Is carrying cyber insurance needed in a medical practice?

August 27, 2020

"We had a Russian-based attack. All of our data was encrypted. They said they’d give us back our data for $24,000 in bitcoins," says one urologist.

Urology Times reached out to 4 urologists (selected randomly) and asked them each the following question: Is carrying cyber insurance needed in a medical practice?

“We have insurance for our EMR and computer system in case we break down, but we’ve also carried cyber insurance for at least 7 years. It covers us for ransom, as well as potential penalties if personal data is compromised.

Attacks are increasing across the world. Health care providers are prime targets due to personal data with which we’re entrusted. We have an in-house IT department working 24/7 to make our electronic medical records and our internet exposure as safe as possible from cybercrime, but cybercrime is ongoing, so cyber insurance will be normal for practices as time goes on.

In any medical practice, the first step in protecting itself is to be as strong as possible—from password protection to firewalls and ongoing surveillance for scams.

Both financial and medical information security are important. From the HIPAA standpoint, it could be devastating if medical records were victimized by a cyber attack. Then there’s the ransom that’s been seen in multiple businesses, which has a huge financial impact.

Depending on the size of the practice, the amount of cash flow you’re out on a daily basis could be minimal, but HIPAA violation fines could be massive.

Government agencies can judge whether enough was done to protect against attacks. Our practice tries to maintain as tight security as possible, but that bar is constantly changing.”

Douglas Tietjen, MD / Kansas City, Missouri

“I have a Mac. They have pretty good internet security. They keep changing things based on what’s happening, so I’m not worried somebody could take us hostage and try to close down my system.

I don’t see a need to insure against a cyber attack. My office has its own firewall system. I’m confident hackers can’t get through it.”

Arnaldo Trabucco, MD / Merced, California

“When I think about security for medical records and electronic medical records, we’re a private practice group and it just hasn’t come up in our group.

We have IT people that we pay a lot of money to and they take care of all our security needs. If something does break so that we can’t log on, we call them and they’re here. They also work on our personal computers, so we’ve never had an issue. We feel we’re well protected by our IT professionals that maintain all that equipment in the office.

We haven’t discussed hackers. We have a huge practice, but there are only 3 of us, which is unusual in today’s landscape. Maybe that protects us also.

We’re extremely busy—we do every procedure in urology and see a ton of patients weekly, but cyber security hasn’t really been an issue because our IT guys protect us.

The strongest protection is a good IT system to keep security strong. We pay a decent amount of money, so we take this seriously. We have two guys who are here periodically to make sure we have no issues.”

Salim Hawatmeh, MD / St Louis, Missouri

“We were held for ransom. It’s a crazy story. We were transitioning from a local IT group we’d had for 10 years, to a new group, when one morning we got an email that said, ‘Get ready to have a bad day.’

We had a Russian-based attack. All of our data was encrypted. They said they’d give us back our data for $24,000 in bitcoins. We said, ‘Before we do that, we want to make sure you can do what you say you can do.’ The funny thing was, they said, ‘Oh, we’re sorry, the guy who unencrypts these files is on vacation.’ We said, ‘What the heck is this?’

We ended up paying a US-based encryption company more than $70,000 to fix it. Our new IT company took full responsibility, even though it was probably not their fault. We think a virus was sitting in our computers for weeks before being activated.

We lost probably 2 to 3 weeks of revenue because we were down to paper. We had 2 insurance policies—1 via our medical malpractice and another from insurance on our building that enabled us to reclaim some losses.

It was a tremendous learning experience.

Actually, we recently paid a company to attack us. Before the electronic medical records (EMR) company would return our data, we needed to make sure we were secure.

When the penetration results came, we were stable, but the EMR company had 3 issues needing repair.

I would absolutely advise practices to carry actual cyber insurance—100%! We do carry specific cyber insurance now.

It’s interesting the hackers were not interested in patient medical or financial data …just in holding us hostage/demanding ransom.”

Mark Memo, MD / Boardman, Ohio