"I sell more cyber insurance than malpractice at this point," says Kay Brasfield with Mag Mutual, a medical liability provider. Currently, 95 percent of their Alabama policyholders also carry a cyber policy.
"I'm a big fan of cyber insurance," says Nic Cofield, a vice president at Jackson Thornton Technologies. "Because there's no such thing as being 100 percent secure. And if a cyber event happens, that policy is really going to help you."
Last year, 37 percent of companies reported ransomware attacks, according to the Sophos survey of 5,400 IT decisionmakers across 30 countries, including 328 healthcare respondents. More than a fourth of those who fell victim paid a ransom, with the average amount for a small business totaling $6,000.
But the cost of a cyberattack goes far beyond the ransom. The 2021 survey found the average bill for rectifying a ransomware attack, including expenses for downtime, people time, device cost, network cost, lost opportunity, and ransom paid, was $1.85 million.
"It's the IT expenses, not the ransom that you're generally paying for," Brasfield says, since many attacks never result in a ransom payment, especially if clean back-up data is untouched.
Healthcare entities, though, incur additional expenses caused by the breach in patient information. The practice must notify every patient in two different ways, which costs postage, stationary and time, plus pay for credit monitoring for each person for two years.
"Insurance pays for that," Brasfield says, along with the forensics to uncover the source, investigations and legal counsel if criminal action is required, and the IT labor to clean the system and retrieve the data to get the organization back in business. "It's very expensive," she says.
"Your cyber insurance gives you level of counsel above and beyond what your IT provider can do," Cofield says. "They can define whether the cyberattack qualifies as a breach that requires protocol notification or whether there is a need for criminal charges. Those are the type of things they can help determine for you."
Most malpractice insurance includes a small amount of coverage for cyberattacks. Mag Mutual policies cover up to $50,000. But physicians should not rely solely on that. "That $50,000 isn't going to go very far," Brasfield says, considering the array of costs and losses from downtime.
Cyber insurance even covers loss from business downtime. "Cyber insurance can cover business interruption expenses, but their business office policy also kicks in for business interruptions," Brasfield says. "You submit a separate claim for a whole different kind of policy for that."
Recently, a local internal medicine practice fell victim to ransomware. "They got an email from hackers who wanted a $1 million ransom because someone in their office had clicked on a link and the hackers immediately infiltrated their computer system," Brasfield says. "They called us, and we told them not give the ransom, because they had a secondary backup. They shut off that patient database and uploaded their backup. They resumed operations in two days.
"But they still had to notify patients of the breach and provide several years of credit monitoring because they have no idea what the hackers did with that information, and they had access to the whole database."
There are attacks cyber insurance may not cover. "I've seen situations where staff got an email impersonating someone in the organization requesting money to be wired," Cofield says. "They trusted the email was legit, wired the money, and it ended up being fraudulent. Their insurance carrier, however, would not cover the loss because it was a willful act of their own employee. It's important to make sure your policy covers those types of incidents.
Third-party vendors also present ambiguous situations for coverage. "A lot of medical practices are working with hospital systems, and third-party vendors touch their data," Cofield says. "Ask the insurer if their policy kicks in if you lose business or get hacked through their system, so you don't have gaps."
With cyberattacks continuously becoming more creative and sophisticated, ask your carrier how your policy keeps pace with the threats. "It's an ever-changing landscape," Cofield says. "Make sure your policy evolves to align with what we have to defend against today."
Despite the hefty coverage needed to handle cyberattacks, the insurance can be very affordable. Expect premiums to expand with the number of physicians in the practice, though, since more physicians equates to more enticing patient records and larger ransoms. "For one doctor, it's less than $700 to $800 a year for $1 million in coverage," Brasfield says. "There's no reason not to have cyber insurance."