Cyber Attacks in Healthcare
By Julie Danna

Last November I read an article on cyber attacks in healthcare that broke down the price of data on the black market. It estimated that a credit-card number is worth $1, a Social Security number is worth $3, and a medical record is worth $200. This really caught my attention and I wondered what the “value” differential was all about.
I did some casual research on what exactly “cyber thieves” wanted from the healthcare world. As it turns out, a medical record with personal health information (PHI) is not only data rich, but it could be years before the victim knows their information has been compromised.
Cyber thieves use PHI in a number of different ways. With the lab results, medication records, insurance numbers, and even the PINs and security questions that patients use to protect their information, they are able to file fraudulent insurance claims, receive medical treatments (including surgeries), and obtain prescription drugs or medical equipment. In addition, they can sell your identity on the black market.
A recent survey of healthcare organizations found that 90% reported at least one data breach within the past two years, with an average economic impact of $2 million per incident. According to a March 2014 report from the Ponemon Institute, cyber breaches of PHI could cost the U.S. healthcare industry as much as $5.6 billion annually.
As an insurance agent who has been working solely in the healthcare arena since 1994, this caused me great concern for the doctors and healthcare facilities that I assist. Consequently, I read everything I could get my hands on, obtained my Cyber Risk Management Certification, and aligned myself with leaders in cyber insurance. Relieved, I thought, “No problem. Healthcare providers already have coverage for any cyber attacks included on their malpractice insurance policies, so it’s all good,” although something kept gnawing at me. Just to be safe I created a spreadsheet outlining the cyber coverage on major malpractice insurance carriers’ cyber policies, and that’s when I realized that some of the important coverages were missing.
Most of you who have medical malpractice insurance with a major carrier have cyber/privacy breach coverage, typically $50,000 (one actually offers $100,000), and you can get up to $1 million for an additional cost. I would strongly advise you to check your coverage, as you may only have the basics covered. Bear in mind that $50,000 is not appropriate coverage in the event of a good-sized cyber attack, as the average cost of handling a medical practice’s data breach is $201* per patient/customer’s record.
Here are some of the costs associated with a cyber/privacy breach*:
- Customer notification: $1 – $2 per patient record regardless of whether they are a current patient
- Forensic research and data-recovery consultation: $250 – $300 per hour
- Legal fees: $400 – $600 per hour
- Credit-monitoring subscriptions: $10 – $20 per patient/person
- Credit-card reissuance fee: $10 – $30 per credit card
- Information hotlines for customer support: $5+ per call
In closing, you are at risk not only from criminals but also from a severe storm causing a power surge that damages or destroys your entire database, from human error, and finally from intentional criminal activity originating either inside or outside of your organization.
* According to the Ponemon Institute’s 2014 annual study