“We have cyber insurance. We’re covered.”

Posted by Ken Reiher

Krystyna Monticello, ESQ, Healthcare Attorney, Attorneys at Oscislawski LLC, Princeton, NJ

Gerry Blass, President & CEO, ComplyAssistant, Colts Neck, NJ

Why this statement is false and how you can protect your organization

“It’s not a matter of if. It’s a matter of when.” Have you heard this – or even said it yourself – when discussing cybersecurity matters at your healthcare organization?

Whether or not we want to believe it, and no matter how much we prepare, this is a true statement. We can document procedures, test our policies and put security around our networks that even Fort Knox would envy. But it is simply not possible to cover every single angle due to the potential for human error and the complexity of networked infrastructures. That is part of the reason why cybersecurity insurance exists, to be there when the unthinkable happens.

Cybersecurity insurance: The basics

Any healthcare organization that conducts business via email, has an electronic medical record (EMR) or similar record-keeping system or transmits data electronically needs some form of cybersecurity insurance. With the focus on meaningful use, promoting interoperability, population health and care coordination, this describes the majority of healthcare providers in the country.

It is just as important for solo physician practices to have cyber liability insurance as it is for larger healthcare entities. Obviously, the needs of a multi-facility healthcare system will differ from those of a solo physician practice or other healthcare provider. Thus, the types of cyber insurance will vary, depending on the size, operations and needs of the provider, as well as the type of policies being offered by the insurer.

Unlike other forms of insurance, there is no “standard” or traditional policy offered by an insurer. However, insurance companies will generally require providers to complete a questionnaire (think of it as an upfront attestation), which will help the insurer:

  • Determine the type and amount of data maintained and processed by the provider,
  • Determine the nature of existing privacy and security safeguards,
  • Determine the risk profile of the provider, and
  • Determine what type of insurance the provider needs.

During this upfront attestation, insurers most likely will not request actual policies or documentation, although it is not unheard of for copies of your organization’s privacy policies to be requested. They will assume that you are truthful in your responses and determine your risk profile accordingly. If you represented something in the questionnaire that simply was not true, the insurer can deny coverage.

TIP: Make sure your upfront attestation questionnaire is either completed by, or vetted by, someone on your staff who knows your security policies.

Although it is rare that a healthcare organization cannot get some form of cyber insurance coverage, it is possible. More typically, an insurer will levy a higher premium or limit access to certain policy coverage depending on the responses provided by the organization. For organizations that can demonstrate more robust security controls, an insurer may charge lower premiums, for example.

Cyber insurance mitigates the majority of the more expensive costs related to cybersecurity breaches, including legal fees and the costs associated with notification of affected parties and credit monitoring services, and certain business interruption costs. However, it does not typically cover all costs related to reputational harm, loss of business, business continuity or regulatory authority audits. In addition, coverage in the event a claim is filed could be denied for a variety of other reasons, such as policy exclusions, failure to maintain safeguards represented as part of the application process, or because the cyber event was of a type considered by the insurer to be not covered by the policy.

Cyber insurance won’t cover negligence

Just like any other type of insurance, cyber insurance won’t protect your organization if you’re negligent in your security controls and policies.

Don’t get caught in the misguided trap of thinking “We have insurance, so we’re covered.” Although this isn’t the pattern of thinking most healthcare organizations routinely fall into, having cyber insurance should never lull your organization into a false sense of security.

For your cyber insurance policy to cover any breach within the available coverage and limits, you must be able to document existing policies, procedures and controls, and show evidence that you have continually audited and updated those controls to remain as secure as possible. This level of due diligence requires the right resources, the right expertise, a keen sense of urgency, corporate governance and a long-term strategic plan.

Layers of protection: Assessments and governance

Cybersecurity insurance policies are typically for renewable one-year periods. Although you may not need to complete the insurer’s initial application and attestation each year, you will have to agree to the policy terms. A few things to consider:

  1. Make sure you know what the policy covers, including coverage for critical operations. Work with an insurance broker to assess what coverage options may be available to address risks unique to your organization’s operations and environment.
  2. Err on the side of more coverage, rather than less. A breach response can be costly, depending on the number of individuals affected and type of data affected, and lower policy limits will quickly be exhausted.
  3. Don’t be afraid to shop around to find comprehensive coverage. An insurance broker can help you find the right coverage and answer any policy questions.
  4. Be proactive about your organization’s privacy and security posture. Perform your annual security risk assessment, making sure it is updated according to any new regulations or changes in the system’s environment or operations.
  5. If anything has changed from your original attestation, proactively communicate with your insurer.
  6. Document any high-risk areas and what your plan is to mitigate them. If you do not have an immediate fix, explain the long-term plan and what temporary measures can mitigate the risks in the interim. Document everything you can to show that such steps were taken.

If the same issues keep coming up year after year on your security risk assessment, work together to develop alternative solutions. Perhaps you do not have the budget or expertise for the best solution, but what can you do in the meantime to mitigate risks? Be creative in your solutions. Understand the barriers and look for a short-term solution if necessary. Something is always better than nothing.

TIP: Make cyber insurance a regular talking point at your governance steering committee meetings. Make sure the team is aware of existing risks and what insurance will not cover.

The worst-case scenario is when healthcare organizations were aware of the risks and threats they faced and did nothing about them. Cross-functional governance and oversight are critical to making sure your organization is prepared and protected. If documentation is the key to proving due diligence, then governance is the key to transparency and accountability.
