Vital Sounds 2020, Quarter 3

How Much Cyber Insurance is Enough? 

August 18, 2020

 

Stacy Moorhead, CPCU, AAI, ARM
KAMMCO, Healthcare Facilities Manager
smoorhead@kammco.com

Cyberattacks continue to be a primary concern for medical practices of all sizes. Criminal actors exploit environments rife with cyber security risk. They profit from the increasing sophistication of cybercrime, a growing base of connected devices and human vulnerability. KAMMCO Cyber Security Insurance provides protection for a broad range of network privacy and multimedia-related exposures. This article will help you understand cyber risks, the associated costs of responding to a data breach and how to determine the amount of coverage your practice needs.

Each cyber breach is different, but you can rest assured that KAMMCO Cyber Security Insurance offers comprehensive coverage designed to protect your practice. 

Five Steps to Determine How Much Cyber Insurance is Enough:
Step 1:  Understand your practice’s data storage, usage and systems.
Step 2:  Determine what would happen if your system went down.
Step 3:  Identify how many patient and confidential records are stored on your system.
Step 4:  Understand the importance of reacting quickly to a data breach.
Step 5:  Understand the causes of data breaches and network outages. 

Step 1: Understand your practice’s data storage, usage and systems.

Gain an understanding of your practice’s data management risks by asking key questions such as: 

  • Where is my personally identifiable information (PII) data stored?
  • Is it backed up? If so, is it secured/encrypted?
  • Who has access to the data?
  • Do business associates have access to my systems/data? (e.g., accountants, IT service providers, etc.)
  • Is protected data making its way out of the office?
  • How many employees have laptops or smart phones that can access the practice’s network?
  • Am I using services like Dropbox or other networked file storage apps?
  • Is sensitive information stored or transferred on USB flash drives? 


Step 2:  Determine what would happen if your system went down.

Understand your network and what systems you rely on to run your practice.

  • If my system went down, would my practice still be able to maintain operations?
  • What financial loss would an outage lasting longer than eight hours cause my practice?
  • Would a ransomware attack stop my practice from operating?
  • Would I be able to pay the ransom, or could I successfully remove the ransomware from my system?
  • Do I rely upon third parties to keep my practice running?
  • Have these third parties agreed to cover any costs or losses I incur if they have an outage that affects my practice?
  • How long would it take me to restore operations if downtime occurs? 

Step 3:  Identify how many patient and confidential records are stored on your system.

A crucial step in managing risk is to know and understand the number of records your system contains and processes. The cost to respond to a data breach is directly proportional to the number of records compromised. Based on industry research and expert advice, data breach response costs are approximately $10 per record. However, this estimate does not include costs derived from lawsuits, regulatory fines or penalties, or lost revenue due to damage to your practice’s reputation.

Step 4:  Understand the importance of reacting quickly to a data breach.

The value of Cyber insurance becomes clearer when the cost of a data breach is understood. It is imperative to act quickly and professionally when a data breach occurs. The financial costs of a data breach will increase drastically if your practice must be defended against a lawsuit or regulatory action.

Should a data breach occur within your practice, a KAMMCO representative will work with you to begin the steps necessary to mitigate the impact of the breach. These steps may include: 

  • Consulting with an experienced attorney
  • IT Forensics
  • Customer Notification & Credit Monitoring
  • Interruption Expenses and Income Loss
  • Public Relations Expenses and Special Expenses

Step 5:  Understand the possible sources of data breaches and network outages.

These threats are real and increasingly commonplace. Five common sources of breaches and network outages include:

  1. Negligence: This is the most common cause of a data breach. It is also the most relatable. Examples include: a laptop stolen from a provider’s car or sensitive files thrown into a dumpster by a well-intended employee.
  2. Social Engineering: The art of deception. Consider this: an employee receives emailed instructions from someone they believe to be the CFO. They are asked to wire money to a new vendor. Even the most detail-oriented employee can fall victim to a fraudulent email.
  3. Rogue Employees: An unfortunate, but all too real possibility. Imagine an employee is disgruntled. They may seek to retaliate. Should they have access to secure systems, they can pose a potential risk to your practice. Even the most advanced network security system is vulnerable to an employee with your system’s passwords. Private or confidential information can be sold online for substantial sums.
  4. Business Associates: Your practice may have excellent security procedures and state-of-the-art encryption, but does your practice’s data flow through any of your vendors’ systems? Does the payroll firm practice safe data management? Is your email service ‘in the cloud’ and secure? Do your contracts with business associates indemnify your practice for any breaches those business associates cause?
  5. Hackers: Entities of all sizes are subject to hackers. Hackers are known to break into the FBI and other highly secure networks. For a technically proficient hacker, your network would be a walk in the park. Also recognize that a practice doesn’t have to be specifically targeted by a hacking group to be affected. Small practices are especially vulnerable to automated malware designed to steal data from multiple sources at once.

Select the Appropriate Level of Cyber Insurance for Your Practice
Once you have reviewed the potential risks to your practice of a data breach or network outage, you can evaluate what level of Cyber coverage you may need. KAMMCO provides Cyber Insurance coverage as a benefit to all of our valued policy holders. KAMMCO’s Cyber Insurance is available at competitive premiums with varying limit options. Reach out to your KAMMCO representative for more information. Call 1.800.232.2259 or email underwriting@kammco.com.

KAMMCO Cyber Security Resource Center
In addition to your Cyber coverage with KAMMCO, you have access to KAMMCO’s Cyber Security Resource Center. The Resource Center provides timely information to keep you informed of risks and to help you reduce your practice’s risk of a data breach. There is also guidance on responding to a breach, with access to 24/7 online training courses, best practices, compliance and incident response guidelines, sample policies, vendor agreement templates and more.

The Cyber Security Resource Center can be accessed HERE or via the Cyber Security Portal on the KAMMCO website. Just click on Insurance at the top of the page, then select Cyber Security Resource Center from the dropdown menu. Click on the Cyber Security Portal button to enter the Cyber Security Resource Center. If you need access credentials, please email your request to: underwriting@kammco.com.