Anthem today, HME providers tomorrow?

Tuesday, May 26, 2015

Just how much does a provider stand to lose from a hacker’s breach of protected health information (PHI)? Consider a recent theft in Richardson, Texas, where 5,000 individuals had their PHI stolen. According to Ponemon Institute’s 2013 “Cost of Data Breach Study,” the average cost to the provider per breached record is $188. Even with the Richardson breach of 5,000 individuals being well below the U.S. average of 28,000 records per attack, the total cost of that 2014 incident tops $940,000. Gulp!

Even if you have strong security and privacy controls, you are not immune to cyber extortion or theft of PHI by external sources or internal (rogue) employees. Once a data breach or privacy incident occurs, immediate expertise is needed to navigate the complex landscape and to mitigate financial losses. The cost of a breach could easily put a provider out of business.

Cyber criminals are targeting businesses in all industries, large and small. In the time it takes to hack into a major company like Anthem, Citigroup or Sony, a hacker could steal data from dozens of smaller businesses without being detected. They don’t play favorites and they certainly aren’t slowing down.

The number of data breaches, as well as the costs of complying with customer notification requirements and restoring compromised systems, continues to increase steadily. Additionally, it’s not just the professional hacker posing a threat. Old-fashioned events, such as the loss of physical property, including laptops and paper files, may result in a similar breach.

Cyber liability insurance is protection for loss that arises out of unauthorized use of, or unauthorized access to, electronic data or software within your network or business. This coverage provides for liability claims from spreading a virus or malicious code, computer theft, extortion, or any unintentional act, mistake, error, or omission made by your employees while performing their job.

There are several reasons why providers should consider adding cyber liability insurance to their risk management program.

• Exposure: even the best network security may not stop a malicious insider who has access to computer and paper files.

• Human error: unintentional mistakes happen all the time.

• Easy access: lock and key are no longer enough when information is readily and easily accessible through networks, laptops, tablets, cell phones, etc.

• Regulation: from HIPAA to GLBA, from the Fair Credit Reporting Act to the new Identity Theft Enforcement and Restitution Act, this influx of regulation leads to new insurance needs.

Cyber liability insurance not only provides comprehensive protection, but also helps in managing risk. It will cover the costs of notifying affected parties, business income and extra expense, extortion payments and public relations/crisis management expenses. Insurance policies have been designed to provide coverage for those costs and more, such as web content liability, network security, Internet liability, regulatory defense, and intangible assets (damages to code or data).

With more than 50 insurance companies now offering mono-line cyber liability insurance, premiums have been decreasing as the market develops a better understanding of the risk. Unfortunately, there is no “cookie cutter” program that fits the needs of all businesses, especially healthcare providers. In the wrong hands, protected health information and personal records are as valuable as credit card information.

Tim Able is director of sales & marketing for SeibertKeck Insurance with headquarters in Akron, Ohio.