Our Healthcare Symposium speaker John Southrey, CIC, CRM speaks about the total cost of a cyber risk in the following article.
To hear more from him and other great speakers, register for the Healthcare Symposium November 13 at Amegy Bank here.
The financial impact of a data breach can be much greater than expected. Businesses often underestimate the probability, prevalence, and severity of cyber-attacks. The actual costs of remediation and damages can be significantly higher than anticipated, and higher than what is typically reported.
Determining the total cost of cyber risks requires a health care organization to engage in the fundamental processes of risk management:
- risk identification
- risk analysis
- risk control
- risk administration
- risk financing
Risk financing involves assessing the potential direct costs from an organization’s cyber exposure, as well as assessing the indirect costs associated with breach incidents that could interrupt normal operations. Interruptions could result in disrupted patient care, lost productivity, lost income, and extra expenses to continue operations.
Potential direct costs may include:
- legal fees
- IT forensics
- data restoration
- patient notifications and credit monitoring
- public relations and media releases
- call-center support
- regulatory fines and penalties
- third-party damages
Potential indirect costs may include:
- business interruption (e.g., your cloud-based EHR vendor is hacked and service goes down)
- patient churn and reputational harm
When conducting a comprehensive risk analysis, an organization must also vet its third-party vendors’ data security controls. Breach events can arise from the actions of any person or entity that interacts with an organization and can access its sensitive personal information. (Your responsibility for patient privacy is not eliminated when one of your vendors stores ePHI on your behalf; it is your patients’ data, and you may be held responsible for its security.)
Many health care organizations invest in cyber insurance or what is commonly called “cyber liability coverage” to mitigate the direct and indirect costs of a breach event. Purchasing this coverage should be included as part of the organization’s business contingency planning.
Cyber insurance is a distinct insurance policy that provides both first-party coverage for your own losses and third-party coverage for damages arising from your legal liability to others. Cyber insurance coverage forms are not standardized, and as threats evolve, so will the coverage.
When purchasing cyber insurance, consider the following three questions:
- What limits of liability does your organization need?
- What is the scope of coverage? What is and is not a “covered loss,” and what constitutes a “claim”?
- How will you calculate your cyber exposure to loss (e.g., using loss modeling or online “breach calculators”)?
It is also vital to know who is insured under the insurance policy. For example, the insured can also include any subsidiary, officer, director, trustee, employee, agent, or independent contractor (while acting on behalf of the insured), and any person or entity to whom the insured is contractually obligated to provide such coverage.
As the forms of connected technology used in health care increase, so will the cyber risks. Therefore, health care providers will need assistance in mitigating the proliferation and diversity of their cyber vulnerabilities, including help with their risk assessments, hardening their IT systems, workforce data security training, and procuring the proper cyber insurance.
About the author:
John Southrey, CIC, CRM is the director of consulting services. John leads the development and marketing of TMIC’s standalone cyber liability and technology errors & omissions liability insurance for medical groups, Health Information Exchanges, health IT firms, and law firms at TMLT. He also administers TMLT’s corporate insurance program, including its cyber insurance, and speaks about cyber liability insurance issues throughout Texas.
John has been with TMLT since 2004; he previously worked in the claims department as a claims supervisor and in the sales department. John has more than 37 years of experience in the commercial insurance industry, including 20 years as a commercial insurance agent and sales manager, and he is a certified insurance counselor and certified risk manager. John has written numerous articles and blogs on cyber insurance-related topics, developed a 1-hour CME-accredited program titled “Do You Know Your Cyber Risks?”, and authored the monograph "Complete the Circuit: Insuring Electronic Data Processing Exposures" for the National Alliance for Insurance Education and Research.