Providers: Don't be penny wise, pound foolish when it comes to cyber insurance
I find it ironic to read this week in American Medical News that while interest in cyber insurance has grown, many physicians are reluctant to buy it to protect their businesses in the event of a security breach of their electronic patient data because they are "overwhelmed" with installing EHRs and complying with the Meaningful Use incentive program and HITECH Act.
The article also reports that 52 percent of healthcare organizations, not just physicians, say they wouldn't buy cyber insurance because premiums are too expensive.
While the article doesn't list cyber insurance carriers or compare premiums from insurer to insurer, it does note that cyber insurance costs about $2,500 a year.
Now, buying insurance protection is a personal decision. But if I were spending many thousands of dollars to implement an EHR system and comply with the laws that govern them, spending an additional $2,500 per year would be an expense that I would seriously consider.
For one thing, EHRs arguably are more prone to data breaches than paper records. Yes, paper medical records can be lost or stolen, but it's so much easier for employees to improperly access electronic records for snooping or personal gain, for a hacker to get into the computer system, or for a thief to steal a laptop.
An electronic data breach also usually involves a much larger number of records. The employees at Sight and Sun Eyeworks, who earlier this year improperly accessed the clinic's EHR, compromised 9,000 patient records. It's hard to carry that many paper records, let alone the many thousands that some of these breaches have involved.
For another, the hassle and expense of having to deal with a security breach likely would warrant the cost of the insurance. According to the article, 86 percent of cyber insurance policies cover the cost of notification, 73 percent cover legal defense costs, 64 percent cover forensic and investigation costs, and almost half (46 percent) cover fines and penalties. More than one-third (34 percent) of these policies cover lost revenue. All of these are significantly more expensive than the premium costs, not to mention the burden and resources required to handle the notification, find an attorney and a forensics specialist experienced in this field, and the like.
Am I missing something? Or are providers just not thinking this through? Do they believe that the risk that they'll suffer a data breach is so low that it's OK to go bare? Or that their other measures to protect the data in their EHRs--such as conducting a risk analysis--will be sufficient?
This is an area where a provider just can't 100 percent control the safety of electronic patient records. There are too many variables. No one is completely safe, and no one is completely compliant. Just look at Affinity Health, which this month paid $1.2 million to resolve a security breach involving the return of a digital copier containing patient records. It had the bad luck of having the copier re-leased to CBS, of all places, which then had a field day with the story that fell into its lap. A quick look at the U.S. Department of Health & Human Services' Wall of Shame of security breaches affecting 500 or more patients--now up to 646--shows that many of them involved EHRs and other patient records in electronic form.
Maybe I'm more risk averse than others. While $2,500 isn't chump change, it's also less than $7 a day. That's about the cost of a Starbucks Frappuccino.