Page 17 - 2023-Mar-Apr-Journal
Continued from page 13
Cyber Liability Insurance

The common risk transfer mechanism to pay the direct and indirect costs of a cyber incident is to maintain privacy and security liability coverage. Most cyber insurers offer broad first-party coverage and third-party coverage for the loss or damage of ePHI, personally identifiable information, and private information, including human resources and accounting information. Business interruption coverage can encompass three distinct types of losses.

I. Non-Physical Business Interruption Coverage

Business interruption coverage pays the indirect costs from loss or damage to data resulting from a “covered cause of loss” or “system failure”—as in the case of a medical practice losing revenue because they are unable to access their patients’ ePHI after a ransomware attack.

A “covered cause of loss” typically means accidental damage or destruction to electronic data and computer hardware; administrative or operational mistakes that damage data; and computer crime that impairs data processing operations or results in unauthorized access or use.

A “system failure” typically means the complete or partial failure of an insured computer system from a denial-of-service attack, hacking attack, computer virus, or malware infection.

Essentially, if a medical practice is partially or completely interrupted due to a covered cause of loss or system failure, the insurer will pay the practice’s projected loss of net income, plus extra expenses incurred to continue operations and to avoid or minimize the interruption. Extra expenses can include the costs to employ contract staff or pay overtime to employees to continue operations, the use of rented computing equipment, and other third-party services.

Some cyber liability policies include coverage for special expenses to provide emergency healthcare treatment to patients through a third-party provider due to the inability to provide patient services as a direct result of a system failure.

It is important to know—before a business interruption occurs—the duration of the waiting period and the period of restoration. The typical timeline for a waiting period, before the insurer will pay for any interruption loss, can be hours or days. The restoration period, when digital assets are repaired or replaced, can be 120-180 days or more.

II. Contingent/Dependent Business Interruption Coverage

Cyber incidents can occur on- or off-premises, including “in the cloud.”[2] Most physician practices today use cloud computing technology to host patient and billing data, which is a relationship imbued by contingency or dependency. Despite promises of greater security and encrypted connections and storage, moving data to the cloud does not eliminate cyber risks.

A health care provider that is entirely dependent upon the computer networks run by third parties, such as a cloud service provider (CSP), to store and access patient information, can also suffer an unexpected suspension of operations, even when it is not their business that experiences the cyberattack. If the CSP’s on-demand access is down due to an unplanned outage, interruption, failure, or degradation of their computer system, this downtime could result in a simultaneous business interruption for the provider also.

Dependent business interruption coverage will reimburse the practice’s loss of income and pay continuing expenses to minimize the suspension in operations. Coverage begins after a specified waiting period and is reimbursed up to a specified period of indemnity or until gross revenues are restored to their pre-loss level.

In most cyber incidents, the length of a third-party vendor’s interruption will not be protracted, but there are always atypical situations. The Allscripts ransomware attack in January of 2018 is a prime example of an atypical incident with three victims affected by the attack: Allscripts; its customers/physicians; and the patients of those physicians. This cyberattack shut down two data centers that hosted Allscripts’ electronic health record (EHR) systems and the software used for the electronic prescribing of controlled substances. The shutdown lasted more than a week and interrupted services to approximately 1,500 health care providers. Hundreds of physicians and thousands of patients were affected. Many of the affected providers were small physician groups that had to revert to paper records and manual processes to mitigate the interruption of patient care[3].

Therefore, it is important to investigate whether a third-party vendor maintains suitable cyber liability coverage, has enterprise-grade security, and is in compliance with federal, state, and local privacy and security standards to ensure the security of sensitive information.

III. Business Continuity/Reputation Coverage

A physician’s failure to properly safeguard patients’ medical and personal data from unauthorized disclosure may result in reputational harm, as one commentator noted, “You can back up your data, but you can’t back up your brand.”[4] The practice may also experience a reduction in revenue due to new and existing patients having diminished confidence in the provider’s cybersecurity infrastructure. Even short-term reputational damage can be painful and create substantial financial stress.

Business continuity coverage will reimburse the projected loss of revenue from a security or privacy breach after a waiting period has been met and up to a specified period of indemnity that results from an adverse media report or notification—such as a website, press release, article, or news segment. This type of “brand loss” coverage typically goes beyond the insurer paying the costs for crisis management, such as public relations and notification expenses. The expenses can also include the costs of advertising and marketing efforts to rehabilitate the practice’s reputation.

Insurance is Not a Substitute for Loss Control

Most health care providers will experience a cyberattack—it is not a matter of if, but when. Insurance coverage is not a substitute for a comprehensive cybersecurity program,

Continued on page 25
TCMS 2023 March • April 17