What is Cyber Insurance?
As it turns out, this is not a simple question to answer. It means different things to different organizations. One thing is clear, whatever is covered under cyber-liability insurance is almost certainly not covered under an organization's general liability, errors and omissions, or malpractice policies. This is a beast unto itself, and an expensive one at that. Cyber-liability generally covers the following:
- Regulatory fines that may be imposed as a result of a data breach.
- Class action lawsuits usually brought under a state law claim such as negligence.
- Response costs for notifying individuals, the media, and HHS.
- Business interruption in case a cyber-attack stops your operations "dead in its tracks."
- Content liability for such things as copyright and trademark infringement.
This is not an exhaustive list, but it should give you a "feel" for the kinds of questions you should be asking your prospective provider. As you can tell from this list, the actual exposure behind many of these items is hard to quantify. Given this much uncertainty, it should go without saying that the policies available are not cheap and can run from $20,000 to $50,000 a year or more.
But as a baseline, you absolutely need to understand what it is that you are buying. Insurance policies are notoriously difficult to comprehend, and the "fine print" in the details is likely to "kill you." For example, as more and more providers continue rolling out patient portals for meaningful use, the ACA, and other reasons, Covered Entities may not understand that a "simple move to the Internet" increases their potential liability (e.g. what happens if your technology staff "borrows" photos and content from some other provider's website? You are now likely facing a copyright infringement lawsuit that you never anticipated). And if your cyber-liability policy does not include "content liability," then you are looking at paying out-of-pocket for (usually) very expensive litigation in Federal Court.
Further, you need to take a close look at the conditions set forth in the policy. If the policy is conditioned upon the organization implementing the "necessary and proper" security safeguards, then you could be paying thousands of dollars a year for illusory coverage. Most healthcare organizations are not even close to implementing the necessary and proper safeguards. In short, the insurance companies are not your friends. The reason for all the "fine print" and convoluted language is to avoid covering you if you fail to comply with every bit of the minutiae. For example, your policy is likely to include a "notice requirement," which means that within so many days after a breach or attempted breach you must notify your provider. However, you are not likely to notify until you have investigated sufficiently, and by then the notification period may have expired.
What Does the Cyber-Liability Risk Pool Look Like?
Anecdotally, although there has been a tremendous amount of discussion of late regarding cyber-liability insurance, there is no strong evidence that the healthcare industry, en masse, has adopted this approach. Therefore, the risk pool is rather small. When the risk pool is small, the premiums are going to be so high that only the dominant players can afford it. I may be going out on a limb, but most small to mid-size covered entities and business associates are not excited about paying $20,000.00 a year for additional insurance, especially when, as a condition of coverage, they are expected to have the "necessary and proper" safeguards in place. What about all the state and local government covered entities? Does anyone seriously think that their currently stretched budgets allow for the luxury of cyber-liability insurance?
Given a large enough risk pool, almost anything can be insured in a reasonably competitive manner. However, the current cyber-liability risk pool appears to be so small that cost-prohibitive policies are all that is likely to be available to the majority of market players. AND, even for the players who can afford them, the critical takeaway is CAVEAT EMPTOR.
How Much Coverage Is Available?
Well, the answer to that question likely depends on how much you are willing to spend. But for the purposes of this article, let's define a "small breach" as one in which 5,000 patient records were compromised. If we take a conservative estimate that it will cost you $200 per record to clean up this mess, then you would need at least a million dollars in coverage.
The Ponemon Institute is the market leader in coming up with these costs, and under their methodology $200 per record is really conservative; for healthcare it could be 50% higher. According to the Institute's 2014 study, the "average cost [for a breach] to a company was $3.5 million in US dollars and 15 percent more than what it cost last year." In other words, a million dollars' worth of coverage is not enough to cover the average breach. Consider that 50,000 records can now easily fit on a thumb drive and you begin to get a feel for the magnitude of the problem.
What Will Insurers Require?
As previously mentioned, cyber-liability policies are likely to contain language requiring that the "necessary and proper safeguards" be implemented as a condition of coverage. If you have not done a risk assessment and completely implemented the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule, then obviously you are not going to meet this condition, and your coverage will likely be denied. Moreover, if you store credit card information and have not complied with PCI DSS, then your coverage will also likely be denied.
What's the Alternative?
For the cost of one year's premium (or less) you can "stand up" a robust HIPAA Compliance Program, given the cost-effective solutions that are now available. Sure, you are going to need some help getting this done; but essentially a robust HIPAA Compliance Program is a cost-effective form of "self-insurance." For example, if you encrypt ALL your PHI, then even if the bad guys get into your network (and they will) there will be nothing for them to obtain. You can sleep at night knowing that encryption (according to NIST standards) allows you to take advantage of the Breach Notification Rule's safe harbor. Is encryption a panacea? NO! Is it worth doing? ABSOLUTELY!
Self-insurance is likely to be the ONLY form of insurance affordable for small to mid-size covered entities and business associates. The good news is that it is far less expensive than a cyber-liability policy. The bad news is that standing up a robust HIPAA Compliance Program is a non-trivial, wicked problem.