The Medical Group Management Association’s most recent MGMA Stat poll asked healthcare leaders, “Does your organization have a cyberinsurance policy?”
- 82% said “yes.”
- 15% said “no.”
- 3% said “considering it.”
For those who answered “yes,” many said they have coverage through their malpractice insurance carrier. Responses included:
- “We had a ransomware attack in January. Cyberinsurance saved us. Threat actors wanted $7.5 million in bitcoin as payment. Insurance allowed us to use negotiators.”
- “I've had one …. [and] I was very glad I had it when my EHR vendor had a data breach. It really came in handy.”
- “We have a policy and recently increased our coverage. We have also bolstered our staff security awareness training.”
The poll was conducted May 25, 2021, with 810 applicable responses. The results reflect an increase in the percentage of practices that have cyberinsurance compared to a May 8, 2018, Stat poll in which 54% of respondents said their practice had coverage.
Since the start of the COVID-19 pandemic, cyberattacks have been on the rise in healthcare organizations, accounting for 79% of reported data breaches in the first 10 months of 2020. Furthermore, healthcare organizations experienced a 45% increase in cyberattacks in November and December 2020 alone. More concerning is that among cyberattacks, ransomware attacks have increased the most during this time (though email is still the most common attack vector).
MGMA offers several resources to help protect medical practices, including the HIPAA resource center. In addition, as has been documented in prior MGMA Stat polls, it’s sound practice to prepare staff and providers for potential attacks through anti-phishing training and to protect patient information by backing up EHR data. However, preparation will only take you so far.
The benefits of cyberinsurance
Oftentimes when a cyberattack occurs, small and midsize medical practices don’t know whom to contact to address the issue. Once an attack occurs, time is of the essence, says Jeffrey Smith, managing partner, Cyber Risk Underwriters, Atlanta. “The biggest benefit in terms of these policies are they come with a pre-vetted panel of service providers,” who can spring into action, notes Smith, including offering:
- Data breach response: Legal experts who provide representation and advice on regulatory reporting obligations.
- Notification: Vendors who inform impacted individuals.
- Forensics and incident response: Security engineers who assess the event and advise on immediate remediation to mitigate loss.
- Public relations and crisis management: Media experts who manage reputational exposure.
- Forensic accounting: Finance experts who help with loss of income calculation if the organization is forced to close.
According to Smith, the recent uptick in ransomware attacks is reflected in the increase of claims in that area. As he notes, “more than 85% of claims are now a result of ransomware attacks and social engineering exploits, resulting in funds transfer loss.”
In addition, he points to a growing number of claims tied to business interruption income loss. “We see practices actually get shut down for a period of time, because they can't get access to their records,” says Smith. “So we're starting to see more claims for loss of income when they're shut down during a ransomware event.”
With so many threats to consider, practices don’t want to get caught flat-footed. It’s best to have a plan of action before being hit by a cyberattack.
Assessing your cybersecurity and cyberinsurance needs
When determining what’s right for your practice, Smith says the first step is to look for agents and carriers who specialize in cyberinsurance. “Many agents providing medical malpractice coverage do not possess the same expertise when it comes to cyberinsurance,” remarks Smith of the need to make sure the agent you’re working with has more than just cursory knowledge of cybersecurity.
Smith believes it’s also important to look for insurers that can provide practice risk assessments — often provided for free during the application process — through the use of vulnerability scans. “This is a non-invasive scan of internet-facing assets and can include information about software updates and compromised identity credentials such as email addresses, user IDs and passwords,” notes Smith. This can be useful because it can help determine the breadth of coverage a practice may need.
He also encourages practices to create an incident response plan, because it can help them prepare for a cyberattack, while also potentially lowering their cyberinsurance premiums. “Many insurers offer templates to guide the insured through the process of establishing an effective incident response procedure,” adds Smith.
A reputable insurer should also be able to provide information on:
- Activation of coverage and time limits on notification of a breach
- Retroactive coverage
- First- and third-party policies
- Anticipated cost of a breach related to coverage limits and sublimits
- Coverage exclusions
- Data restoration costs
- Merger and acquisition (M&A) considerations
- Coverage for regulatory actions.
Red flags and policy review
Smith emphasizes that practices should be aware of the following red flags when shopping around:
- Too-good-to-be-true policy pricing: “New entrants often underprice policies to capture market share without a proven track record handling claims,” says Smith.
- Coverage included by endorsement to malpractice or other business insurance policies: “They often are substandard in terms of coverage, limits of liability and service offerings,” asserts Smith.
- Ultimately, the goal is to avoid filing a claim, so it’s important to work with insurers that want to help you in that regard: “Beware of insurers that do not provide some level of loss control tools such as ongoing network monitoring, employee training [such as incident response templates, procedure policy templates, training modules, phishing simulation], and security engineering assistance,” notes Smith of the need to look for insurers who are proactive rather than reactive.
Finally, Smith says practices should only work with insurers who take the time to review policies to prevent coverage disputes and higher claim costs. “Make sure your agent reviews the policy with you in terms you clearly understand,” says Smith. “All policies should include the insured’s responsibilities related to claims reporting, duty to cooperate and obligations to not admit liability or incur expense without the approval of the insurer.”
With ransomware attacks on the rise, practices need to be increasingly vigilant to ensure patient data is secure and to mitigate potential income loss during a business interruption. Investing in the right cyberinsurance policy for your practice can provide some peace of mind.
Do you have any best practices or success stories to share on this topic? Please let us know by emailing us at firstname.lastname@example.org.
JOIN MGMA STAT
Our ability at MGMA to provide great resources, education and advocacy depends on a strong feedback loop with healthcare leaders. To be part of this effort, sign up for MGMA Stat and make your voice heard in our weekly polls. Sign up by texting “STAT” to 33550 or visit mgma.com/stat. Polls will be sent to your phone via text message.
- HHS Cyber Security Guidance Material — Resources from the Department of Health & Human Services (HHS) designed to give HIPAA-covered entities and business associates insight into how to respond to a cyber-related security incidents.
- "The most important and effective security tools are your medical practice’s staff" — Cybersecurity often hinges on end users — your practice’s providers and staff — exercising due diligence.
- Cybersecurity Action Steps — To help protect your practice against cyberattacks, download this 10-step tool from MGMA Government Affairs.
- HIPAA Breach Toolkit — Download this member-exclusive resource from MGMA Government Affairs to help your practice better understand and implement the HIPAA breach requirements.
- "Confronting the growing threats to medical practice cybersecurity" — In this episode of the Executive Session podcast, health IT expert Marion Jenkins, PhD, FHMISS, partner, HealthSpaces, discusses the rising trend of cyberattacks in healthcare and how end users play a role in protecting against threats.