Healthcare Organizations Face Significant Cyber Risks in 2012

By Amy Elizabeth Stewart

Healthcare providers are turning to technology to improve the efficiency of their practices—from collecting and monitoring patient data in a digital environment to managing the information avalanche confronting modern practitioners seeking to provide state-of-the art care. Known data breaches affecting the healthcare industry suggest that privacy policies may not be keeping pace with the cyber risks of the new technology.  

Based on survey responses gathered by the Ponemon Institute, healthcare organizations experienced increased data breaches in 2011—up 32 percent from 2010. The widespread use of mobile devices—smartphones, tablets and mobile applications—to collect, store and transmit patient data is a leading cause of breaches because most healthcare providers do not have adequate patient privacy protections in place. Id. The devices can be lost, stolen or accessed by unauthorized users, putting patients' health information at risk. Business partners of healthcare providers are another leading cause of data security incidents. Data breaches have resulted from the conduct of rogue individuals, like the Johns Hopkins employee who stole patient information and used it to charge up $600,000 on fraudulently procured retail credit. Misdirected faxes, misplaced reports, improper disposal of records, and discussions about (or worse, photographs of) patients on social media sites round out the risk portfolio.

The Ponemon Institute reports that 80% of healthcare organizations have experienced a data breach. These health-related breaches cost healthcare organizations $6.5 billion annually. Data breaches and patient lawsuits are expected to increase in 2012, as more patient information is transmitted online and via mobile devices.  

Because commercial general liability (CGL) policies will typically not cover the types of losses caused by a cyber security event, the demand for cyber insurance products is on the rise. Although cyber coverage will not prevent data breaches, it can help alleviate the astronomical costs associated with such incidents. In addition to insurance for liability to third parties, many cyber policies also provide coverage for patient notification requirements, fines and penalties (such as those imposed by HIPAA), and crisis management costs. Many of the major property and casualty insurers offer cyber liability coverage and, because standardized policies have not yet been developed, the coverage can often be customized to the insured’s particular needs. Given the numbers, it is no surprise that healthcare organizations have shown an increased interest in cyber security and data breach insurance.