In response to COVID-19, clinicians have had to rapidly change the way they administer care, and these adjustments have put providers at greater risk for certain liability exposures, namely cyber security. As the country was forced to work from home and the tele-workforce reached new highs, our computer systems have become more vulnerable than ever. And the greatest area of risk, is your Electronic Medical Record (EMR) system.
Your patients' EMRs may seem innocuous, but these sensitive files represent one of the most lucrative targets for hackers. According to a study conducted by the FBI in 2014, EMRs can be worth anywhere between $50 and $1,000 - depending on the identity of the patient. This stands in stark contrast to the $1 paid per social security number or stolen credit card. One of the reasons EMRs are so valuable is because a breach is often harder to detect and the sensitive information included in them makes it easier to commit different forms of identity fraud. A stolen EMR could allow someone to file fraudulent insurance claims or gain access to prescription drugs. And if the EMR of an infant or young child is taken, it could take years before the victim or their family catch on versus in the instance of a stolen credit card where the illicit activity can usually be detected and the card deactivated within a matter of days.
In short, your EMR system is a treasure trove of information attackers would be eager to get their hands on. It also presents a serious threat to patient safety and your practice's financial well-being.
Due to the potentially devastating repercussions of a breach, it is important to safeguard your practice. The most common way to against these attacks and find adequate coverage. Below we will review the biggest threats to your EMR system and how to find the best insurance for your practice.
Hackers gain access to your computer system in any of the following ways:
They send an email to one of your employees with a corrupted link or malicious attachment. If your employee were to click on the link or download the file, the hacker will gain access to your system.
Malware enters your system a variety of ways, phishing, downloads, software vulnerabilities, and more. The damage it inflicts varies from stealing computer data or harming the host computer and network.
Ransomware is a type of malware that lock users out of their computer systems and demands payment to regain access.
Encryption Blind Spots
Data encryption is meant to protect data as it transfers between users and external cloud applications. However, since many EMR systems are still relatively new, encryption blind spots are often exploited by hackers. Attackers will use these flaws to avoid detection while they gather sensitive data from your EMR system.
More practices and healthcare organizations are turning to the Cloud to improve care and facilitate more communication between providers and patients. However, these new systems may leave sensitive information at risk and threatens HIPAA compliance.
The greatest threat to IT continues to be the possibility of human error. Hackers rely on catching intended victims unaware and often exploit current events to craft their messages. For instance, when COVID-19 first hit, IBM reported seeing a 6,000% increase in spam attacks, many of them focusing on healthcare facilities. Some of the common themes for these attacks, included promising additional personal protective equipment making them more enticing to open in lieu of the national shortage. The most effective step a practice can take to prevent becoming a victim of a cyberattack is ensuring all employees receive regular and up-to-date training on cybersecurity.
Your patient records hold great value to hackers and that they have a variety of ever evolving methods of gaining access to those records. Most professional liability policies provide some limited coverage for cyber related attacks, but the limits of liability provided can easily be depleted when a medical practice has been attacked. Purchasing higher limits is something every medical practice should do to ensure they do not have to dip into their own resources when responding to an incident.
Professional Risk Associates currently partners with several carriers to provide additional limits up to $1M and beyond. The coverage provided in these buy-ups is evolving to ensure that new threats are addressed. In recent years, coverage has been expanded to include cyber extortion, cybercrime, and dependent business interruption.
Dependent business interruption is an added enhancement to the network asset protection coverage component that covers a business's loss of income and interruption expenses incurred because of a third-party provider's system going down. In this case the 3rd party would be your EMR system.
Imagine losing access to your EMR system for several weeks. This disruption in your service will likely result in a loss of revenue while your system is down-especially given the current utilization of telemedicine. And once your system has been restored, you will be responsible for alerting patients to the breach and the loss of records could lead to litigation, costly legal fees, and expensive reparations to patients. However, if you have dependent business interruption coverage, you may be eligible to make a claim for the loss of revenue during this time. Professional Risk works with several carriers to provide clients comprehensive stand-alone cyber policy.
One of our partners, Beazley offers this coverage at $1M limits. Their technical definition is as follows: Dependent Business Interruption Loss Dependent Business Loss that the Insured Organization sustains because of a Dependent Security Breach or a Dependent System Failure that the Insured first discovers during the Policy Period. Dependent System Failure means an unintentional and unplanned interruption of computer systems operated by a Dependent Business. Dependent Security Breach means a failure of computer security to prevent a breach of computer systems operated by a Dependent Business.
The Doctors Company Specialty Underwriters offer this coverage at $1M limits. Their technical definition is as follows: Contingent business interruption means total or partial disruption or deterioration in the named insured’s business operations resulting directly from a data security event (other than a privacy event) to an outsourced provider’s computer system.
Obtaining adequate coverage and ensuring your staff is well versed in cyber security will reduce your exposure to these claims. If you would like a review of your cyber coverage, please contact your agent today.