Barbara L. McAneny, MD, CEO of New Mexico Oncology Hematology Consultants, experienced a data breach about 10 years ago, when a laptop was stolen from her large practice.
She and the other physicians were upset and worried that the individual would attempt to log in to the computer system and hack their patients’ private health information.
Dr. McAneny was also worried that the practice would have to pay a hefty fine to the government for having unsecured private health information on a laptop. She could have paid from $50,000 to more than $1.9 million for lost and stolen devices (although that didn’t happen).
Dr. McAneny had a standard cyber liability benefit in her med-mal policy that covered up to $50,000 of the data breach costs. That covered the legal advice The Doctors Company provided about state and federal reporting requirements when a data breach occurs and the costs the practice incurred from mailing letters to all of its patients notifying them of the data breach, says Dr. McAneny.
“The data breach taught me a lot. Our practice spent a lot of money on increasing our internal controls, cybersecurity, and monitoring. Our IT department started testing our computer firewalls periodically, and that’s how we discovered that cybercriminals were attempting to break into our computer system at least 100 times daily,” says Dr. McAneny.
That discovery changed how she thought about insurance. “I decided the med-mal benefit wasn’t enough. I bought the best cybersecurity policy we could afford to protect against future breaches, especially malware or ransomware attacks.”
Her practice also had to make its electronic health records (EHRs) more secure to comply with the Department of Health & Human Services Office of Civil Rights standards for protected health information. The cost of increased security wasn’t covered by her cyber benefit.
Cyberattacks increasing in health care
Despite having comprehensive coverage, Dr. McAneny worries that the cybercriminals are a step ahead of the cybersecurity experts and her practice will eventually have another data breach.
“The policy only covers things that we know about today. As we upgrade our defenses, criminals are finding new ways to breach firewalls and work around our defenses,” she says.
So far this year, nearly 200 medical groups have reported cyberattacks involving 500 or more of their patients’ medical records to the federal government.
EHRs are valuable targets to cybercriminals because of the protected health information they contain. Cybercriminals grab information such as Social Security numbers, dates of birth, medical procedures and results, and in some cases billing and financial information and sell it on the dark web.
They typically bundle the information and sell it to other criminals who later use it for various kinds of fraud and extortion such as banking and credit fraud, health care fraud, identity theft, and ransom extortion.
What do most doctors have?
The vast majority (82%) of doctors polled by the Medical Group Management Association last year said they had cyber insurance, compared with 54% in 2018.
For those who answered “yes,” many said they have coverage through their malpractice insurance carrier.
David Zetter, president of Zetter HealthCare Management Consultants, recommends that physicians speak with their malpractice carrier to determine what coverage they have, if any, within their malpractice policy.
A typical cybersecurity benefit is limited to what is needed to fix and resolve the hacking incident, says Raj Shah, senior regulatory attorney and policyholder advisor at MagMutual, which insures medical practices for malpractice and cyber liability.
That usually covers investigating the cause of the breach and the extent of the damage, legal advice about federal and state reporting requirements, whether to pay a ransom, and a public relations professional to handle patient communication, says Mr. Shah.
The benefit doesn’t cover lost patient revenue when practices have to shut down their operations, the cost of replacing damaged computers, or the ransom payment, he says.
Mr. Zetter advises doctors to consider buying cybersecurity coverage. “I recommend that they speak with an insurance broker who is experienced with cybersecurity policies sold to health care professionals to determine what type of coverage and how much coverage they may need. Their malpractice carrier may also be able to provide some answers,” says Mr. Zetter.
The physician will need to be able to answer questions about their network and how many staff they have and may need to involve their IT vendor too, he adds.
How does comprehensive coverage compare?
Ransomware attacks continue to be one of the most frequent types of attacks, and the amount criminals are demanding has risen significantly. The median ransom payment was $5,000 in the fourth quarter of 2018, compared with over $300,000 during the fourth quarter of 2021.
Cybercriminals now engage in “double extortion” – demanding a ransom payment to hand over the code that will unlock their encrypted data – and then another ransom payment to not post patients’ sensitive medical information they copied onto the dark web.
Comprehensive cybersecurity insurance will cover “double extortion” payments, legal costs that may arise from defending against patient lawsuits, and the costs of meeting federal and state privacy requirements, including notifying patients of the data breach and regulatory investigations, says Michael Carr, head of risk engineering for North America for Coalition, a cyber insurance firm.
Cyber insurers also contract with vendors who sell bitcoin, which is the currency cybercriminals typically demand for ransom payments, and work with ransom negotiators.
For example, once Coalition decided to pay the ransom on behalf of a health care client, it negotiated the ransom demand down by nearly 75% from $750,000 to $200,000, and proceeded to help the company restore all of its data.
The costs to respond to the incident, to recover lost data, and to pay the extortion, together with the lost business income resulting from the incident, were covered by Coalition’s cyber insurance policy.
Other clients have had their funds retrieved before a fraudulent wire transfer was completed. “Medical practices have vendors they pay regularly. A cybercriminal may compromise your email or take over a bank account and then impersonate a vendor asking to be paid for services they didn’t provide,” says Mr. Carr.