Cyber Security Coverage: Can You Afford to Be Without It?
By Susan Decareaux, CPCU, RPLU, CISR
Cyber security continues to rise towards the top of the list of concerns for businesses and medical practices. Consequently, cyber insurance protection is also becoming more and more important. Along with the basic cyber security insurance limits ($50,000) provided by SVMIC at no additional premium, higher limits are readily available through a partnership with NAS Insurance Services. But, with all the financial and regulatory demands on medical practices’ resources, many have concluded that they cannot afford more adequate coverage. However, there is growing concern that the potential for loss is probably greater than most realize and the premium for higher limits is more affordable than most may think.
We recently interviewed a couple of practice administrators who have purchased higher limits from NAS to get their feedback. One was a group of six primary care physicians in middle Tennessee. The practice administrator realized that the potential risk of a cyber-attack or information technology (IT) system failure and the ensuing costs to recover data, possible lawsuits and regulatory fines and penalties could add up to more than the basic limits provided by SVMIC.
The group had experienced minor losses prior to their purchase of higher limits: some involved errors by their own staff, and one protected health information (PHI) violation was caused by an outside vendor. The claim generated by their outside vendor took their employees’ time away from their regular job duties. These experiences convinced the administrator of how vulnerable the group was to potential loss.
When asked how he justified the expense of the premium to his physicians, the administrator credited the physicians with being “smart and logical professionals who understood the cost-benefit trade-off.” With the estimated cost of a cyber security loss at a minimum of $30 per record, and possibly more due to the potential for regulatory fines and penalties, it was relatively easy to see that the potential for loss is great, and by contrast, the premium is relatively affordable.
The administrator said that in addition to purchasing the higher limits through NAS, staff training on PHI and HIPAA security is mandatory. Further, the group has an extensive IT security system in place, both internally and externally, that meets or exceeds all Federal Meaningful Use (MU) standards regarding PHI and IT security. You can find those regulations at the Centers for Medicare and Medicaid Services (CMS) website.
A group of six rheumatologists in east Tennessee also recently purchased excess limits with NAS Insurance through SVMIC. The practice administrator said that seeing the recent news of more frequent cyber security attacks, and realizing how vulnerable medical practices are to such attacks, prompted her to purchase the higher limits.
During a training session for all the practice staff, the doctors were made aware of the potential costs that the practice could incur should there be a cyber security breach. They realized that the potential for loss far outweighs the cost of the premium to protect their practice.
This practice also requires ongoing training and sends out reminders to staff to follow up on their training and to stay aware of the potential for a cyber security breach. The administrator acknowledges that “cyber security expert” is yet another hat that practice administrators are expected to wear. With technology and regulation changing frequently, it is a daunting task, especially if one’s background is not in information technology. However, it is a responsibility that cannot be ignored or taken lightly.
You will also find helpful articles and tips on the SVMIC website on our cyber security resources page. In addition, SVMIC’s Medical Practice Services offers consulting and training related to cyber security and HIPAA. As mentioned earlier, SVMIC has partnered with NAS to offer discounted premiums on increased limits for cyber security insurance. NAS has implemented a resource to offer support and risk management to policyholders. The site offers a 24-hour support hotline, monthly newsworthy updates, webinars and online training and support. This resource can be found here. The cost for additional coverage is based upon the limits chosen, group size and other factors. For more information, please contact SVMIC at ContactSVMIC@svmic.com or call us at 800.342.2239.
The contents of The Sentinel are intended for educational/informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice, as specific legal requirements may vary from state to state and/or change over time.