According to the 2012 USA Healthcare Privacy Claim Trends report by ACE Group, a global insurance organization, the healthcare industry accounted for 58 percent of all reported data breaches that year. Hospitals and health systems are high risk because of the type of data they work with: patient personal information, financial information, Social Security numbers, names, addresses, birth dates, etc.
For these reasons, it is important for hospital executives to understand emerging trends in data breaches, the costs associated and proactive steps for minimizing risks. Part of being proactive involves knowing what options are available, such as privacy and security insurance coverage.
In a webinar hosted by ID Experts — a data breach solutions provider — Anthony Dagostino, vice president of professional risk and healthcare privacy and technology product manager for ACE Group, and Jeremy Henley, insurance solutions executive for ID Experts, discussed what could trigger a data breach and how privacy insurance mitigates risks for hospitals and health systems.
Emerging threats
First, they covered two major trends in the healthcare industry that are leading to increases in data breaches.
1. Mobile devices. The emergence and prevalence of mobile health in the healthcare industry is creating new challenges that must be tackled in order to ensure data security and privacy. According to Mr. Henley, there are three major ways that mobile devices create threats for healthcare organizations.
1. Use of multiple mobile devices creates multiple data access points.
2. Devices are often unencrypted.
3. The use of personal devices is increasing (the BYOD trend).
When employees can access work-related data from essentially anywhere, it creates liability for a hospital or health system. "Although [hospitals] can install encryption software on employees' devices, if physicians are texting with unencrypted phones, the patient personal health information is still at stake," says Mr. Dagostino. "Knowing where your data is and how it is transacted is a key element of minimizing risks."
2. Outsourcing risks. Many hospitals and health systems outsource certain functions, especially administrative and back-office tasks, because it makes economic sense. However, some of the outsourced functions involve patient information, which can lead to security and privacy liabilities. "Even if the organization is just outsourcing document storage, patient information is being shared, and the outsourcing party could lose it," says Mr. Henley. "Also, many hospitals are shifting to the cloud. When the IT functions, infrastructure and software are outside the hospital's walls, the data security is also outside of their control."
Top breach triggers
Next, Mr. Dagostino covered root causes of data breaches. There are many different ways that data breaches occur in healthcare. Here are the nine most common causes of data breaches in hospitals and health systems, according to 2012 data from ACE's USA Healthcare Privacy Claim Trends report.
1. Human error — 20 percent
2. Hackers — 20 percent
3. Lost/stolen laptop — 15 percent
4. Paper — 9 percent
5. Lost/stolen tapes/CDs — 9 percent
6. Privacy policy violation — 4 percent
7. Lost/stolen USB — 4 percent
8. Software error — 3 percent
9. Lost/stolen mobile — 3 percent
How healthcare data breaches are different
According to Mr. Dagostino, healthcare companies are the biggest buyers of privacy insurance because they are breached so often. "It begins with the sensitive data that healthcare companies collect. Since the data is very valuable, there are a lot of companies who want it. Some pay for it and acquire the data in an honorable manner, but other parties choose to steal the data."
Here are six major reasons why data breaches are different for the healthcare industry, making them more prevalent and damaging:
1. Type of data lost
2. Complexity of rules and regulations
3. Common threats
4. Rigorous enforcement
5. Reputational harm
6. Costs
Financial burden of healthcare data breaches
The costs associated with data breaches can be extremely damaging to healthcare organizations, because beyond the direct financial costs there are also reputational costs. Within financial costs alone, there are two different types: first-party and third-party. Mr. Henley and Mr. Dagostino covered what these expenses comprise in the webinar.
Potential first-party costs include:
• Breach coach/consultant
• IT forensics firms
• Legal (compliance with regulations, indemnification rights)
• Notification
• Call center
• PR/crisis management
• Credit monitoring
• ID restoration and investigation
Potential third-party expenses include:
• Lawsuits (regulatory allegations, HIPAA/HITECH)
• Patient claims (emotional distress, mental anguish)
• Regulatory fines (HIPAA, HITECH, PCI-DSS, FTC)
• Attorney General inquiries/fines
• HHS/OCR audits and investigations
"Although you can categorize the first-party and third-party costs, there are always 'what ifs.' What if an employee didn't know what was on a USB [he or she] lost? If just 20 patients' information was threatened, do you need to identify all patients to be prudent?" asked Mr. Henley. "What if an employee lost a flash drive but was afraid to speak up? Ninety days go by, [he or she reports] the incident, but the hospital has already missed the HITECH 60-day reporting deadline. These are issues that insurance coverage can help hospitals cover," added Mr. Henley.
Privacy liability insurance coverage and benefits
Mr. Dagostino closed the webinar by touching on factors to consider when reviewing and purchasing privacy coverage. "There are three primary types of coverage: privacy liability, data breach expenses and network security liability. However, internet media liability, network extortion, business interruption and digital asset loss can also be covered," said Mr. Dagostino. "You cannot think of it as 'cyber' insurance. It is privacy insurance. The coverage needs to account for enterprise-wide risk, from IT to HR and from incident response costs to potential penalties," he added.
According to Mr. Henley, healthcare organizations should look for coverage for broad third-party liabilities as well as first-party expenses.
The following elements could be covered, depending on the privacy insurance policy:
• Independent contractors
• Temporary staff and part-time help
• Unencrypted data
• Hard copy documents and spoken word
• Mobile devices
• Third-party vendors related to your IT
If a hospital can turn to privacy insurance to offset the financial risk of a breach, it may be able to invest in a response that accurately meets its needs. "Understanding gaps in your data security reduces later risks. Taking proactive measures now may help you avoid a data breach for a period of time, and it will most likely limit the risk of the breach if it does occur," said Mr. Dagostino.