Cyberinsurance: A breach savior for healthcare providers, but read the fine print

Cyberinsurance can be instrumental in weathering a security breach of a provider's electronic health record system, but purchasers should review policies carefully since they vary widely, according to attorney Scott Godes, with Barnes & Thornburg in the District of Columbia.

"Unlike many other insurance policies, where you can predict what's in them before you open the cover, a cyberinsurance policy varies from carrier to carrier," Godes warned, speaking on a webinar held Aug. 22 by the American Bar Association's Health Law Section. "It's a different animal entirely," he said.

One of the few bright spots in the recent breach of Community Health Systems' computer systems, in which information for 4.5 million patients was compromised, is that the organization has cyberinsurance to cover much of its losses, Godes added. Still, the total bill for the breach could run as high as $150 million, according to Forbes.

Unfortunately, healthcare entities are at particular risk of cybercrime, and cloud providers, which store patient records for many healthcare organizations, are a prime target, warns Gary Githens, with Portland, Oregon-based Brown & Brown Northwest, who also spoke on the webinar. The average cost of dealing with a breach of patient records, he said, is now about $233 per record, including the cost of notifying patients and the government, legal fees, forensics, credit monitoring, staffing a call center and crisis management.

Provisions that healthcare entities should look for in a cyberinsurance policy, according to Godes and Githens, include:

  • Data breach notification and investigation costs
  • Policy limits. "Pay attention to how much coverage there is and what the deductible is," Godes says
  • Coverage for regulatory inquiries
  • Exclusions, such as for failure to maintain security
  • Business interruption and data restoration
  • Which service providers (forensics firms, outside counsel, notification and call center vendors) the policy allows the healthcare organization to use in the event of a breach

Healthcare entities also should review their contracts with their cloud vendors. Most contracts between a provider and its vendor favor the vendor when it comes to who bears the cost of a breach. Moreover, many business associate agreements are poorly written and fail to require that the vendor carry insurance covering data breaches specifically, rather than only commercial general liability coverage, which does not cover the same losses, according to Githens.

To learn more:
- check out the presentation (.pdf)