EXECUTIVE SUMMARY

Cyberinsurance is becoming a necessity for healthcare organizations. Coverage should include data breaches originating both inside and outside of the hospital or health system, as well as ransomware and malware.

• Understand the exclusions of a cyberinsurance policy.

• The number of files protected will influence the cost of coverage.

• Insurers will carefully assess your cybersecurity program.


Insurance to cover cyberattacks leading to data breaches, ransom, and interference with medical care is becoming more popular with hospitals and health systems, becoming almost as much a necessity as malpractice coverage and general liability insurance. Choosing the right coverage requires understanding the available options and the needs within your own organization.

The risk of a data breach and the potentially huge costs were highlighted in the recent $115 million settlement resolving a 2015 data breach at insurer Anthem. The breach exposed the records of 78 million members. (For more information on the settlement, see the story in this issue.)

Cyberinsurance can help minimize the risks arising from hackers and other vulnerabilities, but it is only one part of an overall cyberrisk program, says Kenneth K. Dort, JD, partner with the law firm of Drinker Biddle in Chicago. The type and extent of cyberinsurance an organization should buy depends on the types of data stored and processed by that company, as well as the amount of resources that the company can afford to devote to cyberdefense in general, he says.

The hospital or health system considering cyberinsurance needs to identify its specific vulnerabilities and threat profiles to ascertain what contingencies it wants to protect against, Dort says.

“This comes from a detailed exchange with its insurance broker who can then provide the company with multiple insurance options, packages, and pricing from which to select and which best meet its risk considerations and pricing needs,” Dort says.

There are many options covering the entire spectrum of risks and system protections, Dort notes. It is important to understand what any specific proposed package covers, he says.

Many packages also include access to relevant cyberexperts through the insurance company’s preferred panels, such as forensic investigators, attorneys, and credit-monitoring services. Those resources can be valuable, but if you are considering one of these packages you should confirm whether you still can use experts of your own choosing within such coverage, Dort says.

Variety of Options Available

Policies can vary widely from insurer to insurer, notes Steve Durbin, managing director at Information Security Forum (ISF), a nonprofit organization based in London. He says there are two primary areas of coverage to be familiar with: cyberliability insurance and cyberrisk insurance.

Cyberliability insurance provides cover for liabilities that an organization causes to its customers or to others, he explains.

“A sizeable market exists for these products. It can cover data breach and crisis management, including incident management, investigation, data subject notification, credit monitoring, legal losses, and so on, plus media liability for something like website defacement, extortion liability, and network security liability,” he says.

Cyberrisk insurance is used to cover direct losses to the organization. It is less common not only because insurers still lack meaningful data, but also because many organizations assume that their corporate or general liability policies will cover cyberrisk, Durbin says.

That may not be the case, Durbin says. Always check before assuming you are covered.

“Cyberrisk insurance may include some liability coverage, but it can more broadly cover liability, copyright, effects of malicious code, business interruption, cyberattack, technology errors and omissions, and intellectual property infringement,” he says. “The market continues to develop, and using insurance products to treat cyberrisk is an option for many organizations. It is important to note, however, that although insurance will transfer a precise amount of risk to the insurer, there will be cyberrisks that cannot be transferred and which an organization will have to deal with outside of any insurance policy.”

Now a Necessity

Cyberinsurance is necessary in the eyes of Avery Dial, JD, partner with the law firm of Kaufman Dolowich & Voluck in Fort Lauderdale, FL.

“In this era, you definitely need cyberinsurance,” Dial says. “Furthermore, data theft and loss are not the only concerns. Data-destroying malware and ransomware are also a major concern.”

These threats give rise to first- and third-party risks, Dial explains. For instance, a hospital may make a first-party claim when it must pay for restoration of data destroyed by malware. That same event may also cause harm to third parties who may sue the hospital for damages caused by the destruction of the data, he says.

“Cyberpolicies may cover both first- and third-party risks specific to cyberthreats. While many people have tried to stitch together coverage for cyberevents via commercial general liability policies or property insurance policies, businesses should not rely on traditional insurance policies to cover cyberevents,” Dial says. “The cost is worthwhile because it is necessary. It is almost inevitable that you, as a business, will experience a cyberevent — and the consequences can be quite costly.”

Like all insurance, your premium will be determined by your risk profile, Dial notes. There is no one insurance product that will fit all healthcare organizations, he says. With the help of an IT professional, the hospital should identify the particular risks to which it is most susceptible and insure against those risks, he says.

Healthcare organizations will be presented with multiple coverage options — coverage for breach notification, data restoration, extortion, and business interruption, and third-party coverage for data breach and privacy liability. Policies also may cover regulatory and government investigations and coverage for fines assessed by credit card companies in the event of a breach, Dial explains.

Threats Are Growing

Cyberinsurance is increasingly important in the healthcare industry, says Michael Tanenbaum, executive vice president of North America Cyber Practice at Chubb Limited, which provides cyberinsurance for healthcare organizations of all sizes. Healthcare organizations represent nearly one-third of all cyberinsurance claims for Chubb in the past three years, he says.

The company’s Cyber Index has tracked cyberinsurance claims since 2009. Tanenbaum says the trend is clear that healthcare organizations are among the most vulnerable to this type of loss. (The index is available online at: https://bit.ly/2KDKoyE.)

“Healthcare in general is represented in 31% of our cyberclaims in the past three years, and over the entire inventory of cyberclaims it represents 25% of our claims. That is 10 points higher than the next leading industry,” Tanenbaum says. “That is disproportionate to the amount of healthcare risk we write.”

Healthcare organizations may primarily think of cyberinsurance for covering the most obvious costs related to an accidental data breach, including notification, forensics, and crisis management, Tanenbaum says, but there can be substantial other expenses. Ransomware and destructive malware are growing threats, he adds.

