Insurance is the latest hot topic I get asked about all the time. We carry an extensive policy since we interact with PHI from many offices; if we caused a breach it would affect hundreds of thousands of patients. We also have the ability to extend this policy to cover our clients, which is amazing since there are a lot of not-so-stellar policies out there.
Keep in mind that having insurance doesn’t mean you can do nothing and expect the carrier to pay for everything. Most carriers now require a minimum standard, or good hygiene, before they will insure your practice.
We have found that most of these requirements are easily met when working with a Managed Services Provider (like ACS). The carrier expects that you are not engaging in egregiously risky behavior, and some carriers have gone after policyholders who lied about their security practices and then filed claims that were paid out. A Boston facility found out the hard way that you can’t lie to your insurance carrier, or they will come after you.
Cyber and Data Breach Insurance is still fairly new in the insurance space. General Liability, Disability and Workman’s Comp policies are fairly similar between carriers, differing mainly in price, limits and deductible; Cyberliability policies, by contrast, often have low limits and lots of exclusions. You expect this insurance to cover you, but what happens when the carrier denies the claim over something you thought was covered? You get stuck with the expense. ACS has personally seen data breaches cost between $50,000 and $800,000. That’s a wide range to be uncertain about.
Of course, ACS has a comprehensive plan that protects you with a complete solution, including Cyber, but if for some crazy reason you want to get your own, here are some things you can look for in Cyber insurance:
I see a lot of $50,000 and $100,000 policies out there, most of which carry very expensive premiums. Even in a best-case scenario (where we have everything in place proactively) you can burn through that amount easily in notification costs and fighting frivolous lawsuits.
There is a limit to how many words I can put in a blog post; otherwise I’d share all the exclusions I’ve run into over the last few years. My favorites have been:
- Credit Card policies attempting to cover HIPAA
- Event caused by error or omission. Come on now, aren’t most breaches caused by someone’s error or omission?
- Legal Defense Costs. This is one of the single most expensive parts of breach mitigation that you will have. Why wouldn’t it be covered?
- Repeat Offenders. It’s like bad-driver policies: if you keep having breaches, you will get blacklisted.
- “Any virus or malicious code that is or becomes named by CERT”. This one has got to be my favorite. All viruses or malware get named by CERT at some point. It’s a legal loophole to shift financial responsibility back to you.
Parameters You Can’t Meet
A new trend in Cyber Insurance is making you responsible for your vendors and for vetting them regularly. Most healthcare practices barely have enough time to do the basics, let alone go to each of their vendors and ask them to expose all of their vulnerabilities for the purpose of you getting insurance. It is important to vet your Business Associates, as they introduce a lot of unnecessary risk to your practice, but it’s even more important that, if you do have to work with risky vendors, you make them financially responsible should they cause a breach. (Read Blog Post What To Look For In A Business Associate Agreement)
Bottom line: Cyberliability & Data Breach Insurance is important, and you should get it, but look out for the gotchas. You don’t want to operate as if you are protected only to find out you are left footing the entire bill in addition to the premiums you paid.