According to the ID Theft Resource Center, 97 of the 341 organizations that sustained a significant data breach in the first half of 2010 were in the healthcare industry. By comparison, only 38 breaches were reported at banking and other financial institutions. As shown by the breach sustained by BCBS Tennessee, the direct costs for breaches can exceed $10 million. And, the repercussions for these breaches are not even limited to direct mitigation or liability expense. For example, the California Department of Health has fined five hospitals a total of $675,000 for repeatedly failing to provide adequate security for patient data.
Given the HITECH Act's push to increase the use of EHRs, healthcare providers are now scrambling to deploy new software systems that leave them quite vulnerable until fully tested. Moreover, the public may be losing patience with healthcare providers as more and more breaches are reported. This can only lead to an emboldened plaintiffs' bar.
What’s a healthcare provider to do?
It can be argued that there is not much a healthcare provider can do to avoid a breach other than improve security and continue to train its staff. After all, how can you stop an employee from circumventing security protocols and stealing data? As for lost or stolen laptops, that will likely never abate, as illustrated by recent laptop thefts in Texas and Oregon. Having a robust vendor management program in place is helpful but can never fully prevent rogue contractors from losing or stealing data. In other words, the risk can be mitigated (somewhat) but never fully removed so long as healthcare data remains valuable, healthcare providers stay in the healthcare business (rather than the data security business), and workers continue to make mistakes. There is a risk management approach, however, that should be seriously evaluated by every participant in the healthcare industry.
In the same way that medical malpractice insurance is standard in the healthcare industry, network security and privacy insurance should be seriously considered as a risk transfer tool. Depending on the size, sophistication, and needs of an organization, the terms can be very affordable and flexible. For example, a hospital with $30 million in revenue can now obtain a comprehensive policy that will safeguard against a breach affecting 250,000 patients for under $15,000. The bad news is that most insurance professionals and brokers are unaware of the correct pricing or terms for such coverage. Accordingly, they rely on wholesale brokers who are inundated with submissions and have a tough time qualifying leads (since they do not interact directly with insureds), which in turn prevents some organizations from getting the attention they deserve. Thankfully, there are risk professionals with the right background to help cash-strapped healthcare organizations obtain the right protection at the right price. At the very least, healthcare providers and plans should reach out to these risk professionals to obtain a "ballpark" quote.
Armed with a ballpark quote, organizations can at least determine whether it makes sense to pursue coverage. Getting a ballpark quote requires minimal effort: simply provide your annual revenue. We will get back to you within several days with a ballpark quote for network security and privacy insurance.