Why Cyber-Liability Coverage Is Essential for Medical Review Organizations
As ransomware and other types of cyber crime grow increasingly prevalent, it is paramount that organizations in the medical review and utilization review space know how to best protect their business and client operations with adequate levels of cyber-liability insurance.
A growing area of coverage – yet one that can prove challenging to obtain or afford – cyber-liability insurance doesn’t prevent ransomware attacks and data breaches from occurring, but it provides a high level of defense against downstream risks. Most cyber-liability policies provide network security and privacy liability, limited protections against network business interruptions, media liability provisions and limited coverage of legal expenses.
Because medical review organizations (MRO), independent review organizations (IRO) and utilization review organizations (URO) work daily with personally identifiable information (PII), including patients’ protected health information (PHI), the possibility of a data breach carries heightened risks. The increase in cyber crime activity, which experts believe has been fueled further by the COVID-19 pandemic and the soaring rates of internet usage and remote work environments, has made obtaining cyber-liability insurance even more of a challenge.
“It has been front and center, especially the last two years,” says Valerie Aiello, Vice President of Healthcare with Healthcare Quality Strategies Inc. (HQSI), a URAC-accredited IRO and quality improvement consulting firm. “The cost is going up; the limits are going up,” Aiello says.
Some analysts report a “hardening rate environment” in the cyber-liability insurance market and expect costs to continue to rise, and coverage to become increasingly difficult to obtain, in the coming years. Some carriers are dropping cyber coverage altogether, which further adds to rising premium costs as the number of suppliers is reduced.
“Cyber insurance policies have been responding so often that cyber insurance carriers are now facing unprecedented losses under these policies,” writes Dan Burke, Senior Vice President, National Cyber Practice Leader with Woodruff Sawyer, an insurance brokerage and consulting firm. “This has resulted in a hard market, including higher prices, more scrutinized review of security controls, or limitations on coverage in the form of co-insurance or sub-limits for ransomware.”
Widespread Expansion
Industry reports from cybersecurity leaders paint a dire portrait of the issues confronting tech-focused companies. Global cyber crime damages are expected to increase by 15 percent per year through 2025, when they are projected to top $10.5 trillion, up from $3 trillion in 2015, according to Cybersecurity Ventures. Ransomware attacks alone were expected to surpass $20 billion in 2021.
Multiple factors are fueling the cyber crime wave. Hackers are using increasingly sophisticated attacks, and they are highly motivated as more companies pay out ransoms and the digital currencies like Bitcoin that hackers use to collect those ransoms soar in value. Previous solutions that organizations used to prevent an attack, such as hiding a Wi-Fi network location, generally aren’t strong enough defenses anymore, notes Mark Anthony Germanos, Chief Information Security Officer with Cyber Safety Net, who spoke at NAIRO’s 2022 Symposium, March 29-31, 2022, at Kiawah Island Golf Resort on Kiawah Island, S.C.
“After the pandemic hit, entire workforces migrated from working in an office, where cyber security was more controlled, to working from home,” Burke writes. “This presented immediate challenges, as cyber criminals took advantage of new security and human vulnerabilities. Major challenges included bandwidth and unsecure connectivity, employee access issues and phishing, social engineering, and other ‘human’ cyber risks.”
Also, particularly in healthcare, organizations are using digital tools, such as telemedicine platforms and other virtual services, more than ever. Those factors all contribute to healthcare remaining one of the top targeted industries, placing sixth on a list of most-targeted sectors, according to Cognyte’s Cyber Threat Intelligence Research Group.
Healthcare entities, from facilities to payers, rightfully fear a data breach, given the sensitivity of PHI, potential fines and loss of public trust. In a special report, Top 10 Health Technology Hazards for 2022, ECRI stacked cybersecurity at the top of the list.
“ECRI ranked cybersecurity as the top health technology hazard this year due to its proven ability to disrupt patient care and its potential to cause harm,” says Juuso Leinonen, Principal Project Engineer, Device Evaluation with ECRI. “Many clinical workflows today rely on the exchange of data between systems to deliver care. A sudden disruption to the availability of these clinical systems can impact care and lead to delays. In the worst case scenario, this could lead to patient harm.”
