Cyber Insurance: Mid-Market Healthcare Providers: Endpoints, Medjacking, Security Budgets & HIPAA
An attack surface is the sum of all the points of entry through which an attacker can breach your environment. In a healthcare setting, endpoints go well beyond workstations, laptops, PDAs and cell phones to include networked medical devices and the software that runs them. “Medjacking” is the hijacking of biomedical devices to create backdoors into hospital networks. Malware has been found on imaging equipment and blood gas analyzers, as well as in software that manages surgery and treatment schedules, power systems, and the administration of medicine. Reimbursement uncertainty leads to tight information security budgets. This is why a custom-designed cyber insurance policy is a necessity to limit the financial and reputational cost of even an isolated cyber event.
Many small to medium providers don’t view HIPAA fines and penalties as a significant threat because they maintain a limited number of patient records. A review of HIPAA settlements for 2016 confirms that even breaches involving fewer than 50,000 records can result in catastrophic financial loss. For example, Raleigh Orthopedic Clinic, P.A. of North Carolina incurred a breach of 17,300 records erroneously released to a business associate; the HIPAA settlement was $750,000. The settlement is just one component of breach costs. The cost of the corrective action plan, computer forensics, breach response, lost revenue and the other expenses that accompany a breach involving medical records likely pushed this claim past $1,000,000. By comparison, the annual premium for a 20-physician practice is around $5,000 for $1,000,000 in coverage.
The latest firewall or anti-malware products will not prevent employee errors or stop a determined attacker. Too many small to medium sized providers rely on “short” cyber insurance limits included in a medical malpractice policy; these limits typically range from $25,000 to $100,000. As the example above shows, such limits are not remotely adequate to protect a provider from an isolated catastrophic breach, which need only affect a small number of patients. A well-crafted, stand-alone cyber insurance policy is a low-cost solution to a potentially devastating financial risk.