Attacks in recent years have crippled healthcare organizations’ data systems, notably the May 2017 WannaCry attack that used a ransomware cryptoworm to target computers running Microsoft Windows, encrypting data and demanding ransom payments in the cryptocurrency Bitcoin. The British National Health Service was affected so much that patient care was compromised.

Another encrypting ransomware, NotPetya, attacked healthcare organizations in 2017.

“A medical transcription company was greatly impacted by NotPetya, and as a result a lot of hospitals could not perform surgery or do a lot of other healthcare operations because they had no transcription service. For that company hit by the ransomware it was a revenue loss, but the effects of that attack spread beyond that company to affect hospitals and other organizations,” Tanenbaum explains.

The transcription company announced that its transcription software was taken offline by the attack. Ten other products were affected as well, including those used for radiology, billing, and tracking quality of care.

Insurers have followed the expansion of cyberthreats by offering more types of coverage, Tanenbaum says. These may include incident response, risk transfer, and pre-breach security improvements.

Risk managers must find the right mix of coverage, addressing the risk of outside attacks like WannaCry and NotPetya while also covering the more mundane but very real exposures within their own organizations, Tanenbaum says.

“Our index of claims shows that the number-one issue for healthcare is internal employees, poor controls, lost and stolen laptops, and human error,” he says.

“Risk managers can be more diligent about training employees in things like how to handle paper files, phishing attacks, and what it means to click on links. Phishing represents roughly 40% of all the breaches we’ve handled.”

The need for cybersecurity and cyberinsurance has much to do with the value of protected health information (PHI) on the dark web, notes Roy Hadley, Jr., JD, special counsel with the law firm of Adams and Reese in Atlanta, and a former chief privacy officer. Credit card information used to be most sought by criminals seeking to use data fraudulently, but that has now been eclipsed by healthcare information, he notes.

Stolen PHI can contain far more data on a single person than just a credit card, making it more useful for stealing a person’s identity or committing other fraud, he notes. Credit cards also can be canceled quickly once the data breach is discovered, but healthcare PHI remains usable. That is why healthcare PHI trades for a much higher price on the dark web than credit cards or similar financial information, he says.

“The damage that can be done to an individual financially can be catastrophic. Because of the type of information any healthcare organization collects on its patients, the risk faced from losing control of that information is going to be high,” Hadley says. “I tell all clients to look at your risk profile and make cyberinsurance a part of your program if necessary, but for healthcare organizations the risk profile almost necessitates cyberinsurance for all of them.”

Hadley also advises healthcare clients to take advantage of the cyberinsurance application process to improve their cybersecurity. Underwriters for cyberinsurance will take a close look at how the organization addresses cybersecurity and price premiums accordingly, so going through that process can reveal opportunities for improvement, he says.

“Whether you get their insurance or not, you can see the holes in your program and then work on minimizing any issues that are found and patching the holes that they find,” he says.

The best way to begin seeking cyberinsurance is to work through the broker already providing other types of insurance for the healthcare organization, Hadley says. This person already will be familiar with the organization and should be able to access products from many insurers. Many of the options will be familiar from the organization’s other insurance coverage, such as retention or self-insurance figures.

The size of the organization will be a critical factor in determining the amount of coverage, Hadley explains, because many of the costs associated with a data breach are determined per patient or per record.

“If you are holding a million patient files in your portfolio, a big hospital system, then $1 million in cybercoverage isn’t going to help you. If you have a data breach, the cost of notification, credit monitoring, and other expenses can easily get to be $50 to $100 per patient. When you start multiplying that out, $1 million isn’t going to go very far,” Hadley says. “You also have to consider your risk exposure from, for instance, transferring files back and forth across different systems as opposed to being one standalone hospital that doesn’t carry as much of that risk.”

Watch the Exclusions

When selecting an insurer, inquire about the company’s payment history, Hadley advises. Cyberinsurance is still a relatively new product in the insurance industry, so hospitals should ask to see evidence that the insurer has a history of paying legitimate claims, he says. A lack of paid claims may indicate that the policies are written so as to deny many claims or that the insurer simply does not have enough experience in the field, he says. (For more on selecting an insurer, see the story on page 138.)

Also be wary of the boilerplate exclusion for acts of war or terrorism, Hadley says.

“If it is a nation-state actor like North Korea that is trying to access your hospital system, is that an act of terrorism or an act of war? Depending on how your policy is worded, that policy might not be applicable to your incident,” he says. “That becomes important when we see these countries involved in widespread cyberattacks.”

Policies also might specify that they will pay only for unauthorized access to data. That may sound reasonable since a breach is generally some type of unauthorized access, but such a provision could be problematic, Hadley says.

“The problem is that a rogue employee may cause a data breach that causes you harm, and some insurance companies will say that employee has authorized access so you are not covered,” Hadley says. “The exclusions and riders on the policy must not be so broadly written that they can exclude what would probably happen to you in a cyberincident — the whole reason you’re getting the insurance.”

SOURCES

• Avery Dial, JD, Partner, Kaufman Dolowich & Voluck, Fort Lauderdale, FL. Phone: (954) 712-7442. Email: adial@kdvlaw.com.

• Kenneth K. Dort, JD, Partner, Drinker Biddle, Chicago. Phone: (312) 569-1458. Email: kenneth.dort@dbr.com.

• Steve Durbin, Managing Director, Information Security Forum, London. Email: steve.durbin@securityforum.org.

• Roy Hadley Jr., JD, Special Counsel, Adams and Reese, Atlanta. Phone: (470) 427-3730. Email: roy.hadley@arlaw.com.

• Michael Tanenbaum, Executive Vice President of North America Cyber Practice, Chubb Limited, Warren Township, NJ. Phone: (866) 324-8222.