Hospitals Jumping Into Cyber Insurance to Hedge Risks

by Doug Pollack

A recently published article in Fierce Health IT highlights a trend by US hospitals towards purchasing cyber insurance. The reasoning for this purchase is typically a function of concern over the financial exposures that result from data breach incidents, combined with the growth in data breaches (32% annual growth rate) being experienced by healthcare organizations (Ponemon Institute, 2011, Benchmark Study on Patient Privacy and Data Security).

It is especially important for hospitals and other healthcare organizations to understand exactly what they are purchasing when they buy cyber insurance. Larry Harb, president and CEO of Okemos, Mich.-based IT Risk Managers, notes that "there are no standardized data breach policies. Every policy is different. When we write a policy for a hospital, we're going to customize that policy to meet the needs of the client." He goes on to comment that most policies will cover the costs associated with a data breach response effort, as well as legal costs for defending litigation, and any fines or penalties that might be assessed by regulators or law enforcement agencies.

Within healthcare, HIPAA covered entities (healthcare providers and payors) increasingly find that their business associates (outside organizations entrusted with patient data by the covered entity) represent a substantial source of data breach risk. Because of this, it behooves a hospital or other healthcare organization to clearly require that its business associates be responsible for any costs associated with a data breach they cause. While the business associate may be the "cause" of the breach, it is ultimately the hospital that is "liable" for patient and regulatory notification, as well as for any legal exposure.

"Business associates of providers cause many data breaches. Last September, for instance, Stanford University Hospital discovered that a billing contractor had inadvertently posted a spreadsheet containing information on 20,000 of its ED patients on a public website. In that case, the billing service accepted responsibility for the data breach."

Again, when purchasing cyber insurance, the healthcare organization must clarify exactly how a breach caused by a business associate would be covered under its policy. This matters all the more because such situations are now regularly leading to class action lawsuits, as well as to investigations mounted by the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).

And lastly, when evaluating cyber insurance, the healthcare organization's risk executive is advised to involve the compliance, privacy and legal officers in reviewing the terms of the policy. Unlike most other types of insurance, cyber policies may not only provide a financial backstop for the costs of a data breach incident, but may also be somewhat "prescriptive" about how the organization should carry out the data breach response effort. It is advisable to ensure that any such limitations or constraints fit within the healthcare organization's culture and data breach response planning guidelines.

About the Author

Doug Pollack

CIPP, MBA. With over 25 years of experience in technology industry products and services, Doug is an expert in personal information privacy and security. He is currently a senior executive at ID Experts.
