Michigan’s largest healthcare system recently announced a data breach that may have compromised 6,000 patients’ protected health information. The breach reportedly occurred after six employee email accounts were exposed in a phishing scam in January.
The eight-hospital network, which has 167 outpatient locations, notified patients on July 28 of a “data security incident” that could have exposed patient names, dates of birth, diagnoses, procedures and treatment information. The health system reports that the number of patients involved in the breach reflects less than 0.3 percent of its 2.3 million patients.
The health system concluded its investigation on June 3. Though officials said they have no evidence compromised data was viewed or acquired by a third party, it notified patients “out of an abundance of caution” and asked them to monitor their insurance statements for care they did not receive.
“Healthcare systems are experiencing a severe increase in data breaches in today’s world,” said Derek Kilmer, Manager, Professional Liability, Burns & Wilcox, Detroit/Farmington Hills, Michigan. “Breaches are growing in size as additional patient records are being exposed in attacks.”
That increase comes as healthcare organizations also face unprecedented difficulties in other areas. Hospitals have struggled financially amid the COVID-19 pandemic, with some losing millions of dollars per day from delayed elective procedures and many laying off staff.
“The lack of elective procedures has created a deep hole to dig out of,” said Karl Olson, Vice President, Professional and Management Liability Practice Leader, Burns & Wilcox Brokerage, San Francisco, California. “Utilization rates have plummeted. A large percentage of hospitals may be financially insolvent by the end of the year.”
Healthcare breaches are uniquely expensive, require specialized protection
Healthcare data breaches are on the rise in both the U.S. and Canada, with ransomware attacks and phishing scams causing a significant percentage of breaches. “Cybercriminals have not taken a break,” Olson said. “Healthcare entities are targets because of the large volume of data that they store, process or have access to. Many also struggle to adequately fund their data security.”
The number of healthcare data breaches involving 500 or more records increased 196 percent from 2018 to 2019, according to HIPAA Journal. In February alone, 1,531,855 individual health care records were breached.
While the average total cost of a data breach has increased from $3.54 million in 2006 to $8.9 million in 2019, the average cost of a breach for healthcare organizations can run much higher. In many industry sectors, a data breach costs less than $300 per compromised record, Kilmer explained, but heavily regulated industries, such as healthcare, pharmaceutical, financial, energy, and education, have a per capita data breach cost of well over $400.
“Costs can add up quickly, especially if each incident impacts thousands or potentially millions of records,” he said, noting that the number of data points contained in a single patient’s record adds to the complexity of recovering from an attack. “Healthcare records can include Social Security numbers, name, address, phone numbers, and more. The information a hacker can exploit within an individual’s health record is potentially quite large and can take an immense amount of time to track down, leading to additional expenses.”
As more breaches occur, particularly during the pandemic, healthcare organizations rely on Cyber and Privacy Liability Insurance to help mitigate their losses and maintain operations. Cyber and Privacy Liability Insurance policies can include coverage for paying or negotiating ransoms, such as in 2016 when a California hospital paid hackers $17,000 after a ransomware attack that held its computer network hostage. Such policies can also help mitigate the costs of bringing in specialized cybersecurity attorneys and forensic teams to assist in the response.
According to the 2019 American Medical Association-Accenture Medical Cybersecurity Survey, 36 percent of healthcare institutions were rendered incapable of providing care for at least five hours following cyberattacks. The 2020 IBM Security Cost of a Data Breach report indicated that the healthcare industry had the longest average breach lifecycle of any industry—329 days.
“It can take years for medical fraud to be discovered,” Kilmer said. “Healthcare organizations should have a plan in place that allows them to get up and running as quickly as possible after an attack with the lowest possible number of patient files exposed.”
Beyond the direct costs of a cyberattack, the bulk of data breach expenses are related to reputational damage and customer turnover in the aftermath of an incident, according to Kilmer. “Healthcare breaches continue to push customers away,” he added. “Given the current financial hardships hospitals are having due to absence of elective surgeries, a breach can set back these institutions even further.”
When an organization is hit multiple times, it can have a negative impact on its insurance underwriting options, Olson noted, adding that “underwriters are asking for much more in-depth information than they have in years past.”
Telemedicine, equipment shortages among other growing healthcare liabilities
Even as medical professionals stand on the front lines of the COVID-19 pandemic, hundreds of U.S. hospitals face bankruptcy and some, especially in rural areas, may close. Hospitals laid off 1.4 million workers in April alone and a record number of nurses have lost their jobs. These conditions could add to already rising medical liability costs at a time when 34 percent of physicians are sued at some point in their careers. Beyond cybersecurity risks, healthcare entities expect a wave of lawsuits related to the pandemic as well as the corresponding rise in telemedicine. While some providers may think they have coverage under certain liability protections, Professional Liability Insurance and Medical Malpractice Insurance are essential for all healthcare organizations, Kilmer said.
“The healthcare industry is evolving rapidly,” he said. “There is going to be a continued need for telemedicine, which brings additional cybersecurity concerns.” He added that Professional Liability Insurance for healthcare organizations needs to account for changes in technology, especially if the organization is providing telehealth.
For employers in the healthcare industry, potential lawsuits over personal protective equipment (PPE) shortages, layoff procedures or overall handling of the pandemic make Healthcare Management Liability Insurance — including Employment Practices Liability Insurance (EPLI) and Directors & Officers (D&O) Insurance — a key priority.
“There is expected to be no shortage of employment practices liability lawsuits related to COVID-19,” Olson said. While an organization may be forced to reduce its workforce, he said, it can benefit from providing proper guidance and being transparent.
Allegations of fraud or abuse related to Medicare and Medicaid billing and its management are other significant risks facing healthcare systems. Medical Liability Insurance that includes coverage for regulatory audits and investigations is recommended to help mitigate the costs involved with such disputes. “It is an elective coverage that is becoming more relevant than ever,” said Olson.
Security protocols, insurance are crucial to healthcare risk management
Healthcare organizations can strengthen their cybersecurity by using proper data architecture, Olson said. For example, a nurse signing in at a station should not have access to the entirety of a patient database. In addition, employees should be trained to properly secure records and to recognize phishing attempts. “Employee education is paramount for identifying nefarious activities,” he said.
“While a healthcare organization can never be completely protected, the more that an employee knows what to look out for, the more they can safeguard patients’ privacy and potentially save the organization from a breach,” Kilmer added.
Smaller healthcare companies are particularly vulnerable to cyberattacks and, without Cyber and Privacy Liability Insurance, may not be able to cover the cost of a proper response. “There are limited resources in the healthcare sector for cybersecurity,” Kilmer said. “A small healthcare organization may struggle to protect their network because of a lack of safeguards and funding for cybersecurity.”
Cyber and Privacy Liability Insurance, Medical Malpractice Insurance and other Professional and Medical Liability Insurance policies should be customized to each organization’s particular needs. “Make sure that you are consulting a trusted source about coverage options,” Kilmer noted. “Work with a broker who can address limits based on your organization’s size, revenue and protected health information.”
As the healthcare insurance marketplace hardens, the renewal process for all insurance types should be started early due to greater underwriting scrutiny, longer turnaround time on applications and requests for COVID-specific supplements. “There is still a reasonable method for renewals and insuring new healthcare businesses or new business activities,” Olson emphasized. “It just takes someone with experience to know the appropriate markets and how to present the new risk.”
As the healthcare industry continues to change, risk management is critical. The current pandemic is likely not the last of these situations we experience. “Healthcare organizations need to make sure they are protected on all fronts, especially when economic realities make it unlikely that they could absorb the costs of the evolving risks they face,” Kilmer said.