Feature

Cyberliability insurance: Should you purchase a policy?

View on the News

Michael E. Nelson, MD, FCCP

Michael E. Nelson, MD, FCCP, comments: Being old enough to remember a paper chart and scheduling book, I can't help but marvel at how the electronic health record (EHR) has fallen short of its expectations and added to the cost of medical care. Well, let's add cybersecurity insurance to the cost of doing business. While I love the ability to look at a chest x-ray or CT without a viewbox, I can't think of many other things that the EHR has done to make me a more efficient physician. It has, however, spawned many cottage industries that provide "must have" services with their attendant fees. The ever-increasing regulatory and administrative burdens and costs placed on physicians' practices are making it impossible for smaller practices to remain financially viable, leaving smaller communities without medical services. I don't think this was the intent when we decided to "modernize" medicine. It makes me want to go back to those halcyon days of the paper chart - try phishing one of those, you hackers.


 

Manage risk before a breach

Of course, there is plenty that practices can do to prevent – and protect themselves from – a health data breach before it happens. Providing employee awareness training is an important step, said Craig Musgrave, chief information officer of the Doctors Company. Institute a training program for staff at all levels and go over the basics, such as refraining from opening emails from senders they don’t know, Mr. Musgrave wrote in a recent column. Updating all software regularly and backing up data are also essential. And Mr. Musgrave emphasizes the importance of “whitelisting.”

“Health care systems are fragmented in their management of systems and data,” Mr. Musgrave wrote in his column. “Their ability to patch legacy systems and employ cybersecurity staff varies enormously. Therefore, application whitelisting is essential. Rather than blacklisting known malicious software, an application whitelist prevents the launching of any executable program (known or unknown) that does not have explicit authorization. This, in combination with strong firewalls and network segmentation tools like micro-segmentation, provides stronger security.”

In addition, consider implementing data security policies and incident response protocols as well as employee training on securing patient data, ProAssurance’s Ms. Tullos said.

“A breach can also occur within a third-party vendor’s system and infiltrate the physician’s records, so it is important to discuss cybersecurity with those vendors and all parties should purchase cyberliability insurance,” she said.
