Identifying Cyber Risks and Protecting Health Care Organizations from Data Breaches

Overview

The modern business landscape requires increasing reliance on the Internet and forms of social media as a platform to interact with potential customers, share information with the public, and sell products and services.  Though these interactive mediums can provide businesses with increased efficiency and connectivity, they also create a variety of risks.  There have been many high profile examples of large-scale data breaches against corporations like Target and Home Depot, where hackers were able to steal credit card data from millions of customers.  However, businesses of all sizes in all types of markets are at risk for breaches including credit card fraud, theft of intellectual property, and theft of trade secrets or other competitive business information.

In response to this marked increase in data breaches, cyber liability policies have become increasingly common in the insurance marketplace.  In 2013, the market capacity for U.S. cyber liability was estimated at $1 billion; however, that number is expected to increase to beyond $2 billion by the end of 2014.[i]

Data Breaches in the Healthcare Industry

Although cyber risks apply to markets of all types and sizes, there is perhaps no market more susceptible to data breaches than the healthcare industry.  According to recent research, the healthcare industry suffers approximately 51% of all data breaches that occur, and approximately 94% of healthcare organizations have had at least one breach in the past two years.[ii]  By its very nature, the healthcare industry is particularly vulnerable to data breaches because it is required to rely on electronic records systems and digital communications to keep voluminous records of sensitive information.

Why Healthcare Industries?

The changing nature of the healthcare industry involves an increased reliance on electronic records to store personal information, making it ripe for cyber risks.  Healthcare providers store records with comprehensive personal information including financial information, social security numbers, health information, and employee information.  This sensitive information is not only vulnerable to breach, but it can be particularly valuable to exploit.

There are a number of factors seemingly working in concert with one another to make healthcare data breaches an increasingly problematic reality.  For one, the Affordable Care Act set out to insure up to an additional 35 million Americans, which changed the health care market landscape.  Due to the increased number of insured individuals, there is a greater demand for medical services and physicians.  In turn, the risks for cyber attacks only increase in light of the Affordable Care Act’s on-line exchanges and digitized records requirements.  Even though the ACA and HIPAA have strict data compliance standards, healthcare organizations remain at risk since they carry the responsibility of maintaining and protecting private personal/financial information on their customers/patients.

How Data Breaches Occur

There are two main ways that data breaches occur in the healthcare industry.  The first involves high-tech hacking through malware or viruses.  This type of data attack is less common but can be particularly disastrous if a skilled hacker is able to obtain substantial amounts of sensitive data, which is often extremely profitable for identity thieves.  For example, this past August, Chinese hackers stole medical records from 4.5 million patients by using sophisticated malware.[iii]  Instances such as this, which have become increasingly common, are clear evidence that healthcare information is valuable, and skilled hackers want access to it.

The other (more common) manner in which data breaches occur typically involves inadvertent disclosure or dissemination of sensitive data by a healthcare employee or third party associate.  This could be as simple as inadvertently sending a fax or email, failing to shred certain documents, or failing to password protect laptops, mobile devices, and Wi-Fi areas.  Sometimes this can even involve inappropriate conduct by employees in accessing or disseminating certain private information.  Even if an organization has a training and/or supervisory policy to prevent these sorts of instances, the ever-increasing proliferation of electronic data on a large scale makes this a very difficult problem to deal with systematically.  To accommodate the massive amounts of data that must be stored, organizations have to rely on more vendors and outside service providers as records and information custodians.  It is very difficult to oversee and prevent all problems that can occur in this type of system.

Regulatory Compliance Makes Data Breach Very Costly

State and federal regulations make data breaches very costly.  In Wisconsin, when there is a data breach involving the loss of personal information of third parties, the law imposes a number of different requirements.  Under Wis. Stat. § 134.98, any company that does business in Wisconsin must, upon learning that personal information pertaining to an individual has been acquired by an unauthorized person or entity, take reasonable measures to provide notice to that person within 45 days of discovery.  Additionally, in the event that an entity must notify 1,000 or more persons at one time of a security breach, that entity is required to also promptly notify all consumer reporting agencies of the breach and of the timing, distribution, and content of the notices.

Healthcare organizations also face additional data breach requirements in light of the HIPAA Breach Notification Rule (also known as the “omnibus rule”), which requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.[iv]  Compliance with these breach notification rules is required, and penalties can range from $100 to $1.5 million, depending on the violation.

