Healthcare News & Insights

Why your hospital needs cyberinsurance with these provisions

Sometimes, despite all the security in place to guard protected health information (PHI), hospitals still experience information breaches. At that point, hospitals and health systems face the potential for massive financial backlash — usually in the form of fines from the Office for Civil Rights (OCR) and class-action lawsuits from upset patients. 

Take, for example, the recent breach of Community Health Systems’ (CHS) electronic health record (EHR) system. Hackers in China were able to break into CHS’ system through security exposures created by the virus Heartbleed, resulting in the second largest U.S. PHI breach — 4.5 million patients compromised.

In a recent article for Forbes, writer Dan Munro broke down the financial consequences the system is now facing, such as:

  • technical, legal and administrative remediation
  • fines from the OCR for violating HIPAA’s security rules
  • identity theft protection/credit monitoring for the 4.5 million patients, and
  • legal fees (and possible settlements) for patient and shareholder lawsuits.

Apparently, just a few hours after the breach was reported to the Securities and Exchange Commission, CHS was hit with a class-action lawsuit in Alabama, and Munro expects more are coming. And though the OCR hasn’t issued any fines yet, CHS can expect to be hit hard. The agency has been using huge penalties to scare other providers into HIPAA compliance, like when it fined a facility in New York $4.8 million for a smaller breach earlier this year.

Cyberinsurance protection

Munro estimates that CHS could pay up to $150 million for the breach when all is said and done. One of the few bright sides for CHS is that its cyberinsurance policy will help it mitigate some of that cost.

But cyberinsurance policies tend to vary from carrier to carrier, according to FierceEMR’s report on a webinar given by two healthcare attorneys on the subject.

Attorneys Scott Godes, with Barnes & Thornburg, and Gary Githens, with Brown & Brown Northwest, recommend healthcare facilities make sure their cyber insurance policies include these provisions:

  • Data breach notification and investigation costs
  • Policy limits on coverage and deductibles
  • Coverage for regulatory investigations
  • Exclusions, such as for failure to maintain security
  • Business interruption and data restoration, and
  • What service providers the healthcare organization can use in the event of a breach.

The FBI believes more hackers will target healthcare providers and likely try to exploit Heartbleed the same way. That means now’s the time to consider cyberinsurance to protect your facility financially, in addition to stepping up your PHI security.

Providers may also want to review their contracts with data cloud vendors so they include coverage for breaches, especially since not all vendors take proper data security measures.
