Cybersecurity insurance is an insurance policy that is designed to help with the losses from a variety of cyber incidents, such as data breaches, business interruption or network damage. Each cybersecurity insurance policy, while similar to another policy, is never exactly the same as other insurance policies.
Cybersecurity insurance is only one arrow in your quiver used in the protection of your organization’s electronic protected health information (ePHI). It is only one part of your organization’s mitigation and it is important to remember that it is not the solution to a HIPAA security incident or a HIPAA breach event.
There are two general categories of risks and potential liabilities for ePHI breaches, those that happen within your organization and those that happen with one or more of your vendors or business associates. Since there are two categories, your organization should consider purchasing both first-party and third party cybersecurity coverage. With these two types of coverage your organization would be the first-party and your vendors and business associates would be the third parties.
First-party losses may include loss or damage to your organization’s ePHI; corrupted, lost, stolen or ransomed ePHI by loss or stealing of devices or due to a virus; network interruption or denial of service attack, or; the inability to conduct business due to an ePHI breach or loss.
Third party risks include your organization’s liability to its clients or patients, and in various states and on the federal level, regulatory investigations and fines.
What incidents might be covered by insurance?
- Unencrypted devices;
- ePHI in the control of a third party;
- Human error, mistakes and negligence;
- External attacks by cyber criminals;
- System, data center, or business process failures;
- Malicious or criminal insiders; and
- Credit cards.
What benefits, or protections, might be covered by insurance?
- Notification costs to data breach victims, media and other;
- Legal defense costs;
- Forensics and investigative costs;
- Regulatory penalties and fines;
- Revenue losses;
- Third party liability;
- Communication costs; and
- Productivity losses.
There are also very specifically outlined and defined exclusions in a cybersecurity policy. They often include the following:
- Breaches of PHI in paper files;
- Claims brought by the government or regulators, including the Office of Civil Rights, the Department of Health and Human Services, and the Office of a state’s Attorney General, plus various state’s laws;
- Vicarious liability, for data entrusted to a third-party vendor, when the breach occurs on the vendor’s system;
- Unencrypted ePHI; and
- If your organization waits too long to report the event to the insurance company.
The cost of cybersecurity insurance continues to increase even as you read this blog, as is the dollar amount deductible that your organization will have to pay up-front before any insurance payments will kick in. The deductible is now $25,000.00 on many policies!
Cybersecurity insurance is quickly becoming a necessity for many healthcare organizations, but it is only one piece of an organization’s mitigation. Other parts of mitigation include: a yearly HIPAA Security Risk Analysis/Assessment, a yearly internal or external HIPAA Audit, and a yearly HIPAA Security, Privacy and Breach Training, plus constant, on-going vigilance.
Conclusion: Your organization must understand all the provisions of the cybersecurity insurance policy before it is signed and paid for by your organization.