The Office for Civil Rights in the U.S. Department of Health and Human Services put out a “quick response checklist” on what to do if an entity has its customer or patient’s data exposed. It is a great resource and I would recommend that it be a part of every Medical Practice’s Emergency Response Plan.
With client and patient’s data being increasingly digitized, having a data breach is more and more becoming a reality for most businesses. This is especially concerning for businesses and medical practices that are considered “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA).
The major reason for this is the penalties attached to the law that most other businesses do not have to worry about. That is why, according to Ponemon Institute 2017 Cost of Data Breach Study, highly regulated industries such as Healthcare, Finance, and Education were well above the average in terms of cost per record. The overall mean cost per capita was $141. For the Healthcare Sector, it was $380 per record.
This being the case, the healthcare industry has to take more dramatic steps than other sectors to mitigate the chances of having a breach. Every Medical Practice should have as part of its Risk Management Plan, a section on Cyber Risk Management to address how they are going to safeguard their customer's data and what they will do in the event of a breach.
As part of that plan, it is essential to recognize the potential costs that are associated with this risk, and create a plan for how they are going to be paid should a breach occur. This is the case whether that is going to be in house funding, insurance or a combination of the two.
One big area of misunderstanding comes from practices that have purchased General Liability Insurance Policies and assuming that these policies will cover these Cyber related events. Most General Liability Policies exclude coverage for Cyber related events. If they do have coverage, many times it is limited down to a point where it becomes ineffectual.
With the purchase of insurance, the practice has to be careful to purchase the right kind of coverage, as well as proper limits. Each practice is going to be different so an individual approach and comprehensive risk identification process can help identify where there are potential exposures. Then the policy can be built around these findings.
Medical Offices face unique consequences when it comes to protecting their patient's information. We can’t always control what happens, but we can control how well prepared we are when it does. Having a comprehensive Risk Management Plan including insurance is an integral part of being prepared for these types of events.