Cyber attacks now occur consistently and typically in detectable forms and are concentrated in particular industries: health care, technology, biotechnology, finance, and legal. (1)
Cyber criminals target health care because they want to steal patient health information. A breach of protected health information (PHI) is a daily business risk. And a simple misstep can lead to an expensive breach incident that includes the loss of business income due to a suspension in operations and extra expenses incurred to remediate the breach.
Accordingly, medical practices need strong cyber security, a tested incident response plan, and comprehensive cyber liability insurance. These strategies can help to mitigate an embarrassing and costly data breach.
Business interruption coverage
Ransomware can cause a business interruption. If a practice cannot access its EMR/EHR because the database was illicitly encrypted, and if it is unable to regain access or does not have a data backup and recovery protocol, the resulting downtime could become costly due to lost productivity and extra expenses to replace the corrupted data.
Some cyber liability insurance policies include coverage for a business interruption loss. So if a practice is partially or totally interrupted by a “covered cause of loss” to its “digital assets” (computer programs or systems), the insurer will pay the projected loss of net income, after a specified “waiting period” and for a specified period of time, plus the continuing expenses to maintain business operations and the extra expenses to help the practice avoid or minimize the suspension. Covered causes of loss typically include accidental damage or destruction, administrative or operational mistakes, and computer crime and computer attacks that cause harm to the practice’s digital assets.
Extra expenses can include overtime pay to staff to restore lost or damaged records and to respond to an Office for Civil Rights (OCR) breach investigation and an extensive Data Request. (If the breach involved over 500 records, the practice must report the breach incident within 60 days to the OCR and to the local media, as required under HIPAA.) In some cases, these extraordinary expenses can be greater than the revenue lost from the business interruption.
It is not unusual after a breach notification for a practice to experience a reduction in income due to a drop-off in patient appointments. In most cases, this reduction stops and income returns to its pre-loss levels.
Contingent business interruption coverage
More and more practices use cloud computing technology to host their patient and billing data. A practice that is entirely dependent upon a cloud service provider (CSP) to store and access patient information can also suffer an unexpected suspension of operations. If the CSP’s on-demand access is down due to a hardware failure or denial of service attack, this downtime could result in a simultaneous business interruption for the practice too.
Some cyber liability policies also provide coverage for Contingent Business Interruption and Extra Expense. This pays the loss of business income, plus continuing expenses to maintain business operations and extra expenses, due to a suspension in operations caused by a covered cause of loss to the operations of a third-party vendor on whom the practice is dependent for its own operations. For example, this coverage may be triggered due to “cloud failure,” defined in one policy, in part, as:
“‘Cloud failure’ means any unannounced and unplanned failure of a ‘cloud service provider’, located anywhere in the world, to provide you access to the computing resources described in a ‘vendor agreement’ within the parameters described in such ‘vendor agreement.’” (3)
Business continuity coverage
A medical practice’s failure to properly safeguard its PHI from unauthorized disclosure may also result in lasting harm to the practice’s reputation. As one commentator noted, “You can back up your data, but you can’t back up your brand.” (2)
Some cyber liability policies also provide business continuity coverage for reputational harm resulting from a negative media report or notification to affected patients following a security or privacy breach. This would pay the projected loss of revenue, or what the practice would have expected to earn. This is additional coverage, beyond the insurer just paying the costs for crisis management, such as public relations expenses to mitigate damage to a practice’s reputation.
It is advisable to check with your medical professional liability carrier or with your insurance broker — prior to experiencing a business-altering cyber attack — to determine if your existing cyber liability policy or business insurance includes coverage for business interruption, contingent business interruption, and business continuity. This financial protection may make the difference in keeping your practice doors open in the event of a security breach.
1. eSentire. 2017 Q2 Quarterly Threat Report. Available at https://www.esentire.com/resources/knowledge/2017-q2-quarterly-threat-report/. Accessed October 30, 2017.
2. Sanger M. Protecting your firm from vendor risks. ALM Law Journal. August 2017.
3. The Hartford. Business income extension for cloud service interruption. (Form 22 41 84 03 16)