Healthcare Information Security


Is cyber insurance against data breaches a good investment?

By Jennifer Bresnick

Data breaches are among the most brand-damaging incidents a hospital or health system can face.  While medical malpractice can often be blamed on a few individuals, the inability to secure sensitive patient data is seen as a failure of the organization as a whole, and can leave patients feeling personally betrayed.  Cyber insurance is becoming an increasingly popular way to defray the costs of a breach, but is it a sound investment for healthcare organizations?

In a new report by the Ponemon Institute, concern over data breaches ranked higher than worries about fires, floods, and physical thefts.  While insurance providers have been selling coverage for those physical risks for decades, data breaches are a fairly new phenomenon.  Still, 76% of organizations that have experienced a breach rank the danger higher than natural disasters, and 70% say that the aftermath of the breach has led them to consider insurance as a future safety measure.  With more than 1.5 million patients affected by medical identity theft at a cost of more than $30.9 billion, it's easy to see why security professionals are looking for help.

“We are reaching a tipping point where the majority of companies we surveyed now rank cyber security risks as high as other major insurable business risks,” said Michael Bruemmer, vice president at Experian Data Breach Resolution, in a statement. Experian sponsored the Ponemon survey.  “We anticipate that demand for cyber security insurance is likely to increase in response to evolving breach response policies.”

Negligence and human error are the top causes of healthcare data breaches.  While property and casualty policies might cover the cost of replacing a laptop left in a taxi, the data stored on that laptop falls into a gray area for traditional insurers.  Seventy-six percent of respondents to the Ponemon survey said human error is covered under their cyber security policies, with 72% purchasing coverage for external attacks by criminals and 61% covered for system or business process failures.

Insurance also typically covers the notification costs to patients, legal defense costs, investigations, and regulatory penalties and fines.  With thousands of patients often affected by a single lost USB drive, cyber insurance can help defray the costs involved in setting up information hotlines, credit monitoring services, and revenue losses associated with unhappy patients leaving the system.

However, only 29% of healthcare and pharmaceutical organizations have adopted cyber insurance so far, compared to 41% of technology corporations and 37% of financial services firms.  But with the likelihood of purchasing a policy increasing after an organization experiences a breach, and the number of healthcare organizations affected by breaches growing at an eye-popping rate, that share is unlikely to stay flat.

Healthcare organizations that have cyber insurance coverage are highly likely to recommend it to others, which may be a key indicator of the value of protecting a health system against the damage a lapse in security can cause.
