Keith Loria is a contributing writer to Medical Economics.
In an era of increasing and costly cyber-attacks in health care, physician practices must arm themselves with technical controls as well as internal protections to reduce their risk, according to Michael C. Lamprecht, president of Chicago-based BigData Insure, LLC.
Lamprecht spoke at the LUGPA annual meeting in Chicago in a presentation designed to educate urologists on potential cyber risks and how practices might be affected by a privacy breach, ransomware attack, extended computer system downtime, and similar cyber perils that frequently impact the health care field.
A 20-year veteran of the insurance industry, Lamprecht initially started working with technology and dot-com firms before dedicating himself to a single type of risk, now known as cyber risk. Over the past 25 years, he’s been providing cyber risk management consulting and cyber risk insurance to all types of firms.
He explained that various industries face different cyber risks, and physician practices have increased exposure to certain risks, such as privacy breaches and reputational injury as well as unique exposures, including negative patient outcomes as a result of cyber-attacks.
Lamprecht told LUGPA attendees how to identify their own cyber risks and potential losses based on their practice’s activities, use of technology, and the data collected from patients, insurers, and vendors. The core cyber risks for urologists, he said, are employee dishonesty, human error, viruses, hacking, software failures, ransomware, and social engineering, which commonly cause urologists to incur financial losses due to the resulting privacy breaches, HIPAA violations, computer system downtime, loss of patients, extortion payments, and fraudulent funds transfers.
Practices held for ransom
In one example provided by Lamprecht, a small physician practice was the victim of a sophisticated ransomware attack designed to “lock” the firm’s equipment, software, and databases.
“The hackers demanded $58,000 to unlock files, and the group paid the ransom and unlocked the equipment,” he said. “However, some damage was done, which required some of the data to be restored by a specialty IT firm. In this scenario, the extortion coupled with the $53,150 in data restoration and $29,800 loss of income resulted in a total loss of more than $143,000.”
In another example, a hacker found his way into an insured’s computer system after stealing a physician’s laptop, which had remote access to the patient information database, resulting in mandatory notification in 27 states and optional notification in two other states. However, before the practice could notify customers, it had to conduct extensive forensics to identify which patients were affected and pay credit reporting agencies for the current contact data for many of them.
“The insured opted to provide their clients with a full 24 months of identity restoration and monitoring services supported by a private call center,” he said. “The total loss was $495,305.”
Next: Cyber risk protectionsCyber risk protections
Cost-effective cyber risk loss prevention protections include technical controls such as virus protections, firewalls, user access control, and data encryption as well as policy- and procedures-based loss prevention, including a firm privacy/security policy, employee security training, data sharing, and compliance with state and federal regulatory guidelines and best practices.
Lamprecht also offered advice if a privacy breach does occur. “A coordinated response to a privacy breach includes immediate triage and response, scope and impact assessment, targeted response to resolve issues, and long-term monitoring to prevent recurrence,” he said.
Does medical malpractice insurance cover cyber risk claims? Lamprecht explained that in some cases, it may provide help with claims, but it depends on the circumstances of the claim, the type of loss, and the policy in place. He suggests reviewing your policy carefully.
When discussing cyber risk insurance for urologists, he gave examples of policies designed to protect small- to medium-sized physician practices from first- and third-party cyber risk losses. Some policies also include coverage for medical billing errors and omissions, he said, and many insurers offer health care-focused incident response services as well as access to risk management services and best practice training.
Types of coverage available to urologists, Lamprecht said, include Data Breach Response Expenses coverage, which covers the insured’s expenses of responding to a data privacy breach including technical forensics to identify the source and scope of the data breach; legal counsel, to advise on the applicability and actions necessary to comply with professional, ethical, and regulatory requirements; notification, to alert individuals or organizations about a data breach; identity monitoring, to provide data breach victims with health care record monitoring, credit monitoring, identity theft remediation, and fraud resolution for up to 24 months; and public relations, to advise on, design, implement, and execute a response to reduce damage to the practice’s reputation and prevent loss of patients.
Other coverages available include Network Security and Privacy liability, which covers the insured for regulatory investigations, legal defense costs, damages, fines, and penalties due to a privacy breach, HIPAA violation, negative patient outcome, or breach of payment card industry violations; Electronic Data Restoration Expense, which covers the insured’s expenses of repairing the practice’s computer and electronic data following a cyber-attack; Business Interruption and Extra Expense, which covers the insured for a loss of income following a cyber-attack; Ransomware and Extortion, which covers the insured for extortion payments and expenses to mitigate or terminate a threat to disclose patient information, disrupt the practice’s computer system, or lock the physician’s computer system or data with ransomware; and Cyber Crime (fraud) and Social Engineering, which covers the insured for loss of money or securities due to fraudulent funds transfers.
Lamprecht said capacity in the cyber risk insurance market is growing, with more than 65 insurers offering cyber risk insurance products and up to $500 million in capacity across the marketplace.
The key take-aways, he said, are that urologists need to understand their cyber risks, implement critical protections, and if they choose to purchase insurance, make sure they buy the correct coverages for the practice.