With all of the health data breaches reported recently, it's not surprising that more and healthcare providers have been purchasing data breach insurance, aka cyber insurance or network security insurance. While this kind of coverage won't stop anybody from stealing or losing personal health information, it could help hospital executives sleep a whole lot better.
Larry Harb, president and CEO of Okemos, Mich.-based IT Risk Managers, told FierceHealthIT that his company's revenue from data breach insurance has increased in double-digits for 10 of the 12 years the firm has been in business. Lately, with the rapid growth in digitized clinical data, sales have accelerated even more, he said.
Cyber insurance actually dates back to the late 1990s, when companies began to realize that traditional property insurance didn't cover data loss or theft. Up to that point, Harb said, insurance claims could be triggered only when there was physical damage, such as that caused by a fire or an auto accident. So insurers began writing new policies that specifically covered data and the harm caused by losing control over it.
The kind of information covered by data breach insurance does not necessarily have to be online or on electronic media. For example, Harb noted, Massachusetts General Hospital was sued in 2009 after an employee left a printout containing names of HIV-positive patients on a train. In addition, MGH had to pay a fine for a HIPAA violation.
Data breach policies cover HIPAA fines and penalties, according to Harb. They also pay defense costs if somebody sues a healthcare provider, and they may cover judgments, as well. These kinds of suits, he added, usually are class actions, which require a minimum of 20 plaintiffs. Most cyber insurance covers class action suits.
However, he pointed out, "there are no standardized data breach policies. Every policy is different. When we write a policy for a hospital, we're going to customize that policy to meet the needs of the client."
Big property and casualty insurers underwrite most of these policies, noted Harb. Among them are Lloyds of London, Chartis (formerly AIG), Hitchcock and Beazley.
Cyber insurance usually covers "third party liability" for damages to parties other than the insured. But some policies also cover the hospital itself for the costs involved in patient notification, reimbursement of victims and so forth, Harb said.
Business associates of providers cause many data breaches. Last September, for instance, Stanford University Hospital discovered that a billing contractor had inadvertently posted a spreadsheet containing information on 20,000 of its ED patients on a public website. In that case, the billing service accepted responsibility for the data breach.
Harb observed that many contracts between hospitals and third parties now contain clauses that hold hospitals harmless for data breaches by those third parties. Whether or not a hospital is able to include such a clause depends on its negotiating power, he added. Without the indemnification clause, the liability for data loss belongs to the hospital.
Healthcare providers are becoming increasingly aware of their vulnerability to data breaches. Last year, according to the Ponemon Institute, reported incidents of data loss and theft increased by 32 percent.
"Every time there's a breach, more and more people jump onboard cyber insurance, because they say, 'This stuff can happen to me,'" Harb said.