In an era of increasing and costly cyber-attacks in health care, physician practices must arm themselves with technical controls as well as internal protections to reduce their risk, according to Michael C. Lamprecht, president of Chicago-based BigData Insure, LLC.
Lamprecht spoke at the LUGPA annual meeting in Chicago in a presentation designed to educate urologists on potential cyber risks and how practices might be affected by a privacy breach, ransomware attack, extended computer system downtime, and similar cyber perils that frequently impact the health care field.
A 20-year veteran of the insurance industry, Lamprecht started out working with technology and dot-com firms before dedicating himself to a single type of risk, now known as cyber risk. Over the past 25 years, he has provided cyber risk management consulting and cyber risk insurance to all types of firms.
He explained that different industries face different cyber risks. Physician practices have heightened exposure to some of the common ones, such as privacy breaches and reputational injury, and also face exposures unique to medicine, including negative patient outcomes caused by a cyber-attack.
Lamprecht told LUGPA attendees how to identify their own cyber risks and potential losses based on their practice’s activities, use of technology, and the data collected from patients, insurers, and vendors. The core cyber risks for urologists, he said, are employee dishonesty, human error, viruses, hacking, software failures, ransomware, and social engineering. These commonly lead to financial losses through the resulting privacy breaches, HIPAA violations, computer system downtime, loss of patients, extortion payments, and fraudulent funds transfers.
Practices held for ransom
In one example provided by Lamprecht, a small physician practice was the victim of a sophisticated ransomware attack designed to “lock” the firm’s equipment, software, and databases.
“The hackers demanded $58,000 to unlock files, and the group paid the ransom and unlocked the equipment,” he said. “However, some damage was done, which required some of the data to be restored by a specialty IT firm. In this scenario, the extortion coupled with the $53,150 in data restoration and $29,800 loss of income resulted in a total loss of more than $143,000.”
In another example, a hacker got into an insured practice’s computer system after stealing a physician’s laptop that had remote access to the patient information database. The breach triggered mandatory notification in 27 states and optional notification in two others. Before it could send those notices, the practice first had to conduct extensive forensics to identify which patients were affected and pay credit reporting agencies for current contact data for many of them.
“The insured opted to provide their clients with a full 24 months of identity restoration and monitoring services supported by a private call center,” he said. “The total loss was $495,305.”