages that impersonate a trusted sender in order to extract credentials or other sensitive information. The emails typically ask an employee to click a link and "change" a password; the link leads to an attacker-controlled page that captures the credentials, which are then used to steal data or gain access to medical records.

“We see an awful lot of that,” Ms. Keefe said. “There’s been a real surge in successful phishing emails and social engineering that enables criminals to identify medical practice leaders. It’s not hard to dress up an email to look like it’s coming from a specific individual. There are all kinds of increasingly sophisticated tactics to trick people into letting criminals into their systems or tricking people into forwarding money or valuable information.”

Hackers frequently use phishing emails to get employees to download a payload, the portion of malware that performs the malicious actions, Mr. Cohen added. Once it runs, a payload can do significant damage to a medical practice.

“Once you get hit with these payloads, not only can they start pulling information out of the computer system, they can also start doing things, such as turning on laptop cameras, reading emails, listening in on computer microphones,” he said. “All they need is one employee to click.”
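The spoofed-sender, fake-password-reset pattern described above, as an added triage example that is not part of the original article or any insurer's tooling. Everything in it is constructed: the practice domain northsideclinic.example, the lookalike northside-clinic-mail.com, the names, and both sample messages. The heuristics it applies (a trusted display name on an untrusted mailbox, a Reply-To routed elsewhere, lure wording, and anchor text that names a different domain than its href) are the checks a mail filter or a careful reviewer would run:

```python
"""Heuristic triage for credential-phishing e-mail: a sender dressed up as a
practice leader plus a "change your password" link.  Example code added to
this page; the practice, domains, people and both messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical roster: domains the practice really sends from, and display
# names staff trust on sight.  A real deployment pulls these from the directory.
TRUSTED_DOMAINS = {"northsideclinic.example"}
KNOWN_NAMES = {"jane smith", "it helpdesk"}

# Wording that password-reset and payment-redirect lures rely on.
LURE_RE = re.compile(
    r"(reset|change|verify|confirm)\s+(your\s+)?(password|credentials)"
    r"|account\s+(will\s+be\s+)?(suspended|locked)"
    r"|wire\s+transfer|within\s+\d+\s+hours?",
    re.IGNORECASE,
)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Collapse 'portal.sub.example.com' to 'example.com' (public-suffix-naive; fine for the demo)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(addr: str) -> str:
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def triage(raw_message: str) -> list[str]:
    """Return the phishing indicators found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    # 1. Trusted display name on an untrusted mailbox: the "dressed up" sender.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of_address(addr)
    if display.strip().lower() in KNOWN_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' but sender domain '{from_domain}'")

    # 2. Replies silently routed to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of_address(reply_to) != from_domain:
        findings.append(f"Reply-To domain '{domain_of_address(reply_to)}' differs from From")

    body = msg.get_payload()  # demo messages are single-part text/html
    if LURE_RE.search(body):
        findings.append("credential or payment lure wording")

    # 3. Links whose visible text names one site but whose href goes to another,
    #    and lure links to any domain the practice does not own.
    for href, inner_html in ANCHOR_RE.findall(body):
        href_domain = registered_domain(urlparse(href).hostname or "")
        shown = re.sub(r"<[^>]+>", "", inner_html).strip()
        m = DOMAIN_IN_TEXT_RE.search(shown)
        if m and registered_domain(m.group(1)) != href_domain:
            findings.append(f"link shows '{m.group(1)}' but goes to '{href_domain}'")
        elif href_domain and href_domain not in TRUSTED_DOMAINS and LURE_RE.search(body):
            findings.append(f"lure link to untrusted domain '{href_domain}'")
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: Jane Smith <jane.smith@northside-clinic-mail.com>
To: frontdesk@northsideclinic.example
Subject: Action required: your password expires today
Content-Type: text/html

<p>Please visit <a href="https://portal.northside-clinic-mail.com/reset">portal.northsideclinic.example</a>
and reset your password within 2 hours or your account will be locked.</p>
"""

LEGIT = """\
From: Jane Smith <jane.smith@northsideclinic.example>
To: frontdesk@northsideclinic.example
Subject: Thursday schedule
Content-Type: text/html

<p>Clinic starts at 8 on Thursday; the agenda is on
<a href="https://intranet.northsideclinic.example/agenda">the intranet</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(raw) or ["no indicators"])
```

Run as-is, PHISH yields three indicators and LEGIT none. The registered-domain collapse is deliberately naive (no public-suffix list), and a script like this belongs behind, not instead of, SPF/DKIM/DMARC enforcement on the practice's own domain and a mail gateway that rewrites or sandboxes links.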

Considering cybercoverage

To protect themselves from potential breach expenses, more medical practices are purchasing cyberliability insurance policies. A 2017 survey of 270 insurance brokers and 125 underwriters found that health care has more first-time buyers of stand-alone cyberliability insurance than does any other industry.

However, Mr. Cohen advises that practices should do their research before buying and be aware of the different types of policies, coverage limits, and insurance options.

“Be careful about what it covers,” he said. “Are they going to pay for all the amelioration for all the patients affected? Some policies will cover ‘repairing and disinfecting the system,’ but they will not likely cover all the [Office for Civil Rights] fines.”

The Doctors Company, a national medical liability insurer, provides $50,000 in cybersecurity coverage to all its insured physician members, with the option to buy $1 million in additional protection, according to Crystal Brown, senior vice president of underwriting for the Doctors Company. The coverage protects against regulatory and liability claims arising from theft, loss, or accidental transmission of patient or financial information, as well as the cost of data recovery. Another policy the company offers protects against claims arising from administrative actions pertaining to utilization, licensing, credentialing, and misconduct.

“In health care, data breaches are not a matter of ‘if, but when’,” Ms. Brown said in an interview. “With the costs of breach response and potential HIPAA violations now reaching several hundred dollars per stolen medical record, we urge physicians to carefully evaluate their risks and make certain they are adequately protected.”

Meanwhile, national medical liability insurer ProAssurance offers health providers a basic cyberliability coverage endorsement in most states on its medical professional liability policy. The insurer also has a branded cyberprogram that allows clients to buy additional and broader coverage at a discounted premium.

“In today’s electronic environment, we are hearing about breaches occurring at both small and large health care practices,” said Melanie Tullos, vice president for ProAssurance. “Small physician practices are just as vulnerable, if not more so, to a cyberbreach and should take the necessary steps to protect patient data against an attack at all measures, including, but not limited to, purchasing cyberliability coverage.”

The price of cyberliability insurance varies by risk and other factors, Ms. Tullos said. Generally, the cost of a $1 million cyberliability policy for a single physician practice is less than $1,000, whereas a group of 10 physicians can pay up to $8,000-$9,000, she said in an interview.

Beazley offers policies that cover the expenses and services associated with investigating whether a data breach has occurred, responding to a breach, and liability that may arise from it, said Ms. Keefe. Beazley also works with companies such as the Doctors Company to provide coverage and with state-run malpractice programs to offer a cyberliability component for a small additional premium, she said.

Ms. Keefe stressed that cyberliability coverage can ensure that physician practices don’t run up a hefty bill in the event of a data breach by paying for separate specialists and damage control.

“One of the reasons doctors should have cyberliability coverage are the costs associated with figuring out what to do if patient records are lost or stolen,” she said. “The cost of hiring a lawyer, hiring a forensics investigator to assess the situation, the cost of notifying the patients, and taking all the steps required by HIPAA can really add up. Most practices don’t have those costs built into their annual budgets. A cyberpolicy acts as a buffer against those expenses.”

Manage risk before a breach

Of course, there is plenty that practices can do to prevent a health data breach, and to limit the damage from one, before it happens. Providing employee awareness training is an important step, said Craig Musgrave, chief information officer of the Doctors Company. Institute a training program for staff at all levels and go over the basics, such as not opening emails from senders they don’t know, Mr. Musgrave wrote in a recent column. Updating all software regularly and backing up data are also essential. And Mr. Musgrave emphasizes the importance of “whitelisting.”

“Health care systems are fragmented in their management of systems and data,” Mr. Musgrave wrote in his column. “Their ability to patch legacy systems and employ cybersecurity staff varies enormously. Therefore, application whitelisting is essential. Rather than blacklisting known malicious software, an application whitelist prevents the launching of any executable program (known or unknown) that does not have explicit authorization. This, in combination with strong firewalls and network segmentation tools like micro-segmentation, provides stronger security.”
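The distinction Mr. Musgrave draws, a blacklist that stops only known-bad programs versus a whitelist that refuses anything without explicit authorization, as an added example that is not the Doctors Company's or any product's code. The four stand-in "executables", their contents and their hashes are constructed for the demo; the gates decide purely on SHA-256 of the file:

```python
"""Deny-by-default application allowlisting next to the blocklist model it
replaces, run over constructed stand-in 'executables' in a temp directory.
Example code added to this page, not any vendor's enforcement engine."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash the file in chunks so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class BlocklistGate:
    """Signature-style logic: run anything unless its hash is already known bad."""

    def __init__(self, bad_hashes):
        self.bad = set(bad_hashes)

    def check(self, path: str) -> str:
        return "block" if sha256_of(path) in self.bad else "allow"


class AllowlistGate:
    """Application whitelisting: run only binaries with explicit authorization."""

    def __init__(self, approved_hashes):
        self.approved = set(approved_hashes)

    def check(self, path: str) -> str:
        return "allow" if sha256_of(path) in self.approved else "block"


def run_scenarios() -> dict:
    """Return {scenario: (blocklist decision, allowlist decision)} for four cases."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, content):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            return p

        # Constructed stand-ins; a real gate hashes the PE/ELF image at load time.
        ehr = write("ehr_client.exe", b"MZ approved EHR client build 4.2")
        known_bad = write("invoice.pdf.exe", b"MZ ransomware family with a published signature")
        novel = write("payload.exe", b"MZ freshly recompiled dropper nobody has seen yet")

        blocklist = BlocklistGate({sha256_of(known_bad)})   # only what AV already knows
        allowlist = AllowlistGate({sha256_of(ehr)})         # only what IT approved

        results = {}
        for label, path in (("approved_ehr_client", ehr),
                            ("known_malware", known_bad),
                            ("novel_payload", novel)):
            results[label] = (blocklist.check(path), allowlist.check(path))

        # Trojanize the approved client by appending one byte: no blocklist knows
        # this file, but its hash no longer matches the authorization, so the
        # allowlist refuses it while the blocklist waves it through.
        with open(ehr, "ab") as f:
            f.write(b"\x90")
        results["tampered_ehr_client"] = (blocklist.check(ehr), allowlist.check(ehr))
        return results


if __name__ == "__main__":
    for scenario, (bl, al) in run_scenarios().items():
        print(f"{scenario:22s} blocklist={bl:5s} allowlist={al}")
```

The novel payload and the tampered client are the cases that matter: both pass the blocklist and both fail the allowlist. Two caveats for anyone deploying the real thing. A user-space hash check like this is only an illustration; production enforcement belongs in the operating system's own mechanism (for example AppLocker or Windows Defender Application Control on Windows), which evaluates the image as it is loaded rather than before, so the file cannot be swapped between check and launch. And pure hash allowlists break on every vendor patch, which is why publisher-certificate and path rules are normally combined with hash rules, and why interpreters and scripting engines need rules of their own, since an approved interpreter will happily run an unapproved script.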

In addition, consider implementing data security policies and incident response protocols as well as employee training on securing patient data, ProAssurance’s Ms. Tullos said.

“A breach can also occur within a third-party vendor’s system and infiltrate the physician’s records, so it is important to discuss cybersecurity with those vendors, and all parties should purchase cyberliability insurance,” she said.

agallegos@frontlinemedcom.com
