Cyber Insurance

Aug 11, 2025 | Insurance

Cyber-attacks are one of the most significant risks facing optometrists, and every practice has cyber risk. Whether it’s ransomware, phishing emails, or other cyberattacks, it’s becoming more prevalent every day. The two most common incidents in private practices are:

  1. Ransomware attacks: This happens when malware is introduced into your system and denies users access to their files. It most commonly occurs when someone mistakenly opens a malicious file, giving the bad actor access to the system.
  2. Cybercrime social engineering: This occurs when bad actors gain the trust of an employee and persuade that employee to hand over sensitive information.

Risk

The healthcare industry accounts for almost 40% of all cyber incident claims, with the majority of those due to human error and rogue employees. (Chubb)

Claims can be expensive: the average cost of a cyber claim is $161,000, the average ransomware loss is $265,000, and 40% of cyber-attacks originate from email. (Coalition)

Cyber insurance

Cyber liability insurance can cover expenses related to a patient data breach at a doctor’s office. This policy can pay to notify your clients about the breach, cover fines, and pay data breach expenses. (Insureon)

Coverage

Cyber insurance can provide assistance in 3 general areas (depending on the type of plan and coverage):

  1. First-party cyber liability coverage
  • Data Breach Response Costs: This includes expenses for investigating the breach, engaging forensic specialists to understand how it happened, securing systems, and notifying affected patients as required by regulations like HIPAA.
  • Regulatory Fines & Penalties: It can help cover fines and penalties that may be imposed by regulatory bodies like the Office for Civil Rights (OCR) for HIPAA violations resulting from a data breach.
  • Credit Monitoring & Patient Support: In the event of a breach, providing credit monitoring services to affected individuals and offering support is often necessary, and cyber insurance can cover these costs.
  • Public Relations & Crisis Management: Cyberattacks can damage a practice’s reputation. Cyber insurance may cover the cost of hiring public relations firms to manage the crisis and mitigate negative publicity.
  • Data Restoration & Repair: If data is corrupted or lost due to a cyberattack, the insurance can help cover the expenses of restoring data from backups or reconstructing damaged systems.
  • Cyber Extortion & Ransomware: This coverage addresses the costs associated with ransomware attacks, including potential ransom payments (where legally permissible) and the resources needed to respond and recover.
  • Business Interruption: If a cyberattack disrupts the practice’s operations and leads to lost revenue, some policies offer coverage for business interruption, reimbursing for lost income and extra expenses incurred to restore operations.
  2. Contingent Business Interruption (CBI)
  • Third-Party Disruptions: Healthcare practices often rely on various third-party vendors, such as Electronic Health Record (EHR) providers or billing services. Contingent Business Interruption (CBI) coverage protects against financial losses if one of these critical vendors experiences a cyberattack or system failure that impacts the practice’s operations.
  3. Liability coverage
  • Third-Party Lawsuits: If patients or other entities file lawsuits against the practice following a data breach, claiming negligence or harm, cyber insurance can help cover legal fees and settlements.

Overall, cyber insurance offers a safety net to manage the financial and operational fallout from cyber incidents that compromise patient data and disrupt operations.

General Liability Insurance

Some general liability insurance policies may include cyber coverage, but even when they do, the limits are generally minimal.

Cost

The cost of cyber insurance for a healthcare practice can vary significantly depending on several factors, but medical professionals pay an average of $79 per month, or $952 annually for cyber insurance.

The healthcare provider’s responsibility

It is very important to note that insurance providers won’t readily pay claims without proof that the organization took appropriate measures to reduce its risk. In fact, many cyber insurance providers have stringent requirements that an entity must meet to receive a payout.

Insurers generally require providers to mitigate the risk by doing things like a security risk assessment, establishing security and privacy policies, and training staff.

  1. Security Risk Assessment

Conducting periodic security risk assessments (SRA) is a core practice for maintaining HIPAA compliance. These assessments should be conducted annually to identify and analyze gaps in cybersecurity and compliance programs.

Many practices turn to automated compliance software to conduct assessments that meet all the necessary criteria, and many insurance companies recommend this as a safe and effective option. (Mattila)

  2. Establishing security and privacy policies

Although the SRA is usually conducted annually, the best way to align with your own policies and show proof of effort is to establish policies and remediate minor issues throughout the year.

There are monthly, quarterly, and yearly remediation actions you can take to protect your practice with a strong foundation of practical cybersecurity and compliance measures. These actions include:

  • Updating firmware on network devices
  • Conducting incident response testing
  • Reviewing network/system inventory
  • Testing and training employees against phishing threats (Mattila)


  3. Staff Training

One critical piece of evidence that an insurance provider will look for is the strength of your organization’s training program. Remember that up to 58% of incidents are caused by employees, so providing HIPAA training to all staff with access to sensitive data at least once a year is essential for mitigating risk and keeping employees informed of best practices.

Training should cover everything from the basics of HIPAA to how to spot a phishing scam. Practices should document each employee’s training status and progress so that, in the event of a security breach, the documentation can serve as evidence that the entity took the necessary steps to try to avoid incidents. (Mattila)

Recommendations

If you need a policy, Practice Performance Partners recommends:

If you have questions, feel free to reach out to us at info@PracticePerformancePartners.com

References

Chubb. (2022, December). Cyber insurance for the healthcare industry. Retrieved from https://www.chubb.com/au-en/articles/business/cyber-insurance-for-the-healthcare-industry.html

Coalition. (n.d.). Cyber insurance for the healthcare industry. Retrieved from https://www.coalitioninc.com/industry/healthcare

Insureon. (n.d.). Healthcare Professionals Business Insurance. Retrieved from https://www.insureon.com/healthcare-professionals-business-insurance/cyber-liability

Mattila, S. (2024, October 10). Cyber Insurance for Healthcare: Are You Compliant with Your Own Cyber Policy? Retrieved from https://intraprisehealth.com/cyber-insurance-for-healthcare-explained/