Cyber Liability Concerns for Healthcare Facilities

May 7, 2019

It is no secret that technology has transformed the healthcare industry. From patient tracking to developing innovative treatment protocols and managing facility providers, staff, and assets, technology has been behind some of the most dramatic advances in healthcare delivery. With more and more healthcare facilities relying on computer-based systems, however, the potential risks have evolved. Among the chief risks is that of cyber liability. In fact, healthcare cybersecurity is one of the top safety issues for today’s healthcare providers. U.S. Risk Underwriters, one of the nation’s leading providers of specialized insurance solutions, knows that cyber liability concerns can wreak havoc on a healthcare facility and its operations. In this guide, we will explore some of the liability issues revolving around cyber exposures, then present tips for defending facility staff members and financial assets from loss.

Data Breaches: A Growing Healthcare Problem

Over the past decade, cyber criminals have been responsible for billions of dollars in business interruption and lost revenue. These criminals target the data that is crucial to business operations. The healthcare industry has not been immune to the onslaught of cyber crime; in 2018 alone, over 500 incidents were reported, compromising the personal health records of over 15 million patients. It is estimated that on average, each of these attacks cost about $3 million in fines, lost business, stolen funds, and forensic analysis after the incident. Attacks take several forms, with the most prominent being known as ransomware attacks, which hold sensitive data hostage until a ransom is paid by the organization to the criminals responsible for the attack. In worst-case scenarios, cyberattacks have made healthcare providers utterly unable to access records, severely limiting patient care and putting patient health at risk.

Electronic patient records have been adopted by most healthcare systems across the United States. These digitized records allow for more efficient handling of patients, from the treatments they have received to their insurance billing records and personally identifying information. Privacy of these records is paramount, and electronic patient records are addressed by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Unfortunately, electronic patient records are a lucrative target for cybercriminals. To make matters worse, an industry survey conducted in 2017 revealed that only about 15% of healthcare organizations have a dedicated information security officer on staff, and less than half of all polled organizations perform routine security assessments. Those shortfalls have improved somewhat since 2017, but the major takeaway is that many healthcare facilities are woefully underprepared for cyber attacks.

Protecting Sensitive Patient Records: Reducing Cyber Liability Exposures

What can healthcare organizations do to fight back against cyber criminals? There are many possible solutions, but it is important that healthcare facilities adopt a multi-level cybersecurity approach to ensure that sensitive records do not fall into the wrong hands.

Risk mitigation strategies for healthcare facilities include:

• Having IT security professionals on staff. There is simply no excuse for a healthcare organization to not have specially-trained computer security specialists, especially as more computerized patient care systems are adopted. Barring in-house staff, third-party security vendors are available to protect sensitive records from breaches.
• Performing routine and regular system maintenance, including updating hardware and software, applying security patches, and probing for vulnerabilities.
• Creating and implementing a cybersecurity action plan, which provides stakeholders with a roadmap for reacting to and recovering from a cyber attack. Good action plans contain policies and procedures for all potential cyber threats, including ransomware attacks, data breaches, and disaster recovery.
• Creating backups of all sensitive computer information. Backups assist in instances of data recovery as well as ensuring access to critical information if a system becomes compromised in any way.
• Providing regular cybersecurity training to all staff members, especially those who have access to vulnerable or sensitive data management systems. With appropriate training, the risks of a cyber breach drop dramatically – staff better understand their individual roles in keeping data safe from intrusion or loss.

Ensuring adequate cyber liability insurance coverage. U.S. Risk Underwriters and many other insurance brokers offer specialized insurance packages, each designed to protect business assets from the exposures and losses associated with cyber crimes. ◼