What is cyber liability? This is a question that is posed to me nearly every day. The simple answer to the first part of the question: cyber liability is not really “cyber liability.” While that statement may not sound like a sane person talking, it is completely accurate. The risk commonly referred to as cyber liability is, in my eyes, better described as “a healthcare provider’s responsibility to protect personally identifiable information or personal health information.” The advice that I provide to my clients is to stop thinking of this risk as a cyber-crime and instead think of it as “my responsibility to protect private data in all forms”: hard copy, computers, mobile devices, shredding bins, copiers, etc.
At a meeting this past fall, a speaker asked the following question, “What causes a breach of private information in medical practice?” The answer might surprise you:
- 50% come from employees
- 30% come from “cyber-crimes” such as viruses, hacking, etc.
- 20% come from accidents – for example an employee losing a phone, laptop, or thumb drive
Why do medical practices and hospitals purchase Privacy + Network Security (cyber liability) coverage? For many businesses, a breach could be more costly than their building burning down, and it is much more likely to happen. Additionally, almost every state has breach notification laws/requirements, and if more than 500 records are breached, the HITECH Act requires specific reporting to be done. Depending on the source, the number of records breached in healthcare is staggering:
- 2009 – 19 million+
- 2010 – 40 million+
- 2011 – TBD
The cost of a breach can be significant. Industry data ranges from $200 – $250 per record (patient). Typical costs include:
- Data forensics
- Credit monitoring
- Legal fees
- Postage for mailing notification letters
- Time lost by employees
- Damages from a lawsuit
- Reputational risk
- Crisis management or PR firm
- Hiring a breach coach
Protecting secure information is challenging at best. This risk is more costly and more likely to happen than ever before, so it calls for a different level of management. I advise reviewing current processes/procedures, identifying best practices, and including breach of private data in your disaster recovery plan. When applicable, finance this risk with an insurance policy.
To learn more about cyber liability and VAST’s professional solutions division, contact Kelly Reed 906.315.7227 | firstname.lastname@example.org