Over 1,300 physicians were polled in a recent study conducted by Accenture and the American Medical Association on cyber security and how it affects physicians.
More than 4 out of 5 doctors reported that their practices had suffered some sort of cyberattack, be it phishing, computer viruses, ransomware, hacking, or inappropriate insider access. 74% of the physicians were concerned about the interruption these threats posed to their practices and the possibility of compromised patient records.
Despite the mounting threat and growing concerns, most doctors (85%) believed that sharing electronic personal health information is important and expected to see a growing trend in telemedicine and the adoption of patient-generated health data.
So how do physicians go about protecting themselves and their practices?
PRA's cyber security guru, Joan Kassel, weighs in:
There is no doubt in my mind that everyone, whether on a personal or business level, has been breached. It’s become more of a waiting game to find out when the breach occurred and how it has affected you.
Most physicians are under the impression that, should a breach occur, their Business Associate (BA) would be responsible. I encourage you to take a closer look at the Business Associate Agreement (BAA), which likely includes a “hold harmless” clause (which lets them off the hook completely), or the BA may agree to send notifications to affected parties.
The truth is, the physician is ALWAYS responsible for the protection of patients' PHI & PII. Should a HIPAA audit occur following a breach, it is likely that the physician will be the one audited. Believe me, you don't want to go through one of these without legal counsel. There are 2 choices in handling the attorney’s fee: the physician can pay out of pocket, or they can purchase cyberliability insurance.
Other scenarios that could put you in a position between paying it yourself or letting the insurance company handle it include fines/penalties for HIPAA non-compliance, business interruption, and third-party claims.
Some data reveals that expenses affected by a breach could reach upwards of $217 PER RECORD. Multiply this by the number of records in your practice and the need for cyberliability insurance becomes more apparent.
Most medical malpractice insurance companies include limited cyberliability in their policy; however, since the amount included is often minimal, our clients have the option to purchase up to $1,000,000 in coverage for less than $600 per year and no deductible (based on a solo practitioner). That is less money than you would spend on 2 phone calls to an attorney in the event of a breach.
If you already have cyberliability insurance with us, you can always refer to our ThinkHR program to learn more about HIPAA regulations and how to comply with them to protect yourself and your practice.
If you think you're covered by your commercial insurance policy, read the fine print, read all the definitions, read all the exclusions... know what you REALLY have and how to comply with the standards!