With cyberattacks on the rise, cyberinsurance may provide peace of mind

MGMA Stat - May 26, 2021

HIPAA

Disaster Planning

Electronic Health Records

Christian Green MA

The Medical Group Management Association’s most recent MGMA Stat poll asked healthcare leaders, “Does your organization have a cyberinsurance policy?”
  • 82% said “yes.”
  • 15% said “no.”
  • 3% said “considering it.”

For those who answered “yes,” many said they have coverage through their malpractice insurance carrier. Responses included:
  • “We had a ransomware attack in January. Cyberinsurance saved us. Threat actors wanted $7.5 million in bitcoin as payment. Insurance allowed us to use negotiators.”
  • “I've had one …. [and] I was very glad I had it when my EHR vendor had a data breach. It really came in handy.”
  • “We have a policy and recently increased our coverage. We have also bolstered our staff security awareness training.”

The poll was conducted May 25, 2021, with 810 applicable responses. The results reflect an increase in the percentage of practices that have cyberinsurance compared to a May 8, 2018, Stat poll in which 54% of respondents said their practice had coverage.

Since the start of the COVID-19 pandemic, cyberattacks have been on the rise in healthcare organizations, accounting for 79% of reported data breaches in the first 10 months of 2020. Furthermore, healthcare organizations experienced a 45% increase in cyberattacks in November and December 2020 alone. More concerning is that among cyberattacks, ransomware attacks have increased the most during this time (though email is still the most common attack vector).
 
MGMA offers several resources to help protect medical practices, including the HIPAA resource center. In addition, as has been documented in prior MGMA Stat polls, it’s sound practice to prepare staff and providers for potential attacks through anti-phishing training and to protect patient information by backing up EHR data. However, preparation will only take you so far. 

The benefits of cyberinsurance

Oftentimes when a cyberattack occurs, small and midsize medical practices don’t know whom to contact to address the issue. Once an attack occurs, time is of the essence, says Jeffrey Smith, managing partner, Cyber Risk Underwriters, Atlanta. “The biggest benefit in terms of these policies are they come with a pre-vetted panel of service providers,” who can spring into action, notes Smith, including offering:
  • Data breach response: Legal experts who provide representation and advice on regulatory reporting obligations.
  • Notification: Vendors who inform impacted individuals.
  • Forensics and incident response: Security engineers who assess the event and advise on immediate remediation to mitigate loss.
  • Public relations and crisis management: Media experts who manage reputational exposure.
  • Forensic accounting: Finance experts who help with loss of income calculation if the organization is forced to close.
 
According to Smith, the recent uptick in ransomware attacks is reflected in the increase of claims in that area. As he notes, “more than 85% of claims are now a result of ransomware attacks and social engineering exploits, resulting in funds transfer loss.”
 
In addition, he points to a growing number of claims tied to business interruption income loss. “We see practices actually get shut down for a period of time, because they can't get access to their records,” says Smith. “So we're starting to see more claims for loss of income when they're shut down during a ransomware event.”
 
With so many threats to consider, practices don’t want to get caught flat-footed. It’s best to have a plan of action before being hit by a cyberattack.

Assessing your cybersecurity and cyberinsurance needs

When determining what’s right for your practice, Smith says the first step is to look for agents and carriers who specialize in cyberinsurance. “Many agents providing medical malpractice coverage do not possess the same expertise when it comes to cyberinsurance,” remarks Smith of the need to make sure the agent you’re working with has more than just cursory knowledge of cybersecurity.   

Smith believes it’s also important to look for insurers that can provide practice risk assessments — often provided for free during the application process — through the use of vulnerability scans. “This is a non-invasive scan of internet-facing assets and can include information about software updates and compromised identity credentials such as email addresses, user IDs and passwords,” notes Smith. This can be useful because it can help determine the breadth of coverage a practice may need.   
 
He also encourages practices to create an incident response plan, because it can help them prepare for a cyberattack, while also potentially lowering their cyberinsurance premiums. “Many insurers offer templates to guide the insured through the process of establishing an effective incident response procedure,” adds Smith.
 
A reputable insurer should also be able to provide information on:
  • Activation of coverage and time limits on notification of a breach
  • Retroactive coverage
  • First- and third-party policies
  • Anticipated cost of a breach related to coverage limits and sublimits
  • Coverage exclusions
  • Data restoration costs
  • Merger and acquisition (M&A) considerations
  • Coverage for regulatory actions.

Red flags and policy review

Smith emphasizes that practices should be aware of the following red flags when shopping around:
  • Too-good-to-be-true policy pricing: “New entrants often underprice policies to capture market share without a proven track record handling claims,” says Smith.
  • Coverage included by endorsement to malpractice or other business insurance policies: “They often are substandard in terms of coverage, limits of liability and service offerings,” asserts Smith.
  • Lack of loss control tools: Ultimately, the goal is to avoid filing a claim, so it’s important to work with insurers that want to help you in that regard. “Beware of insurers that do not provide some level of loss control tools such as ongoing network monitoring, employee training [such as incident response templates, procedure policy templates, training modules, phishing simulation], and security engineering assistance,” notes Smith of the need to look for insurers who are proactive rather than reactive.

Finally, Smith says practices should only work with insurers who take the time to review policies to prevent coverage disputes and higher claim costs. “Make sure your agent reviews the policy with you in terms you clearly understand,” says Smith. “All policies should include the insured’s responsibilities related to claims reporting, duty to cooperate and obligations to not admit liability or incur expense without the approval of the insurer.” 

With ransomware attacks on the rise, practices need to be increasingly vigilant to ensure patient data is secure and to mitigate potential income loss during a business interruption. Investing in the right cyberinsurance policy for your practice can provide some peace of mind.

Do you have any best practices or success stories to share on this topic? Please let us know by emailing us at connection@mgma.com.

JOIN MGMA STAT

Our ability at MGMA to provide great resources, education and advocacy depends on a strong feedback loop with healthcare leaders. To be part of this effort, sign up for MGMA Stat and make your voice heard in our weekly polls. Sign up by texting “STAT” to 33550 or visit mgma.com/stat. Polls will be sent to your phone via text message.

About the Author

Christian Green MA
MGMA Writer/Editor

cgreen@mgma.com
