Cyber Insurance Series, Part 1: What you need to know

Cyber policies are still pretty ambiguous as to what gets covered and for just how much. Meaning, organizations need to do their homework to ensure they’re covered after a breach.
By Jessica Davis
08:00 AM
Share
computer screen with data breach

As hackers continue to target the healthcare sector at an alarming pace, the need to protect the infrastructure, data and daily operations of a provider organization is paramount. Part of that protection should include cyber insurance, designed to help organizations manage the risk associated with cyber activity.

Cyber insurance can help to reduce the risk, but there’s still a lot of misunderstanding around what it covers, how to buy the right coverage and, frankly, just how to avoid wasting funds on the wrong policy.

With that in mind, here’s what healthcare organizations need to know.

What the heck is cyber insurance?

To start, cyber insurance is not typically included in regular insurance coverage and will need to be purchased separately. The most common cyber insurance is designed to cover both losses and damages caused when patient data is exposed, stolen, held for ransom or improperly shared.

Providers can purchase policies from CNA, Liberty Mutual, Chubb and Travelers, among others. But here’s the catch: Unlike other insurance types, there’s no standard form for underwriting cyber coverage, so organizations will need to do their homework.

Coverage features will include first-party or third-party coverage, involving theft, fraud, the investigations following a breach, data loss and restoration, notification costs and the like.

Organizations will work with an agent to identify the different policies, like breach management, explained Jane Harper, director of privacy and security risk management services for Henry Ford Health System.

Depending on the carrier and policy, the insurance should cover funding for activity monitoring, breach notifications and, for some, it will include funds to replace tech that was negatively affected, Harper added. There are a number of policies and underwriters, which means organizations need to make sure they’ve evaluated their risk -- above and beyond HIPAA requirements.

When it comes to coverage, a lot is “dictated by the number of assets an organization wants to cover and the volume of data, which will affect cost,” Harper explained.

“And if you haven’t thought about it from a risk assessment angle, you may not understand that the incident is a lot like flood insurance,” said Harper. “Many don’t find out until after they’ve experienced a flood that they aren’t covered, even though they thought they had flood coverage.”

Legal questions to ask

To Matt Fisher, partner of law firm Mirick O’Connell, organizations need to first read the policy and what it covers.

“There’s still a lot of variance into what it’s going to cover and what will happen in an event of a breach,” said Fisher. “Within healthcare, if a business associate you have contractual obligations with is breached, some will not cover.”

“Other obligations you assume with the policy: to make sure you have the coverage you think you do when or if a breach will occur,” he added.

Fisher explained that organizations need to ask: when a breach happens, what cost will be covered by the insurance? What actions will not be covered by insurance? For example, sending out mailings, credit monitoring to people impacted, will it cover potential fines? Some things may be outside of scope.

And again, Fisher explained that “if it’s the business associate or covered entity breached, will the cyber insurance cover it?”

“People also need to understand, fines and penalties for noncompliance aren’t covered under cyber insurance,” Harper said. “But if they break in or destroy data, you can look into some insurance to cover those costs.”

Key stakeholders

Organizations first need to ensure the right individuals are helping with the process, explained Harper.

“The appropriate key stakeholders are not only involved with the evaluation process -- like how many patients, how much data to cover, etc… but also the responses to the questions the policy writer is going to ask,” said Harper.

It’s key to have the risk folks involved with the process as they can talk about it in
terms of how it relates to patients and hospital executives also need those folks driving the data on board, explained Harper. That includes the privacy and security risk professional, security officer, IT leader, key business leaders and the like.

“People tend to focus on things like electronic PHI -- but there’s ePHI and PHI,” said Harper. “But if there’s a break in at a warehouse and data is stolen  -- the Office of Civil Rights considers that a breach.”

As a result, it’s important for organizations to have a good understanding of their control environment when it comes to protecting and preventing a cyber incidence, explained Harper.

But at the end of the day, “the biggest thing is to look at the policy you’re looking to get,” said Fisher. “It’s still developing -- there aren’t standard policies out there and every policy will have its own nuances. So make sure you know what you’re actually acquiring.”

Tune in next Tuesday to learn the right way to choose a policy and carrier. In the following weeks, we'll also get real about the mistakes to avoid and legal considerations following a breach.

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com