HIPAA compliance and cyber liability insurance
Breaking the rules of the Health Insurance Portability and Accountability Act (HIPAA) is one of the worst blunders a health professional can ever make.
Initially enacted in 1996 to guarantee that employees had health insurance while changing jobs, HIPAA also strongly emphasized privacy and worked to stop fraud and the unauthorized use of people’s personal health data.
In order to safeguard personal health information, including healthcare, treatment, and payment information, the Privacy Rule came into effect in 2003.
Since HIPAA works to protect patient information primarily, it falls on companies involved in the healthcare sector to ensure they are HIPAA-compliant and that they are covered in case of a data breach.
This is where cyber liability insurance comes in.
What is cyber liability insurance?
Cyber liability insurance protects your company from the consequences of a cyber security breach or attacks that involve computer systems and data.
Although it’s common for businesses to get general liability insurance, it doesn’t cover digital incidents. Remember, in today’s business landscape where file creation, storage, and sharing are done digitally, it’s crucial to have cyber liability insurance – and this is true not only for companies that HIPAA covers.
In fact, through the years, cyberattacks have become increasingly common.
Last year, Identity Theft Resource Center (ITRC) research revealed that data breaches until September 2021 already involved almost 60 million victims. According to the report, the top sectors most severely compromised by cyberattacks are the following:
- Manufacturing and utilities (48,294,629 victims)
- Healthcare (nearly 7 million victims)
- Finance (1.6 million victims)
- Government (1.4 million victims)
- Professional services (1.5 million victims)
In 2021, the HIPAA Journal published a summary of the worst healthcare data breaches in 2021. Below is a list of the top five companies that were the subject of unauthorized access by cybercriminals:
- Accellion – approximately 3.51 million records
- Florida Healthy Kids Corporation – 3.5 million records
- 20/20 Eye Care Network, Inc. – around 3.25 million records
- NEC Networks, LLC dba CaptureRx – a minimum of 2.42 million records
- Forefront Dermatology, S.C. – approximately 2.4 million records
With incidents of this size, it’s challenging and expensive for a company to recover without managed cyber security services and solid cyber liability insurance. Smaller businesses face similar threats and are usually more vulnerable to cyberattacks as some don’t have cybersecurity mechanisms or systems in place.
Either way, when your company experiences a data breach, your business could face potential criminal and civil lawsuits and regulatory fines.
What does cyber liability insurance cover and doesn’t cover?
Aside from being a requirement in some vendor agreements, cyber liability insurance typically covers expenses arising from the following factors related to a data breach:
- Investigative services
- Data retrieval
- Identity recovery
- Software and hardware repair
- Regulatory penalties
- Income loss due to network interruptions
- Third-party or privacy lawsuits involving your customers, employees, or business partners (e.g., legal fees, customer notifications, settlement costs)
- Business interruption and extortion (including ransom payments to regain access to data)
- Fees involving public relations work to address reputational damage
While cyber liability insurance coverage can be extensive (depending on your plan), it does not protect your business from the following:
- Loss of property
- Criminal proceedings
- Bodily injury or property damage claims
- Social engineering (some policies may offer this as an add-on)
- Criminal activity or intentional wrongful acts involving you or your employees
- Incidents involving a subsidiary with which you’re not a majority owner or don’t have management control
- Business interruption caused by systems managed or controlled by a third party
What are the requirements to get cyber liability insurance?
Purchasing a cyber liability policy was pretty simple a few years back. Usually, you only need to answer a few questions, go through some quotes, and choose the best option.
Today, companies need to disclose specific details about their cybersecurity posture and pay a premium to get covered. Why? Cyber insurance companies are increasing their risk by guaranteeing financial support following increasingly costly cyberattacks.
If you wish to get cyber liability coverage, you need to meet specific cyber liability insurance requirements, which typically include:
- Controls for access management or proof your organization takes every precaution to prevent unauthorized or illegal network access
- Multi-factor authentication (MFA)
- Security education and training for employees
Getting cyber liability insurance is now more complex, and answering insurance company questionnaires can get somewhat confusing.
CTSI’s managed cyber security services can help you address those questions and meet cyber liability insurance requirements. We use our technological expertise and experience to help improve systems and processes, protect companies and their customers, and enable business growth.