Cybersecurity Insurance for Medical Practices -- the Basics
David J. Eismont, ARM, senior director of business development, The Doctors Company
The following provides an overview of what your practice can expect from a cybersecurity policy.
Coverages are typically split into two types -- first-party and third-party:
First-party coverage addresses the costs and expenses your practice incurs from a data security or privacy breach event, such as:
- A physician comes to the office and logs in to the computer, but the screen goes blank and a message pops up claiming to have hijacked the data and demanding payment to get it back.
The "extortion threat" section of a cybersecurity policy may assist with this type of breach. Professional experts hired by the carrier will contact the cyber criminals to attempt to get the data released, including potentially paying the ransom. The business interruption section of a cyber policy may provide reimbursement of lost profits during your downtime.
- A physician discovers her system has been hacked and worries her patients' personal health information may have been compromised.
If you discover your system has been hacked, your carrier can provide data breach response services to work with your IT staff to ascertain what happened. If patient records are compromised, the data recovery and restoration section of your coverage could reimburse you for the cost to decrypt, recover, restore, recreate, or recollect data.
- The CEO of a company sends an e-mail to the CFO instructing the CFO to move funds into an account. The CFO makes the transfer, only to discover that the CEO's e-mail was a spear phishing attack in which the sender's e-mail address was a clever fake, and those funds are long gone.
Your coverage's cybercrime section may cover the cost of the funds that were transferred. Employees who click on such phishing links could compromise your system. This section of your policy may also assist in those situations.
Third-party coverage provides protection from claims made against you by outside parties.
- It would not be unusual to have claims brought by regulatory agencies, such as the U.S. Department of Health and Human Services in the case of an alleged HIPAA violation involving a breach of patient records. Cybersecurity coverage for regulatory fines and penalties may allow for payment of fines on your behalf.
- If your practice accepts credit card payments and is not PCI-compliant (adhering to the Payment Card Industry Data Security Standard), you could be subject to fines from the credit card companies. Policies with payment card industry coverage may provide payment for those fines.
- Some patients may bring claims against you for violating applicable privacy laws. The data security and privacy section of your cybersecurity policy may help provide a defense and, if necessary, make payment to these claimants.
- If you maintain a website or social media platforms, you might have a claim brought against you in the event someone believes your site or media content is defamatory or reveals private information about them. The cyber media section of a cybersecurity policy may also provide coverage in this case.
Download the free guide Your Medical Practice Is at Risk of a Data Breach from The Doctors Company. More resources are available on the company's cybersecurity page.