Cybercrime can be devastatingly expensive. The recent ransomware attack on Scripps Health in San Diego has cost them nearly $113 million, including $91.6 million in lost revenue. The attack occurred on May 1 and severely disrupted patient care for nearly a month.
Scripps had cyber insurance, and yet their losses are more than five times the insurance recovery they expect (about $20 million anticipated by the end of the year). The ransomware attack compromised the personal and health information of nearly 150,000 individuals. So, in addition to the financial losses, they face numerous other challenges, including class action lawsuits filed in a federal court in California, and potential investigations by the Office for Civil Rights (OCR), which enforces the federal HIPAA rules, and the state of California, which enforces state health information privacy laws.
Cyber criminals can easily defeat legacy software and unpatched systems. Ironically, the U.S. government maintains a public vulnerability database to warn industry of newly discovered software flaws. Unfortunately, the same database is also a roadmap for cyber thieves, who know that many organizations leave published flaws unpatched. Old software and unpatched systems need to be identified through HIPAA Risk Management, and then replaced or updated.
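The paragraph above says unpatched and end-of-life software must be identified, but not how. The following Python script, added here as an illustration and not part of the original article or any vendor tool, shows the core of that check: it compares a software inventory against a list of advisories (the product names, hostnames, versions and advisory text are all constructed for the example) and reports each asset that is below the fixed version ("update") or runs software the vendor no longer patches ("replace"). A real risk-management workflow would feed it from an asset inventory and the public vulnerability database instead of inline lists.

```python
"""Flag inventory assets that run software below an advisory's fixed version
or software that has no fix at all (end of life).  All data below is
constructed for this example; the product names do not refer to real products."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: Optional[str]  # None means the vendor ships no fix (end of life)
    note: str


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str


@dataclass(frozen=True)
class Finding:
    hostname: str
    product: str
    version: str
    action: str  # "update" when a fixed version exists, "replace" otherwise
    note: str


# Constructed, simplified stand-in for entries pulled from a vulnerability feed.
ADVISORIES = [
    Advisory("ExampleVPN", "8.4.2", "remote authentication bypass fixed in 8.4.2"),
    Advisory("ExampleEHR", "12.1.0", "privilege escalation fixed in 12.1.0"),
    Advisory("LegacyOS", None, "vendor support ended; no patches available"),
]

# Constructed, simplified stand-in for an asset inventory export.
ASSETS = [
    Asset("ehr-app-01", "ExampleEHR", "12.0.3"),
    Asset("ehr-app-02", "ExampleEHR", "12.1.0"),
    Asset("vpn-gw-01", "ExampleVPN", "8.3.9"),
    Asset("lab-pc-07", "LegacyOS", "6.1"),
    Asset("vpn-gw-02", "ExampleVPN", "8.4.2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so that 8.10 sorts after 8.9.
    Missing trailing components compare as lower (Python tuple semantics)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def assess(asset: Asset, advisory: Advisory) -> Optional[Finding]:
    """Return a Finding if the advisory applies to this asset, else None."""
    if asset.product != advisory.product:
        return None
    if advisory.fixed_in is None:
        # No fix will ever ship: the asset has to be replaced or isolated.
        return Finding(asset.hostname, asset.product, asset.version, "replace", advisory.note)
    if parse_version(asset.version) < parse_version(advisory.fixed_in):
        return Finding(asset.hostname, asset.product, asset.version, "update", advisory.note)
    return None  # already at or above the fixed version


def unpatched_assets(assets: List[Asset], advisories: List[Advisory]) -> List[Finding]:
    """Every (asset, advisory) pair that still needs action, in inventory order."""
    findings = []
    for asset in assets:
        for advisory in advisories:
            finding = assess(asset, advisory)
            if finding is not None:
                findings.append(finding)
    return findings


def render_report(findings: List[Finding]) -> str:
    """Plain-text summary suitable for attaching to a risk register entry."""
    lines = [f"{f.hostname}: {f.product} {f.version} -> {f.action} ({f.note})" for f in findings]
    return "\n".join(lines) if lines else "no unpatched assets found"


if __name__ == "__main__":
    print(render_report(unpatched_assets(ASSETS, ADVISORIES)))
```

Tuple comparison is what makes the version check safe: a naive string comparison would rank "8.10.0" below "8.9.0" and silently leave a vulnerable host off the report.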
HIPAA Risk Analysis and Risk Management
Following HIPAA is by far the most important tool in the arsenal of defenses against cybercrime and loss of patient data. The security measures required by the HIPAA Security Rule put obstacles in the way of criminals and stop (or lessen the effects of) most attacks.
A good HIPAA compliance program is also critical to defend against lawsuits and state and federal investigations. If an organization can show that it did all in its power to follow HIPAA, including annual Risk Analysis and Risk Management, but a cyber criminal got through its best defenses in spite of those efforts, it is much better off than if it had ignored HIPAA or followed it halfheartedly. Organizations that don't meet the standard of care required by HIPAA end up paying far larger judgments and settlements than those that tried to comply.
Growing Demand for Cyber Insurance
Cybersecurity risks are skyrocketing globally across sectors, and the cost to the healthcare sector is far greater than to other sectors. It’s natural that organizations are looking for ways to insure against losses that seem inevitable.
Demand for cyber insurance has grown at warp speed. But actuaries trying to calculate risks and set premiums are in uncharted territory because information technology is also growing at warp speed.
The healthcare industry must be exceptionally vigilant. Healthcare is under siege because cyber criminals know information is the lifeblood of any medical institution. Criminals demand ransom for its release and also sell it on the dark web.
Cyber criminals probe for soft targets across the globe. In the U.S. there are about 700,000 healthcare providers and millions of business associates maintaining protected health information (PHI). All of them should do what they can to support the national call for improved cybersecurity. All sectors need to do better. For healthcare providers it is literally a matter of life and death.
What does Cyber Insurance Cover?
Traditional insurance policies are backed by historical data. But cybersecurity risks are relatively new, and the data about security breaches and losses are limited, which means cybersecurity insurance has no standard scoring systems or actuarial tables to help set rates. The problem is compounded by the reluctance of organizations to reveal details of security breaches, for fear of loss of market share, loss of reputation and so forth.
Without reliable risk information, cybersecurity coverage may be limited and expensive. Nonetheless, cyber insurance may be an important tool to mitigate losses.
Learn about cyber insurance policies if you think one might help your organization. They generally cover two types of risk:
- first party coverage for the policyholder’s own losses or damages incurred in responding to a data breach or other cyber incident; and
- third party liability coverage for protection in the event of claims against the policyholder because of a data breach or cyber incident, such as privacy lawsuits from patients.
It is important to review policies and coverage terms carefully and in their entirety.
Cybersecurity Defense Starts with HIPAA
HIPAA compliance is a blueprint to defend against cybercrime. Use it to do your Risk Analysis once a year and follow a Risk Management program 365 days a year. Train the workforce in basic HIPAA rules and security awareness. Cyber insurance may also be a good choice for you but it doesn’t replace HIPAA awareness and a vigilant compliance program.