The specific notification requirements depend on the circumstances.  In general, following a breach, covered entities must notify affected individuals, the Secretary of Health and Human Services, as well as the media if a breach affects more than 500 individuals.  Even in cases where a vendor or business associate is responsible for the breach, the covered entity is responsible for investigating and notifying.

Even a seemingly minor breach can have dire consequences.  The need for legal and forensic review of an incident, mass mailing to potentially affected individuals, and providing remedies can lead to costs reaching the millions.  Thus, data breaches threaten not only financial well-being, but also institutional stability, and organizational reputation.

Steps to Mitigate the Risk of Data Breach

Despite the risks, a number of practical steps can be taken to avert a potential data breach.  At a bare minimum, a healthcare organization should develop a comprehensive data recovery “disaster” plan to prepare for certain risks, and also to provide solutions in case the worst happens.  Additionally, organizations should train their employees in responsible data management and establish an adequate supervisory system developed by IT personnel to screen for inappropriate access.

Other practical steps that should be followed: continually update devices with up-to-date anti-virus software, encrypt all computers and devices with sophisticated passwords to limit access to only authorized users, and be diligent about secured access to data by installing firewalls and shredding paper documents.  Lastly, and perhaps most importantly, a healthcare organization should obtain proper insurance coverage to mitigate their risk.

Cyber Liability Insurance in the Health Care Industry

It is becoming increasingly common for healthcare providers to obtain cyber liability insurance to insure against specific cyber risks.  Most traditional commercial liability policies do not provide specific coverage for data breaches, or sufficient coverage for the liability that a healthcare provider can potentially face.  A traditional commercial general liability policy will not provide adequate coverage.  Even policies with endorsements for “advertising injury” or business interruption will exclude coverage for the type of private information at risk in a data breach.  In limited circumstances, certain endorsements to commercial policies may cover some data breaches.

Cyber liability policies typically cover first-party and third-party losses suffered as a result of a cyber security breach.  The scope of coverage can be tailored to a variety of risk scenarios.  With respect to third-party claims, a typical cyber insurance policy will cover costs of mitigating the insured’s potential liability from a privacy or security breach.  Covered expenses may include the following:

  • Crisis management expenses, including forensic investigation costs, costs to analyze legal responses, and costs of public relations consultants to repair reputational harm
  • Notification expenses, including the costs to notify affected parties, provide credit monitoring to affected parties, and operate call centers to respond to affected parties
  • Regulatory response costs for responding to regulatory investigations and settling claims
  • Claims expenses for defending lawsuits, including civil fines, penalties, judgments and settlements

Coverage for first-party expenses can also be available and would include expenses for business interruption, theft and communication losses, as well as costs for cyber extortion.

Cyber liability policies are not “one size fits all.”  It is important to identify the needs of your particular entity to find a policy that is affordable, adequately covers the risks your entity may encounter, and is tailored to your unique situation.

Premiums for cyber liability policies can range widely and are typically determined by a variety of factors including the volume of patient records being maintained, the annual revenue of the practice, existing control mechanisms, loss history, as well as the extent of perceived exposure.  Though these premiums can be costly, the risks associated with cyber breaches will typically substantially outweigh those costs.  Additionally, the insurance industry has gained a better understanding of cyber-related exposure due to the influx of breaches in recent years.  Therefore, coverage has become broader and premiums have generally become more affordable, considering the risks.

Managers and physicians for healthcare organizations and providers would be wise to review their coverage under their current policies and consider contacting a broker or agent to expand current coverage or obtain additional coverage to guard against the continuing.

For more information regarding Health Care Organization Cyber Risks, please contact Attorney John Healy at healyj@corneillelaw.com or (608) 662-1159.


[i] “Timetric Insurance Reports.” Insight Report: Specialty Insurance – Key Trends and Opportunities in the Market. Web. August 21, 2014. 

[ii] Research conducted by the Doctor’s Company, the nation’s largest physician owned medical malpractice insurer and their web series, Healthcare Cyber Security Breaches, 22 Oct. 2014.

[iii] Sullivan, Gail. “Chinese Hackers May Have Stolen Your Medical Records.” The Washington Post, 19 Aug. 2014. Web.

[iv] 45 CFR §§ 164.400-414 (January 2013).

This news update is designed to provide general, educational information on pertinent legal topics, and the statements therein do not constitute legal advice. This news update is not intended to create an attorney-client relationship between you and Corneille Law Group, LLC. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel. 