Network Risk Insurance: 4 Points on Protecting Yourself in the Digital Age

Health Information Technology
Michael J. Sacopulos is the CEO of Medical Risk Institute -

This article is written by Michael J. Sacopulos is the CEO of Medical Risk Institute (MRI) MRI seeks to reduce liability exposures faced by healthcare providers.

You may be playing a high tech game of Russian Roulette with your practice and not even know it. The past several years have seen a growth of claims against providers for the accidental release of patients' private health information. Whether a system is hacked by Eastern European criminals or a laptop is left on a metro train, the consequences for both patient and provider can be expensive. The days of warnings and remedial action plans have been replaced with a new era of fines and penalties for this privacy breaches. Earlier this year the South Shore Hospital in Massachusetts paid $750,000 to settle a claim; a box of backup tapes from the hospital was lost while in route to a company the hospital had hired to erase and resell the tapes. In Atlanta, Emory Healthcare is at risk of being fined $200 million for losing 10 discs that contain personal data such as social security numbers for about 315,000 patients. Several months ago the State of Utah announced that its systems had been hacked by individuals based in Eastern Europe. The State estimates that approximately 750,000 patients' confidential information could have been compromised.

The claims against South Shore Hospital alleged the failure to: implement appropriate safeguards, policies and procedures to protect the information; have a business associate agreement in place with Archive Data; and properly train its work force on health data privacy. Healthcare providers should realize, it may not just be a governmental agency coming after them. Lawsuits can arise from a single patient or from a group of patients — Emory Healthcare's alleged data breach has given rise to costly class action litigation. Litigation of this nature is outside of coverage provided traditional medical malpractice insurance.

Understanding Your Options


Health care providers have several options for addressing their cyber risks. Many providers try to be cautious and hope for the best. To these providers I say "best of luck." Other providers realize Health and Human Services (HHS) is not firing blanks anymore and take a proactive approach by securing an insurance policy to cover this exposure. These policies generally come in two varieties: Cyber Liability insurance and Network Risk insurance.

Cyber Liability policies provide coverage for liability that arises out of unauthorized use and unauthorized access to your electronic data within your network or business.

Network Risk policies provide coverage for liability that arises out of negligent use of your electronic data within your network or business.

The coverage typically includes:

1. Liability of the insured arising out the of failure to protect private data
2. Remediation and response following a data breach
3. Fines and penalties that are incurred to investigate and defend claims.

Other areas of coverage are available but may not be typically provided. These areas of coverage include: malicious code, extortion, unintentional acts, mistakes, errors, omissions, virus, security breach, personal and advertising injury, loss of use, copyright infringement, trade and service mark infringement.

The events that trigger insurance benefits under a Network Risk or Cyber Liability policy vary. These events usually include a failure to secure data, losses that may be caused by employee acts, sometimes acts by a third party can be included and losses that result from theft or disappearance of private property that could comprise network security. All policy forms are different and may not contain each of these elements. Policy coverage should be selected to meet the needs of the healthcare provider.

Policy Exclusions


Exclusions are varied and each policy should be examined closely. Julie Davis, the Vice President of Heffernan Insurance Brokers, says most policies do exclude patent infringement, willful acts and certain types of fines.

“Over the past year there has been an expansion of carriers and coverages offered. The marketplace is competitive. Some carriers now offer pre-negotiated breach response costs coverages and other types of risk management services that complement the policy. They could include crisis management services, notification of affected customers and credit monitoring. The size of the business, number of customers and type of data will affect the costs of these policies,” Davis said.

Coverage varies for EMR Systems


The growth in the use of Electronic Medical Record systems has increased the need for cyber insurance. Depending on the size and functionality of a provider's electronic medical record system the coverage and cost of a policy may vary.

Ms. Davis recommends that providers secure a HHS Safe Harbor Certification. “Obtaining HHS Safe Harbor Certification is helpful in reducing the cost of a breach, reducing the likelihood of a data breach, making an actual breach more defendable if a company has Safe Harbor Certification. Also, this can reduce the cost of insurance for selected firms,” Davis said.

Strategies to Minimize Your Cyber Exposure


Healthcare providers have never been exposed to great cyber liability risks. To avoid a costly breach, healthcare facilities and companies should adopt the following objectives:

• Assess your privacy and security policies and make sure they comply with state and federal laws and regulations
• Train your staff annually on HIPAA related compliance
• Perform routine assessments to identify any potential holes in its HIPAA related compliance
• Secure insurance to cover yourself in the event of a data breach


By focusing on HIPAA and HITECH compliance efforts, a healthcare facility greatly reduces its chance of a data breach. Unfortunately, no degree of planning and effort can completely eliminate all cyber risks. For these risks, it is wise to protect yourself with cyber liability insurance.

Michael J. Sacopulos is the CEO of Medical Risk Institute (MRI) MRI seeks to reduce liability exposures faced by health care providers. Sacopulos also serves as General Counsel for Medical Justice Services, Inc. He may be reached at msacopulos@medriskinstitute.com.

Related Articles on Business Office / Accounting / HR:

Study: Most Patients Reluctant to Disagree With Physicians
5 Reasons to Improve Surgery Center Quality and Efficiency With Automation
Editorial: Why You Shouldn't Copy and Paste in EHRs

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.