Cyber Liability Insurance
Data Breach Security is Key
Healthcare organizations that use electronic records, or are working towards that standard, face significant exposure to security threats and data loss. They are particularly susceptible to cyber-related security breaches, which can expose vital data including medical records, Social Security numbers, credit card information and other confidential patient or business information. Healthcare organizations can be liable for these breaches whether the data is on a computer, on paper or on other forms of media.
Most states have enacted laws requiring notification of security breaches involving personal information, paving the way for lawsuits against corporate board members and executive management for fiduciary breaches caused by a lack of proper cyber data protection.
Many organizations have thorough, well-planned policies, but mistakes by employees and vendors can still happen, and you can be held liable for them even with the best intentions.
Cyber liability insurance provides protection for risk not found in traditional insurance coverage, such as property, crime, directors & officers, errors & omissions, and other liability policies.
Cyber Liability Exposure: Where and by Whom?
- Hackers: Thieves have been trying for years to steal other people's personal information, and they will continue to try.
- Employees: No one enjoys considering the possibility of an employee stealing, but it can happen; and if it does, there will usually be no warning until it is too late.
- Third Party Vendors: Outsourcing services such as the disposal of sensitive documents, cloud computing, credit card processing, or temporary staff can all pose a risk.
What Types of Data Can be Protected?
- Laptops
- Paper Files
- Wireless Networks
- Cloud Software
- PDAs/Cell Phones
The HIPAA Security Rule
Establishes national standards to protect an individual’s electronic protected health information that is received, used or maintained by a Covered Entity.
- Requires appropriate ADMINISTRATIVE, PHYSICAL and TECHNICAL safeguards to ensure the confidentiality, integrity and security of ePHI.
- Requires providers to implement security measures, which help protect patients’ privacy by creating the conditions for patient health information to be available but not improperly used or disclosed.
- Covered entities were required to comply with the Security Rule by April 20, 2005. The Office of Civil Rights became responsible for enforcing the Security Rule on July 27, 2009.
Steps to Mitigate Cyber Liability
Step 1: Determine if you are a covered entity
A covered entity is one of the following:
- A Healthcare Provider*
- A Health Plan
- A Health Care Clearinghouse
*Only if information is transferred in electronic form.
Step 2: Provide Leadership
- HIPAA requires covered providers to designate both a privacy and security officer
- Record the assignment in a new security documentation file, even if you are the officer
- Discuss expectations and accountability
- Enable your security and privacy officer to develop a full understanding of the Rules
Step 3: Document your process, findings and actions
- Faithfully record all practice decisions, findings and actions related to safeguarding patient information
- Keep them in an electronic or paper folder
- Show why and where you have security measures in place, how you created them and what you do to monitor them
- Keep them in the event you are audited for compliance by CMS, HHS Office of Civil Rights (OCR) or the State Attorney General
Step 4: Conduct a security risk analysis: What is a security risk analysis?
- An examination and testing exercise to assess risk and create an action plan that makes your practice better
- It identifies and examines potential threats and vulnerabilities to protected health information in your medical practice
- It drives implementation of changes that make patient health information more secure than at present, followed by monitoring of the results
Step 5: Develop an Action Plan
After reviewing your risk analysis results, discuss and develop an action plan. An action plan should consist of the detailed steps you will take to improve your results in the following areas:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Policies and Procedures
- Organizational Structures
Step 6: Manage and Mitigate Risk: This step is focused on implementing your action plan, especially the below:
- Information security settings in your or your vendors' EHR
- Written Policies and Procedures
- Continuous monitoring of your security infrastructure
Remember the Basics
- Are passwords easily found (e.g., taped to a monitor) or easy to guess?
- Do you have a fire extinguisher that works?
- When, where and how often do you back up?
- How often is your EHR checked for viruses?
- Who has keys to your building?
- What is your plan if your server crashes and you cannot directly recover data?
Cyber Liability Insurance can be a vehicle for some Risk Mitigation
- Security and Privacy Insurance. Coverage for online and offline information, virus attacks, denial of service, failure to prevent transmission of malicious code
- Privacy Breach Response Costs. Coverage for PR, Advertising, IT Forensic, call center, call monitoring, identity theft restoration and postage expenses
- Regulatory Fines and Penalties. Coverage for fines/penalties for violations of privacy laws including HIPAA, HITECH and Red Flags Rule
- Cyber Terrorism
- Cyber Extortion
- Business Interruption
- Multimedia Expense. Coverage for media, copyright trademark infringement, libel/slander, plagiarism and personal injury
Step 7: Prevent with Education and Training
- HIPAA requires you as a covered provider to train your workforce
- Lead by example by adhering to your own policies and procedures
- Create a culture that values patients’ privacy
Step 8: Communicate with patients: Develop a patient engagement strategy.
- Communicate regarding security and confidentiality. Go beyond your NOTICE OF PRIVACY PRACTICES
- Address their health information rights, especially the right to access a copy of their electronic medical records
- Educate patients about how their information is used and may be shared outside your practice
- Prepare a proactive breach communication plan and materials
- Any electronic communication with patients should be reviewed for compliance
Step 9: Update your Business Associate Agreements
- Make sure your BAs are HIPAA and HITECH compliant
- If you electronically exchange protected health information with others, be sure your agreement with these vendors is up to date
- State how your business associates are accountable.
- Update your agreements as new and emerging information arises
Step 10: Review and Attest for Meaningful Use Incentives
- Register for the EHR Incentive Program
- Review requirements for security analysis and documentation
- Attest only after completion of all requirements
- Remember this is a legal statement so make sure you have met the requirements