
Cyber-attacks are one of the most significant risks facing optometrists, and every practice carries cyber risk. Whether it is ransomware, phishing emails, or another form of attack, these incidents are becoming more prevalent every day. The two most common incidents in private practices are described below.
Common Cyber Incidents in Private Practices
- Ransomware attacks: Malware that denies users access to their files, often introduced when someone opens a malicious file or attachment.
- Social engineering: Attackers gain the trust of an employee and persuade them to hand over sensitive information.
Risk
The healthcare industry accounts for almost 40% of all cyber incident claims, with most caused by human error and rogue employees (Chubb). The average cost of a cyber claim is $161,000, and the average ransomware loss is $265,000, with 40% of cyber-attacks originating from email (Coalition).
Cyber Insurance
Cyber liability insurance can cover expenses related to a patient data breach at a doctor’s office, including notifying clients, covering fines, and paying data breach expenses (Insureon).
Coverage
Cyber insurance can provide assistance in three general areas, depending on the type of plan and coverage:
1. First-party Cyber Liability Coverage
- Data Breach Response Costs: Forensic investigation, securing systems, and the patient notifications required under HIPAA.
- Regulatory Fines & Penalties: Coverage for fines from regulatory bodies such as the HHS Office for Civil Rights (OCR).
- Credit Monitoring & Patient Support: Providing affected patients with credit monitoring services.
- Public Relations & Crisis Management: Covers PR firm expenses to manage reputation damage.
- Data Restoration & Repair: Helps restore corrupted or lost data.
- Cyber Extortion & Ransomware: Addresses ransom payments and recovery costs.
- Business Interruption: Reimburses lost income and recovery costs if operations are disrupted.
2. Contingent Business Interruption (CBI)
Protects against financial losses if third-party vendors (such as EHR providers or billing services) experience a cyberattack that impacts the practice.
3. Liability Coverage
Covers legal fees and settlements if patients or entities file lawsuits following a data breach.
General Liability Insurance
Some general liability insurance policies may include cyber insurance, but coverage limits are usually minimal.
Cost
The cost of cyber insurance for healthcare practices varies, but medical professionals pay an average of $79 per month, or $952 annually.
The Healthcare Provider’s Responsibility
Insurance providers require proof that organizations took preventive measures. Common requirements include security risk assessments, establishing policies, and staff training (Mattila).
1. Security Risk Assessment
Conducted annually to identify gaps in cybersecurity and HIPAA compliance. Automated compliance software is often recommended.
2. Establishing Security and Privacy Policies
Remediation actions throughout the year may include:
- Updating firmware on network devices
- Conducting incident response testing
- Reviewing network/system inventory
- Testing and training employees against phishing threats
3. Staff Training
Since 58% of incidents are caused by employees, HIPAA training at least once a year is essential. Training should cover phishing recognition and HIPAA basics, and completion should be documented for each employee.
Recommendations
If you need a policy, Practice Performance Partners recommends:
- Tower Street Insurance
- Lockton Affinity (also AOA recommended)
References
- Chubb (2022). Cyber insurance for the healthcare industry.
- Coalition. Cyber insurance for the healthcare industry.
- Insureon. Healthcare Professionals Business Insurance.
- Mattila, S. (2024). Cyber Insurance for Healthcare.