Healthcare data breaches are on the rise, and each breach costs an average of $3.8 million, according to a 2015 Ponemon Institute report. Hospitals and health systems have cybersecurity strategies in place to prevent attacks, but even the strongest security strategies can be breached, whether by a sophisticated hacker or by simple human error. As part of safeguarding against cyberattacks and the potential fallout, healthcare organizations can purchase insurance.
Here are five things to know about cyber insurance.
1. There is a wide variety of cyber insurance coverage options, varying based on the types of incidents and costs for which healthcare providers seek coverage. Incidents can range from external threats to insider breaches. Costs to consider include first-party costs (a healthcare provider's own costs) and third-party costs (costs others may try to claim from the healthcare provider as a result of the incident), according to ComputerWeekly.com.
2. There are a number of first-party and third-party coverage features to consider, according to Risk & Insurance.
First-party coverage features
• Theft and fraud
• Forensic investigation
• Business interruption
• Extortion
• Data loss and restoration
Third-party coverage features
• Privacy liability
• Regulatory actions
• Notification costs
• Crisis management
• Call centers
• Credit/identity monitoring
• Transmission of viruses/malicious code
3. Each cyber insurance policy will be different, and not all policies will have the same first-party and third-party features. Here are 11 additional potential policy provisions to consider, according to Risk & Insurance.
• Loss or claim trigger. This type of provision can be restrictive when it comes to what types of events can actually trigger coverage.
• Defense trigger. This provision can require a lawsuit or written demand as the trigger for an insurance provider's defense obligation.
• Choice of counsel. This stipulation can dictate that defense costs are only covered if the insured selects counsel from a list of the insurer's panel law firms.
• Retroactive coverage. Cyber insurance policies often set a retroactive date. Any losses occurring due to events prior to that date will not be covered.
• Acts and omissions of third parties. Some cyber insurance policies can exclude third parties from coverage. For example, the policyholder may have no coverage if a third-party vendor it uses to store data suffers a breach.
• Coverage for unencrypted devices. Many policies exclude coverage for unencrypted devices.
• Coverage for corporations. Some policies may define covered persons but not the corporations or other business entities that would be affected by a breach.
• Policy territory. A policyholder may have employees lose devices containing its data while traveling abroad. The policy may restrict coverage of loss or theft to just the United States and its territories.
• Location of security failure. Some policies will only provide coverage for security failures, such as loss or theft, that occur on the policyholder's premises. If a device is stolen from an employee's home, it may not be covered.
• Exclusions for omissions. This type of provision can limit or exclude coverage for events stemming from security shortcomings such as failure to maintain and update security features and software.
• Exclusions for acts of terrorism or war. Coverage is often not provided if a data breach is a result of terrorism or war.
4. There are a multitude of cyber insurance options, and costs will vary depending on the policyholder's revenue, risks, security policies and coverage needs. Here are sample costs for seven healthcare industry businesses, based on data pulled from Cyber Data Risk Managers' clients.
Hospital
• Revenue: $170 million
• Policy limit: $5 million
• Premium: $42,000
Physician's office
• Revenue: $700,000
• Policy limit: $500,000
• Premium: $649
Healthcare clinic
• Revenue: $400,000
• Policy limit: $1 million
• Premium: $1,202
EHR vendor
• Revenue: $5 million
• Policy limit: $1 million
• Premium: $8,010
Healthcare IT provider/consulting
• Revenue: $4.5 million
• Policy limit: $5 million
• Premium: $34,600
Healthcare software-as-a-service provider
• Revenue: $2 million
• Policy limit: $2 million
• Premium: $9,398
Pharmacy benefits management company
• Revenue: $4 billion
• Policy limit: $5 billion
• Premium: $84,000
5. When working with an insurer to secure coverage, healthcare providers will often be required to produce information such as risk management techniques, disaster response plans, how employees and others access data systems, what antivirus and anti-malware software is in place, and the frequency of updates to and performance of firewalls, according to the National Association of Insurance Commissioners.