Diagnosing Electronic Health Record Liability Risks
By Trevor Williams
Healthcare providers of all types and sizes must collect, maintain and store Protected Health Information (PHI) for each patient under their care. The Electronic Medical Record (EMR), also known as the Electronic Health Record (EHR), simplifies this process and allows for instant patient information exchange between various specialty providers treating the same patient. Additionally, electronic data storage enables in-depth research and analytics on patient populations, which improves providers’ operational efficiency. Despite these benefits, EHRs are a double-edged sword because they give cybercriminals an opportunity to exploit human negligence or system weaknesses. Providers must understand their cyber liability risk exposures and protect themselves by examining these coverage considerations.
First Party Risks
In general, there are two broad categories of cyber liability risks: first-party and third-party risks. First-party risks lead to losses or damage to the provider’s business such as:
When servers are down because of malware intrusion, most providers are forced to shut down operations during EHR system restoration. Because the servers do not sustain direct physical damage, business interruption coverage in property policies won’t apply. Therefore, it’s crucial to ensure business interruption is included in the cyber policy at policy limits to replace the lost net income.
Data Restoration – Following the discovery of stolen data or compromised EHR systems, providers will likely need third-party data recovery specialists to retrieve as much data as possible. Depending on how much data they recover, providers may also need to hire temporary staff to re-enter information.
In a ransomware attack, a hacker delivers a virus into the provider’s system, typically through targeted phishing email campaigns, and encrypts all data until the provider pays a ransom to get the confidential patient data back. In addition to the ransom payment, providers may need to notify affected individuals and pay for related crisis management expenses. Therefore, it’s crucial to ensure ransomware coverage is included in the cyber policy at policy limits to indemnify the provider for these expenses.
Statutes like HIPAA and HITECH require providers to notify the public and affected parties after a cyberattack. In addition to costly notification expenses, providers may need to hire third-party forensic services, public relations professionals and offer credit monitoring services to mitigate the harmful effects of the EHR breach. Coverage for these services is usually explicitly defined in the policy.
Third Party Risks
After an EHR system breach, affected patients or vendors may file a lawsuit against the provider alleging negligence related to PHI confidentiality. These types of lawsuits surface third-party cyber liability risks:
Legal Damages – Privacy breaches resulting in legal damages may arise from hacker infiltration, employee negligence, lost/stolen devices, subcontractor/vendor negligence, or social engineering tactics such as targeted phishing.
Defense Costs – Regardless of whether the choice of counsel rests with the provider or insurance company, the provider will be responsible for the necessary attorney fees to defend themselves.
According to the American Medical Association, fines and penalties issued by the government for violating HIPAA and/or HITECH can range from $50,000 to $1.5 million.
According to the 2017 Ponemon Cost of a Data Breach study, the cost of each healthcare record in a breach scenario is $380. This number encompasses all costs associated with a breach: unplanned customer loss, first-party expenses, defense costs, fines, etc. Therefore, EHR breaches can be harrowing experiences for providers and their patients, especially when adequate coverage doesn’t exist. A thorough review of your practice’s insurance program can uncover gaps in your cyber liability policy and help ensure that you’re prepared to recover from a breach.