According to an article published in Medical Economics, the threat of hacking has led to an increase in the number of physicians opting for cyber insurance. Many physicians are unfamiliar with cyber insurance: what the policy covers, what it costs, how it works, and the like. They are more familiar with the common malpractice and business insurance.
Cyber insurance covers damages and losses caused when patient data is stolen, exposed, improperly shared (whether accidentally or deliberately), or held for ransom. It helps physician practices handle the wide-ranging consequences of data breaches. It provides assistance in paying regulatory fines and penalties, hiring IT experts to identify and fix the breach, compensating for income loss due to lost patients and downtime, and the like. The insurance helps practices engage public relations firms to handle unwelcome publicity and call centers to handle patient inquiries. It also aids in hiring attorneys who will represent the practice in lawsuits filed by patients and in paying damages awarded to the victims. In brief, it covers almost all expenses and losses attributed to the data breach.
The coverage provided by cyber insurance usually applies only to patient data, not to the computer hardware used in the practice. The hardware is protected by a general insurance policy. A complete cyber insurance policy includes first- and third-party coverage. The first-party coverage pays for lost revenue, IT forensics, business interruption, data restoration and other damages suffered by the policyholder, while the third-party coverage handles costs incurred in relation to those affected by the breach.
Physician practices without cyber insurance often have a certain amount of coverage through general business policies. While small practices might think they are protected from cyber attacks due to their size, they are at risk too. Healthcare organizations are targeted because their data contains patient names, addresses, birthdates, social security numbers, and health and credit card information. Oftentimes, a practice might be targeted specifically because it is small. These practices are vulnerable because they focus on patient treatment, and their data is not encrypted. Their security measures are also frequently not up to date. Some hackers use small practices to test and refine their methods before moving on to larger targets like healthcare systems. A new and scary pattern, one that uses the computing power of patient information to earn digital currency, is emerging.
The motivation to attack a healthcare practice has little to do with the number of doctors or patients. Healthcare data is highly valuable on the black market, and it is merely a matter of time before a practice is targeted randomly.