Insuring Against a Data Breach: Are Cyber-liability Policies Worth the Premiums?

Understanding risks, policy costs and potential value can help you decide whether to invest in cyber-liability insurance.

With healthcare organizations in the cross hairs of criminal hackers seeking to score high-value patient information, many hospitals and medical practices are hoping the purchase of cyber-liability insurance will mitigate their risk. About one-third of healthcare organizations have a data breach insurance policy—with more than half purchasing up to $5 million in coverage—according to a 2016 report by the Ponemon Institute. But for the many healthcare organizations still on the fence about cyber-liability insurance, questions remain about risk, cost and value. 

Ask a handful of experts to quantify the risk of a potential cyber-attack on a healthcare organization, and the answers aren’t comforting. “It can be a catastrophic event if you have a major security breach,” one warns. “It does have the potential to threaten their business,” another says. “We will see more hacks,” a third predicts.

Healthcare organizations are at greater risk than others because they maintain data with a high street value, including Social Security numbers and medical background details. “The stakes are really high because you’re talking about patients’ lives,” says Carter Groome, MBA, chief executive of First Healthcare Advisory Solutions, a consulting firm based in Scottsdale, Ariz. “Your medical information is your history. You can’t change that.” The proliferation of electronic health records and medical devices plus increased patient connectivity only add to an organization’s vulnerability.

Weigh the risks 

The risk of a large-scale cyber-security breach can certainly be overstated. Many breaches are relatively small events, says Reece Hirsch, JD, a healthcare attorney and co-head of Morgan Lewis, a global privacy and cybersecurity practice. But, he adds, large-scale breaches are on the rise. And when information stolen from a healthcare organization is used to commit fraud, the likelihood of regulatory action and class-action lawsuits rises.

The Office for Civil Rights (OCR), the arm of the U.S. Department of Health and Human Services that protects patients’ health information privacy rights, will fine healthcare organizations after a cyber-security breach if it finds data security flaws or HIPAA noncompliance. The fines range from about $50,000 to $5 million. (The OCR maintains a webpage that lists all breaches reported in the preceding two years that are under investigation.)

Class-action lawsuits have been filed in a number of larger security breaches. After a cyber-attack estimated to impact nearly 80 million customers, for instance, Anthem agreed to pay $115 million in class-action settlements.

There are other costs associated with cyber-security breaches. Mike Mytych, MBA, president of Health Information Consulting in Menomonee Falls, Wis., says one of his clients, a 35-physician group whose electronic health record system was hacked and held at ransom, spent about $500,000 on post-breach logistics, such as notifying patients. That was on top of a $500,000 fine levied by the OCR.

Another cost of a cyber-attack, much more difficult to quantify, is the reputational price to a healthcare organization, says Robin Sarkar, PhD, CSM, CPHQ, chief information officer at Lakeland Health in Michigan. A breach that violates a patient’s confidence can have far-reaching consequences. Patients ask, “If I cannot trust you with my information,” Sarkar says, “how can I trust you with my health?”

Check the fit 

While healthcare organizations once got some cyber-liability coverage through their commercial general liability policies, Hirsch says, now cyber-liability usually requires a separate policy. At a minimum, he recommends hospital and medical center administrators seriously consider this insurance as a business decision. “Almost every healthcare organization should be considering cyber-liability insurance,” Hirsch says.

A broker and legal counsel can help determine your healthcare organization’s risk, Hirsch says. One way to estimate this is to review surveys of healthcare security breach costs (the Ponemon Institute is a good source), including average per-record costs of different types of breaches, while considering the amount and scope of the data your organization maintains. “You need to think about, realistically, the risk you’re trying to address,” Hirsch says.

The combination of financial and reputational risk was enough to motivate Lakeland Health to purchase cyber-liability insurance several years ago, Sarkar says. Though he says Lakeland hasn’t been breached, the health system gets other benefits from a cyber-liability partnership. “The insurer provides a number of add-on benefits, like training material and policy support material,” he explains. “These cyber-liability companies offer multiple breach management services, which help healthcare systems prepare and prevent attacks and strengthen their cyber-security defense.”

Calculate costs

While some healthcare organizations choose to cover cyber-liability through their own self-insured policies, premiums for third-party cyber-liability insurance can range from $800 to $1,200 for individuals, such as consultants, to hundreds of thousands of dollars for large healthcare organizations, according to C. Elizabeth O’Keeffe, JD, MPH, LLM, CHC, CHSP, chief compliance officer for Advanced Infusion Solutions, an intrathecal medications provider in Ridgeland, Miss.

A private practice of two or three cardiologists might be able to get a policy for a couple thousand dollars a year, Groome says. For physician practices and smaller community hospitals that don’t have the budget for a full-time security officer on staff, he says, cyber-liability insurance can be a popular option to defer risk affordably.

A large medical center with multiple regional practices could face a cyber-liability insurance bill upwards of $100,000, Groome says. While declining to discuss specifics, Sarkar described Lakeland Health’s cyber-liability insurance as “within the affordable range.”

Manage your risk profile 

If insurers see your organization as a “high-risk disaster” doing little to protect patient information, Groome says, your insurance will cost more. But mitigation efforts, such as meeting regulatory compliance standards, commissioning a third-party risk assessment and implementing a detailed security policy, can ease costs, he says. “You want to leverage cyber-liability insurance for areas that you feel are holes in your security,” Groome says. “Hospitals that do security well are going to have a competitive advantage.”

At Lakeland Health, for instance, laptops are encrypted, so thieves can’t pilfer information from lost or stolen devices, Sarkar says. The health system has also invested in professional organization memberships that offer a discount on cyber-liability insurance. “A cyber-insurance policy is a fallback,” Sarkar says. “It’s a supporting mechanism to help us mitigate some of the consequences of a cyber-attack.”

Understand policy options 

Just a few years ago, there weren’t many options in the cyber-liability insurance market, O’Keeffe says, and the few policies available were expensive and limited. Now there’s more maturity in the market, she says, but there are still high deductibles and exclusions to consider.

Cyber-liability insurance policies vary, Hirsch says. The following are types of cyber-liability insurance that can make up a single policy:

Event management insurance can cover the cost of a breach, such as a forensic investigation, public relations, notifying patients and credit monitoring. This is perhaps the most important component of a cyber-liability insurance policy, Hirsch says.

Network business interruption insurance can reimburse for lost income and operating expenses.

Liability insurance can cover third-party claims, such as fines, defending a lawsuit and an imposed judgment.

Cyber-extortion insurance can reimburse for ransom payments.

As important as knowing what’s covered in a policy is knowing what’s excluded, Groome says. This is especially relevant as new types of cyber-threats seem to crop up every week. “You don’t want to let the insurance company advise you from a security and privacy standpoint,” he says. “Somebody in your organization needs to get smart on this stuff.”