The financial impact of a data breach can be much greater than expected. Businesses often underestimate the probability, prevalence, and severity of cyber-attacks. And the actual costs for remediation and damages can be significantly higher than anticipated or what is likely reported.
Determining the total cost of cyber risks requires that a health care organization engage in the fundamental processes of risk management: risk identification; risk analysis; risk control; risk administration; and risk financing.
Risk financing involves assessing the potential direct costs from an organization’s cyber exposure, as well as assessing the indirect costs associated with breach incidents that could interrupt normal operations. Interruptions could result in disrupted patient care, lost productivity, lost income, and extra expenses to continue operations. As Mary Chaput, the CFO of Clearwater Compliance, stated: “If you don’t know your [cyber] risks, you’re extraordinarily vulnerable — and the financial costs of a data breach can be staggering.”
Potential direct costs may include:
- legal fees;
- IT forensics;
- data restoration;
- patient notifications and credit monitoring;
- public relations and media releases;
- call-center support;
- regulatory fines and penalties; and/or
- third-party damages.
Potential indirect or opportunity costs may include:
- business interruption (e.g., your cloud-based EHR vendor is hacked and service goes down); and/or
- patient churn and reputational harm.
When conducting a comprehensive risk analysis, an organization must also vet its third-party vendors’ data security controls. Breach events can arise from the actions of any person or entity an organization interacts with who can access its sensitive personal information. (Your responsibility for patient privacy is not eliminated when one of your vendors stores ePHI on your behalf; it is your patients’ data and you may be held responsible for its security.)
Many health care organizations invest in cyber insurance or what is commonly called “cyber liability coverage” to mitigate the direct and indirect costs of a breach event. Purchasing this coverage should be included as part of the organization’s business contingency planning.
Cyber insurance is a distinct insurance policy that provides both first-party coverage for your losses and third-party coverage for damages arising from your legal liability to others. Cyber insurance coverage forms are not standardized. As threats have evolved, so has the coverage provided within the policy forms.
When purchasing cyber insurance consider the following three questions:
- What limits of liability of coverage does your organization need?
- What is the scope of coverage? What is and is not a “covered loss,” and what constitutes a “claim”?
- How will you calculate your cyber exposure to loss (e.g., using loss modeling or online “breach calculators”)?
Regarding the last question, the breach cost variables can include:
- industry class (health care is among the highest in breach incident costs);
- likely causes of cyber losses;
- adequacy of your cyber risk management;
- your organization’s revenue size; and
- amount of sensitive personal information/records at risk.
It is also vital to know “Who Is Insured” within the insurance policy. For example, “Insureds” can include not only the applicant (the “Named Insured”) but also any
- independent contractor (while acting on behalf of the Named Insured); and
- person or entity to which the Named Insured is contractually obligated to provide such coverage.
In terms of the latter, liability assumed under contract is often a consideration if your organization has contractual liability for a third party’s damages, assumed in a written hold-harmless or indemnity agreement such as a Service Level Agreement.
As the variety of connected technologies used in healthcare increases, so will the cyber risks. Therefore, healthcare providers will need assistance in mitigating their increasingly numerous and diverse cyber vulnerabilities, including help with their risk assessments, hardening their IT systems, workforce data security training, and procuring the proper cyber insurance.
If you have any feedback or questions on any of the above, please contact TMLT’s PDCS team at ConsultingWebmail@tmlt.org.
About the Author
John Southrey is the Director of Cyber Consulting Services at TMLT. John can be reached at firstname.lastname@example.org.