As providers and health plans continue to seek protections from breaches and other cyber crime, IROs and UROs are seeing increasing demands to gain adequate cyber-liability coverage. The terms are often baked into the contracts that review organizations hold, Aiello says. “Coverage is in concert with the risk level based on the contract,” she explains.
On its own, the cost of a cyber-liability plan can range anywhere from $10,000 to $20,000 or more, according to Aiello.
Dashing Myths and Misconceptions
Given the evolving nature of cyber crime and security protections, it can be difficult to stay on top of the latest intelligence, and misconceptions can crop up. Consider the following points to understand the ins and outs of cyber-liability coverage, what it does – and does not – cover, and the far-reaching effects of cyber attacks:
- It is not just an IT issue. In the clinical space, hacking incidents can become a patient safety and confidentiality issue that can cause disruption in healthcare delivery and lead to delays in care, and even harm to patients.
“While it may be harder to prove than data breaches, we are seeing more reports and research that are making the connections between security incidents and adverse patient outcomes,” says Chad Waters, Senior Cybersecurity Engineer, Device Evaluation, ECRI. One of the key reasons, Waters says, is because “we are often dependent on connected technology to make clinical decisions and provide care.”
- Having cyber-liability coverage will not prevent breaches. While it doesn’t protect against a hacking incident, coverage instead provides financial protection against penalties, supplies business continuity and mitigates fines that may be levied against breached entities. “While there is a lot we can do to minimize the risk of a security incident, we cannot eliminate it,” ECRI’s Waters says.
- Frontline staff may not understand hacking issues and threats. When unaware of the potential for breaches and the financial mayhem that may ensue, frontline staff are not equipped to provide the first line of defense against cyber criminals. Organizations across the board should work to educate their staff members – namely, anyone who works with digital information – about the risks of cyber threats, strategies to avoid hacking incidents, and what to do in the face of an incident. ECRI’s Leinonen says that staffers should understand “a comprehensive incident response plan that specifically includes medical devices and related systems.”
- One-size (does not) fit all. Just as other insurance policies vary depending on the scope of coverage needs, cyber-liability insurance should be based on a given contract and its inherent risks. Organizations should approach a cyber-liability policy on a sliding scale based on the size of the contract and the corresponding risk involved.
Assessing the Outlook
It remains to be seen whether there will be a softening in the cyber-liability insurance market. For medical review companies, a continuation of today’s challenging environment may result in increased costs and turbulence in the underwriting process.
According to AdvisorSmith, several traditional insurance companies have emerged as leaders in cyber coverage, including Hiscox, Chubb, The Hartford, and AIG. According to an Insureon study, more than half of small businesses pay annual premiums of $2,000 or less; the study warns, however, that “the cost of cyber-liability insurance depends on your cyber risks,” and specifically points to healthcare as a sector likely to face higher-than-average costs.
As the cyber insurance market has evolved rapidly in recent years, medical review organizations can expect continued change in the market with no lessening of the need to pay for coverage in order to maintain or acquire new business.
The CFO of our organization had this to say: "These attacks are getting more and more sophisticated and larger in value. The solution is not cyber insurance but preventing cyber-attacks. The Government is responsible for protecting its citizens from external and internal attacks and these attacks should be handled as war with the enemies, both foreign and domestic. Cyber insurance is tantamount to insurance against war or terrorist attack and Government should put its full weight and prevent and counter-attack. The psychological and financial toll on seniors and other vulnerable people is traumatic and sometimes it exceeds pain of physical damage." His point is well taken. While insurance is essential to mitigate the impact of attacks on a company's stability and ability to maintain services, any solution to the problem will entail blocking the attacks.
These cyber insurers could mitigate their exposure and help their policyholders if they provided guidance and information on what they feel constitutes effective minimum cyber security standards and equipment.