To augment the potential costs of data breaches, some hospitals are turning to data breach or cyber risk insurance as part of an overall risk management strategy. Cyber risk insurance typically provides coverage for data breach response costs, regulatory and legal fines and liability resulting from a data breach. Due to the lasting and severe implications of data breaches, hospital and health system executives need to choose data breach insurance plans carefully.
According to a report from ID Experts, there are 10 steps a hospital or health system can follow to guide its selection of — and preparation for — data breach insurance.
1. Assess the hospital's risk situation. Before choosing a data breach insurance plan, a hospital should conduct an evaluation of its overall risk as well as the sensitivity of its data. Factors such as amount and type of data, prominence of the hospital, available technology infrastructure, current data protection and prevalence of mobile device usage could influence a hospital's risk. According to ID Experts, the hospital's prominence and the magnitude of its sensitive data could push it toward a higher level of protection, whereas secure data protection and sound technology infrastructure may allow the hospital to purchase less protection.
2. Perform a formal risk assessment. Having a risk assessment on file may speed up the insurance underwriting process and lower insurance premiums, according to ID Experts. In addition, performing a comprehensive privacy and security risk assessment helps identify, evaluate and mitigate gaps in a hospital's security and privacy program. Lessening those gaps can reduce breach risks and lower exposure if a breach does occur. While every hospital should conduct a risk assessment, performing one as a precursor to purchasing data breach insurance is a good idea.
3. Discuss insurance choices with a variety of departments. The discussion of data breach risks and risk management options should be cross functional. When executives work together, they may more accurately quantify and evaluate risk as well as develop a cost-benefit analysis to determine if cyber risk insurance is the right investment. Officials and administrative leaders from a variety of the hospital departments — representatives from clinical, IT, legal and executive areas — should be involved.
4. Determine financial resources available for breach response. When officials identify how much of the hospital's finances they are willing to use for data breach costs, the negotiations for premiums and deductibles are more worthwhile. Since data breaches can cost close to $471 per exposed patient record, the premium and deductible discussion is extremely important. For instance, if hospital officials decide on a deductible of $1 million but only experience a few small data breaches the next year, the hospital would not reach its deductible and would have to cover the data breach costs independently. This would only be a problem if the officials had not analyzed the hospital's financial resources and prepared accordingly.
5. Understand insurance coverage options, evaluate carefully. It is important for a hospital to understand insurance options and evaluate them carefully because no carrier offers exactly the same insurance. Limitations on the coverage can vary widely based on the carrier and the hospital's risk profile. According to Christine Marciano, president of Cyber Data Risk Managers, an independent insurance agency specializing in data privacy and cyber liability risk, there are approximately 30 different insurance companies offering cyber risk insurance, such as Wells Fargo Insurance Services, S.H. Smith & Company, Kiln Group and INSUREtrust. "All the companies vary in the coverage they offer. The insurance is on a policy-by-policy basis right now," says Ms. Marciano. For instance, limitations could include third party or contractor breaches; offline or non-technical breaches; and breaches from lost devices including laptops, flash drives, tablets or mobile phones. "A hospital needs to look at fine details of the data breach insurance policy so limitations and response procedures are clear," says Doug Pollack, chief strategy officer at ID Experts.
6. Find a knowledgeable broker. The ID Experts report recommends a broker who has experience with the healthcare industry as well as data breach insurance carriers. A broker who understands the industry and the insurance can break down and compare offerings from different insurance carriers. Brokers often offer services that can help a hospital identify and mitigate its risks as well as validate its need for a data breach insurance policy.
7. Take advantage of value-added services. According to ID experts, some insurance brokers and carriers offer value-added services to help reduce breach-related risks, which hospitals should evaluate as part of the overall insurance offering. Value-added services could be free consulting or legal advice, access to portals with security resources, educational webinars and policy templates.
8. Approve preferred vendors before policy is final. Mr. Pollack recommends negotiating vendor options before a policy is final. If a hospital uses a vendor for their data security tools, they may want to use the same vendor to mitigate a data breach. However, some insurance carriers may prefer to dictate the vendor a hospital uses. "If a vendor list is open, the insurance company will recommend a certain vendor for data breach coaching, for forensic analysis and for call center set up etc.," says Ms. Marciano. "If the vendor is not on the insurance company's list, it would need to be preapproved," says Ms. Marciano. A hospital needs to know if they want vendor choice before they select an insurance company.
9. Understand how to integrate the insurance claims process with hospital processes. Hospitals should understand how and when to involve the insurance carrier if a data breach occurs. A data breach insurance policy could change the way the hospital internally manages data breach incidents. According to ID Experts, a hospital should look at documenting and reporting procedures as well as response timelines to identify any differences in protocol.
10. Resolve any conflicts to avoid pitfalls. Pitfalls most often occur when insured hospitals do not fully understand the policy. For example, as mentioned above, the flexibility in vendor options is often a point of contention once a data breach occurs. According to ID Experts, it is best to resolve these conflicts before binding the policy.
Changes in federal regulations and the onslaught of health information technology have brought data breach insurance to the forefront of the healthcare industry. Like any insurance plan, the terms and costs of the policy depend on the healthcare organization and its needs as well as the insurance company itself. A hospital or health system that can carefully understand and evaluate options will have an advantage in choosing data breach insurance.
More Articles on Data Security: