COPIC Comment: Protecting against the threat of cyber attacks

Tuesday, January 24, 2017 01:37 PM

by Ted J. Clarke, MD, Chairman & CEO, COPIC Insurance Company

Among the emerging challenges in health care, cyber liability has gained a lot of attention. A 2016 study by Ponemon Institute[1] found that health care organizations often “lack the money and resources to manage data breaches caused by evolving cyber threats, preventable mistakes and other dangers.” The study also estimates that data breaches could be costing the health care industry $6.2 billion.

Why are medical practices a target for cyber crime?
Health care entities have access to confidential and personal information, including medical records (electronic and paper), billing information (credit cards) and Social Security numbers. Compromised identities can be sold for as little as $50 each and can cost a practice at least $240 per year/per identity for the associated expenses after a data breach.

What are the key risks?

• Hackers, attackers and intruders: People who seek to exploit weaknesses in software and computer systems.
• Malicious code: Computer code that is intended to cause undesired effects, security breaches or damage to a system. This can include:
  • Viruses: This code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular webpage.
  • Worms: This code infiltrates systems without user interventions. They typically start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers.
  • Trojan horses: Trojans hide in otherwise harmless programs on a computer, and much like the Greek story, release themselves when you’re not expecting it. For example, a program may claim to speed up your computer system, but it actually sends confidential information to a remote intruder.
• Lost laptops and mobile devices: Laptops contain a vast amount of personal information on their hard drives and in temporary files.

How are health care providers exposed?

• Most breaches are caused by simple negligence
• Loss/theft of mobile devices or electronic files cause 68 percent of breaches each year
• Improper disposal of patient records
• Rogue employees
• Most sensitive data is not encrypted

How does COPIC help protect against these threats?
COPIC has embedded cyber liability coverage in our policies. In addition to addressing the risks previously mentioned, this coverage also addresses incidents that involve non-electronic (print) privacy breaches and patient identity exposures as well as business interruption issues. Actual de-identified examples of incidents we have dealt with include the following:
 
A medical practice mistakenly placed one patient’s information on a prescription for another patient. A notification letter was sent to the patient whose information was disclosed, and the practice received no response from the patient. The incident was reported to the Office for Civil Rights and the practice completed an updated security risk assessment. Had the patient responded to the letter, the practice would have provided 12 months of identity theft protection.

A medical practice had a power outage occur while its computers were backing up data. It led to a loss of data and the corruption of the files being saved. The computer issues were resolved, but the practice was unable to recover two days worth of data. A vendor was hired to assist with data recovery. No personal health information was compromised, but the practice experienced some business interruption. The data was able to be recovered and the practice was able to access the affected records and fully resume operations.

In addition, COPIC Financial Service Group can offer expert assistance to review added levels of coverage and protection that may be appropriate for certain medical practices.

COPIC recognizes that cyber risks are creating a new array of challenges where health care professionals need support. We continue to invest in resources such as a special report on data breaches (request a copy at www.callcopic.com/report). Staying at the forefront of emerging risks and offering practical guidance is one of the many ways we stand beside our insureds to help them prepare for the future of health care.

1 www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data-1