Healthcare IT consultants’ work involving health records may expose them, and their provider and payer clients, to regulatory, legal, financial, and reputational risk. These risks are potentially higher in the COVID-19 era, with many employees of both consultants and clients working from home and accessing sensitive records and networks from remote locations. According to the US Department of Homeland Security (DHS), there is a heightened risk of phishing, SMS phishing (smishing) and other attacks using COVID-19 themes, and increased attacks on newly deployed remote access and teleworking infrastructure. Managing these risks requires a clear understanding of a consultant’s potential exposures, adoption of best practices for mitigating risk, and consideration of appropriate insurance coverage for the liabilities that remain.
How big is your risk?
Too often, cyber risk analysis is conducted with simplistic estimation methods based on broad assumptions. These methods may not tell the full story and may leave an organization uninformed about its true exposure. In my practice, we use scenario analysis to estimate cyber exposure: defining specific cyber event scenarios (for example, a ransomware outage or a breach of patient records) and estimating the resulting losses with cost models tailored to each type of impact. The changed risk environment created by COVID-19 is part of this analysis.
Healthcare providers and payers are typically “covered entities” under HIPAA. Consultants and other vendors who create, receive, maintain, or transmit protected health information on their behalf are “business associates” under HIPAA and are directly subject to HIPAA requirements and penalties. These consultants may also be subject to claims and legal actions by affected patients who believe the privacy of their health information has been violated.
Because of the value of health records and the size of many of the clients, the average claim for a security or privacy breach at a larger healthcare organization is $3.4 million, according to NetDiligence. Consultants are also subject to the risk of claims and legal actions from their provider or payer clients for damages arising from data breaches and other cybersecurity incidents, interruption of service, and other problems. And whatever the merits of these claims, the cost of defending against them can be very high.
Best practices for risk management
Best practices for risk management in the COVID-19 era start with employee education and ongoing communication. Focus on safeguarding protected health information, following your organization’s data security policies, handling emails that may carry malware or ransomware, protecting mobile devices and sensitive paper documents in transit, and other measures. In an era of mass telecommuting, it also means strengthening the security controls around the secure application gateway or VPN used to reach corporate systems, and requiring multifactor authentication wherever it can be applied. It also includes following best practices for virtual meetings, including the National Institute of Standards and Technology (NIST) guidance on virtual meetings.
An up-to-date, regularly tested and reviewed business continuity and incident response plan is essential, with copies of the plan available offline and off-site so that it can still be reached when systems are down. This plan should include contact information for incident response vendors who have been approved by your cyber insurance carrier(s). The incident response plan should, at a minimum, follow HHS guidance.
How much insurance do you need?
It’s a good idea to evaluate your insurance needs at least once a year, and more often if your business is rapidly changing. Some organizations acquire insurance early in their company history, just enough to meet the requirements of clients, lenders, investors, and other interested parties. As time goes on, inefficiencies may develop: you may be paying too much for some coverages, or failing to scale up coverage to the current size of your business and its potential exposures. Coverage should also reflect the nature and size of current threats. For example, the average ransomware payment increased 33% to $111,605 from Q4 2019 to Q1 2020, according to a recent Coveware report. A regular review, coupled with an accurate risk assessment, will help you determine appropriate coverages.
Review your cyber liability insurance policy to confirm how it will respond to security or privacy incidents that originate in an employee’s remote work environment. Most current policy forms affirmatively cover unauthorized access to the organization’s network, systems, or environment when the device and its software are managed by the insured organization, such as through a mobile device management (MDM) tool. However, each policy differs in coverage, and an incident on an unmanaged personal device may be treated differently. Remind employees to report suspected activity or intrusions on their home network to the IT or information security team, in accordance with your incident response plan and the notice requirements of your cyber liability policy.
With the expanded use of technology such as cloud services and EMRs, the healthcare industry is more interconnected and more dependent on service providers than ever before. The pandemic further stresses this reality and creates numerous potential liabilities around the confidentiality, integrity, and availability of the data within your organization. Reviewing your vendor contracts and your audit procedures for critical vendors can help maintain supply chain resiliency and limit legal and incident response costs when security or privacy incidents occur. Cyber insurance may be an afterthought within some organizations. However, it is a crucial response mechanism that should be understood and exercised through tabletop simulations to confirm the adequacy of coverage and limits before an incident occurs.
Mario Paez, RPLU, CIPP/US is Director, Cyber & Technology E&O, with the Minneapolis office of Marsh & McLennan Agency LLC. He can be reached at Mario.Paez@MarshMMA.com.
Disclosure: This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisers.