Thinking of buying data breach insurance? Here are some things to consider
A practical look at information technology issues and usage
A new type of insurance is designed to protect health care organizations from a crippling financial loss in the event of a data breach. The stand-alone insurance policies would cover the expenses a practice can expect when a data breach occurs. And those expenses are rising each year.
The per-patient costs associated with a breach have risen to more than $200 for notification and loss of income, according to the Ponemon Institute, a research firm in Traverse City, Mich. And the government now has the power to impose hefty fines against health care organizations that fail to protect their patients' privacy. A policy covering these costs may offer peace of mind to practices that would be devastated if a worst-case scenario happened, say sellers of data breach insurance.
Peace of mind comes at a price, however. Practices are left to wonder if buying a policy is a small price to pay for protection from a breach that could cost the practice millions. Or is that money better spent on beefing up data security? Data breach insurance doesn't absolve practices from complying with federal rules on ensuring data privacy and security.
Security and liability insurance was created about 10 years ago for the financial industry after the Gramm-Leach-Bliley Act, passed in 1999, included mandates for financial institutions to protect their clients' private information. Typical business insurance policies cover loss caused by events such as fire and floods, but not by breaches.
It wasn't until six years ago, as health care institutions started to become more digitized, that the insurance industry realized that, like financial institutions, health care organizations had a lot to lose.
Stakes on protecting patient privacy were raised even higher with the passage of the Health Information Technology for Economic and Clinical Health Act, part of the 2009 federal economic stimulus package. This strengthened the regulations of the Health Insurance Portability and Accountability Act.
The HITECH Act not only required notification of any breach involving 500 or more patients to those affected, the Dept. of Health and Human Services and the local media, it also imposed penalties for noncompliance that could reach $1.5 million per violation.
Selling physicians protection
Agents initially started looking at hospitals, thinking their exposure was greater because of their size, said Tracey Vispoli, vice president and global cyber security manager for the Chubb Group of Insurance Companies, a group of property and casualty insurance underwriters who have created a security and liability policy geared toward small practices. But the company came to realize that physicians might be a better sales target.
"The smaller you go with an organization, you think the less exposure you have," she said. "In fact, it's the opposite in many respects. Those are the entities that don't necessarily have an information security person on staff or resources to put around information security."
Howard Bergstein, an insurance agent in Maywood, N.J., who has worked with the financial sector for several years, started focusing on the physician market a year ago when he learned that few small practices carry data breach coverage.
Bergstein said premiums for a policy covering a practice of five or fewer physicians average $5,000 annually for $1 million worth of coverage. The policy includes the cost of notification and credit monitoring for those affected, a PR agency to perform reputation rebuilding, an investigation into the breach, legal defense and any compensatory damages, judgments and settlements. The policy covers breaches caused by both the practice and third parties.
Robert Tennant, senior policy adviser for the Medical Group Management Assn., had never heard of this coverage. But for a practice to analyze the potential benefit of buying such a policy, he said, it needs to have a full understanding of what potential damages a practice faces in a breach.
It's not just stamps and postage to conduct notification, he said. The biggest challenge is calculating the monetary loss from the damage to a practice's reputation.
He said he's not sure he would advise practices to buy coverage without considering if the money could be better spent on securing their systems and strengthening their data protection procedures and processes.
Does it pay for fines?
Demand for the policies will depend on the actions of the government in terms of fines they decide to levy and whether the policies will cover these costs, Tennant said.
Boilerplate policies do not include coverage of fines that could be levied by state agencies or HHS, Vispoli said. That coverage could be added, however, as an amendment to the policy, and additional fees would apply. She expects coverage of penalties and fines to be included in future policies.
Though Vispoli believes proactive planning is a good practice, she said a practice cannot erase its risks entirely.
"There's a very good chance that [an] organization has taken proactive steps to make sure their buildings don't burn down by fitting them with sprinkler systems, and yet they still buy a property policy," she said.
A December 2010 survey by information technology company CDW found that many practices haven't even taken small proactive steps to protect themselves as they prepare for adoption of electronic medical records. The survey of 200 practices that have not yet installed EMRs found that 30% do not use anti-virus software, 34% do not use network firewalls and 28% do not encrypt their networks.
Tennant said encryption is the simplest solution for a practice to protect itself. Under the HITECH Act, the practice isn't obligated to take further action if lost or stolen data are encrypted. Nearly as secure, he said, is a policy preventing mobile devices carrying sensitive data from leaving a practice.
Tennant believes the mere existence of insurance such as this will, at the very least, get physicians to pay more attention to data privacy. Whether practices invest in the insurance or not, they still need a plan for what happens in the event of a data breach.