
Health Care Cybersecurity Risk Management: What You Need to Know

Because hospitals and health care organizations house an abundance of confidential patient information in a single place, one breach of the system can lead a cybercriminal to a goldmine of personal information.

It’s no secret that hospitals and health care organizations are prime targets for a cyberattack. With an abundance of confidential patient information housed in a single place, one breach of the system can lead a cybercriminal to a goldmine of personal information.

For agents and brokers, this means that health care clients face outsized exposure. In fact, according to Experian’s 2016-2017 Data Breach Report, medical and health care breaches accounted for more than a third of all breaches in 2015, exposing more than 13 million records. And considering Herjavec Group expects information security spending to hit $65 billion by 2021, the threat isn’t going away anytime soon.

What can you do to better protect your hospital and health care clients? The answer starts with understanding the full spectrum of exposure.

New Risk Sources

While most organizations face a myriad of cybersecurity threats, health care organizations are particularly vulnerable due to the rapid increase in the number of internet-connected devices used to deliver care, which in turn create new entry points for hackers.

Consider that hospitals have achieved a 96% electronic health record adoption rate, according to the Office of the National Coordinator for Health Information Technology—and thanks to advancements in smartphones and remote VPN access, these records are now accessible outside hospital walls. While this gives physicians the ability to access patient information remotely—which can be critical in an emergency—it simultaneously introduces new cyber vulnerabilities thanks to insecure mobile devices or Wi-Fi networks.

If electronic health records are now standard in health care, wearables are the new frontier. With a global market valuation of $13.2 billion, according to Kalorama Information, wearables are changing the way hospitals monitor patients and deliver treatments both inside and outside the hospital.

But if patient data that is wirelessly transmitted to and from a wearable device isn’t protected from malware and virus attacks, a health care organization’s entire network could be compromised if the infected data is accessed on a network-linked computer.

The second critical element agents and brokers must understand to best advise their clients is that a cyber breach can cause much more than privacy liability issues related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

One of the most concerning non-privacy-related risks involves professional liability. Imagine a situation where a cyber breach knocks a hospital’s system offline, impeding hospital operations and stalling the delivery of care. Alternatively, consider what would happen if a hacker were able to alter patient data while it is being wirelessly transmitted from a wearable device to a network-linked computer, causing a physician to make the wrong medical decision.

In the event that a patient is harmed or injured in either of these scenarios, health care organizations could face malpractice claims. Too many health care organizations have not accounted for these interfacing liabilities when thinking about their cyber exposure.

Protecting Your Clients

With a better understanding of the emerging sources behind cyber risks, along with their broader liability implications, agents and brokers can help health care clients design comprehensive risk mitigation plans.

While each health care organization requires a customized strategy based on the type of care provided, geography and staff size, among other factors, agents and brokers should always advise that:

  • All employees, including both medical and non-medical staff, receive annual trainings on emerging cyber exposures and what to do if they suspect that they are being targeted.
  • Organizations install and regularly update antivirus and antimalware solutions, schedule automatic scans, and conduct regular penetration tests.
  • Executives build an internal response team that can be activated in the event of a breach. The team should include members from a range of departments, including HR, IT, PR, legal and customer care. A primary function of this team should be to plan for and develop protocols for handling various breach scenarios.

Finally, in the event of a breach, it is important that clients have comprehensive and end-to-end cyber coverage in place. Such policies should provide coverage for privacy liability, network security liability, data breaches, and other network and privacy-related exposures. Given that cyber breaches often result in interlocking professional liability claims, having a single carrier that understands a client’s full risk exposure can provide peace of mind and the most comprehensive protection.

Caroline Clouser is executive vice president of Chubb Healthcare.

The material presented in this advisory article is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. This advisory article contains links to third-party websites and references third-party entities solely for informational purposes and as a convenience to readers and not as an endorsement by Chubb of the entities referenced or the contents on such third-party websites. Chubb is not responsible for the content of linked third-party sites and does not make any representations regarding the content or accuracy of materials on such linked websites.

Tuesday, June 2, 2020
Cyber Liability