Managing Cyber Risks in Medical Practices

By Kevin Quinley
August 01, 2017

Astonishing computing power lets health care providers harness vast computing resources to drive their business plans, manage treatment protocols and crunch data to boost their practices. However, as we noted in Part One of this article (See http://bit.ly/2uRil70), unintended consequences arise and, in the case of computers, one such consequence is cyber peril.

Losing or compromising data can devastate a health care provider's ability to function or deliver quality care to patients. It can spell the difference between survival and insolvency. Even if cyber-attacks do not cripple a medical practice, they can inflict financial harm through downtime, denial of service, lost production, reputational damage or even medical malpractice liability from inaccurate prescriptions, misdiagnoses or flawed treatment protocols. What can be done to minimize the risks and consequences?

Risk Management Strategies

There are four major risk management strategies to address cyber perils, some of which can be employed by health care providers:

  1. Avoidance;
  2. Retention;
  3. Control; and
  4. Transfer.

Let us briefly look at each.

Avoidance: To implement an avoidance strategy, the health care professional or practice would need to forgo activities that create cyber perils. Unfortunately, while using computers runs the risk of cyber perils, it is unrealistic to expect practices or practitioners — many of them high-tech — to forgo standard features of today's business infrastructure. Since cyber risks are inherent in using computers and the Internet, this is an unrealistic option.

Retention: A retention strategy requires consciously and intentionally setting funds aside to address financial consequences from cyber risk. Self-insurance is one option. Another is to have a deductible or self-insured retention with an insurance policy. Retention should be a conscious process. A company that overlooks risk and suddenly faces uninsured losses has not embraced retention as a risk management approach. Sleep-walking into a “self-pay” situation is not true retention.

Control: To “control” means to prevent cyber risk in the first place. Control also includes loss mitigation, cushioning the impact of cyber perils. For example, to boost patient safety, physicians use informed consent protocols and take regular continuing medical education. To prevent wrong-site surgery or foreign objects being left in patients, hospitals adopt checklists and protocols. With cyber losses, astute health care practices and practitioners should adopt various control measures.

Transfer: A “transfer” shifts the financial consequences of cyber perils to another party, usually a professional risk-bearer, i.e., an insurance company. Buying coverage for cyber perils is an example of financial transfer. This could be accomplished through a standalone insurance policy. Firms also adopt transfer by adding cyber peril coverage to an existing insurance policy.

Since control and transfer are the most viable risk management strategies for health care practices, let's spotlight these two.

Control

Loss-control tactics to thwart cyber risks include any one or combination of the following:

  • Contingency plan. Prepare incident response and business continuity contingency plans well in advance of any crisis. Calendar these for regular review and updating, in light of technological and organizational advances.
  • Self-assess and include vendors. Evaluate internal systems to prevent data breaches. Verify that vendors and business partners with whom you exchange information have sound internal systems designed to address perils.
  • Brainstorm. As a management discipline, periodically make time to brainstorm the worst possible data breaches. Map out potential consequences.
  • Include — but go beyond — IT. With the management team, including but not limited to IT, walk through the steps a medical practice would take to respond to and mitigate a loss. Better still, conduct “after-action reviews” of such hypotheticals to determine preventive measures that reduce the odds of such scenarios.

The best strategy: Boost prevention as the first line of defense. View insurance as a “Plan B option.” Health care professionals and practices that obtain the best deals on cyber-coverage are those who demonstrate to underwriters the existence of well-thought-out systems and protocols that prevent breaches in the first place.

Transfer: Insuring Against Cyber-Risks

Since insurance protection for cyber risks is relatively new, do not assume that existing malpractice insurance policies address the issue. Many property and liability insurance policies ignore the problem, exclude it or are silent regarding the protection. The key take-away: Part of any medical malpractice risk-management program has to address cyber liability as one component. Overlooking this might have been excusable and understandable in the 1990s, but not today. Physicians must be aware of liabilities that they and their practices face if they fail to take reasonable steps to safeguard computerized electronic patient data. Major health care systems such as UCLA Health have been breached by hackers.

Some medical malpractice insurance companies may offer physicians free “riders” on their liability policies. However, these are unlikely to be as thorough as a health care provider needs. Seek instead a standalone policy that bundles all cyber insurance coverage together in one customized package. These services should include absorbing costs for a consultant to handle tasks such as notifying patients of the data breach, informing the public, providing credit monitoring services for patients, and retaining IT security experts. Utilize your insurance broker to thoroughly scour the insurance marketplace and to provide comparisons of policy breadth as well as cost. Avoid the trap of purchasing a policy just because it is the cheapest. In insurance, as in medical care, services are often cheaper for a very good reason.

Some insurance policies, for example, provide scant cyber risk coverage. Contracts often limit reimbursement to physical loss to tangible property. That is fine if a medical practice's building or hospital wing sustains fire damage. Some courts, however, have held that computer data — bits and bytes — are intangible property. Work with your insurance broker to scan the marketplace for the broadest coverage at the most reasonable price.

Health care professionals and entities seeking financial protection for cyber-perils need coverage that specifically addresses these relatively new risks; to find out what is covered, physicians and hospital representatives can pose questions to their insurance agent, broker or insurance underwriters. Some things to ask might include:

  • If a liability claim arises because a doctor's office system or a hospital's electronic records are “hacked,” will the policy respond?
  • Will the policy cover liability and claims arising from unauthorized data disclosure, access or use of protected health information?
  • How much insurance coverage is afforded for cyber perils? Do any sub-limits “cap” the coverage? Can I increase the sub-limit for an additional premium?
  • Does the policy cover extra expenses incurred in minimizing losses from a data breach? (“Extra expense” coverage typically includes costs incurred in notifying interested parties of breaches, data recovery, cyber investigation and crisis management.)

The Underwriter

If you buy insurance through an agent or broker, make sure they query your existing insurer and any competing insurance companies about financial protection offered for cyber risks. The decision-maker on coverage terms and price is the insurance underwriter. He or she is the insurer's “gatekeeper” who decides which firms to insure and at what premium.

In evaluating cyber insurance coverage applications, underwriters may ask:

  • What priority has the medical practice, facility or device company placed on protecting its databases? What specific steps reflect such a commitment?
  • Who can access the practice's or hospital's information systems? Are there restricted authority levels?
  • Has the medical practice or facility retained qualified outside experts to assess and bolster IT security procedures?
  • Does the organizational chart reflect a dedicated team or group assigned to protect data integrity?
  • What is the status of password procedures, data encryption, off-site data backup, intrusion prevention systems, disaster recovery plans and anti-virus systems?

Such questions provide a blueprint of items to include in a health care entity's loss prevention program.

Conclusion

Given the scope of cyber-risks, this article is only an overview, not an exhaustive discussion. While the Greek god Prometheus gave mankind the gift of fire, that gift was not rescinded, despite fire's destructive power. Likewise, the tech industry has given health care providers computing power, cloud computing and the benefits of the Internet. But accompanying such “blessings” come perils. Computing technology and Internet connectivity are features of the medical professional's landscape that are here to stay; the trick of effective health care risk management is to harness the assets and mitigate cyber-risks, using strategies cited here.

***** Kevin Quinley, CPCU, is Principal of Quinley Risk Associates, a risk management consulting firm in the Richmond, VA, area. He is the author of Bulletproofing Your Medical Practice: Risk Management Strategies That Work. Reach him at www.kevinquinley.com or at [email protected].