Caroline Clouser: The healthcare industry continues to transform due to rapid advances in technology, a changing regulatory landscape, increases in the patient population and decreasing reimbursements. All of these factors contribute to the risks that the industry is currently facing, but it is the exposure to a cyber-hack or data security breach that may pose the greatest risk to healthcare organizations.
The electronic collection of patient medical and financial details is exposed to a breach whether through human error or deliberate breach. Healthcare companies are also heavily involved in electronic medical equipment that could lead to patient injury if hacked by someone trying to cause harm. Healthcare risk managers must ensure that they have controls in place to protect patient data and equipment as well as appropriate cyber-related coverages to help protect the assets of the organization.
Caroline Clouser: The Affordable Care Act or healthcare reform, as it has become known, has left the healthcare industry facing various emerging risks. This legislation has increased the number of insured Americans by about 35 million people, causing greater demand for access to physicians and medical services. Healthcare organizations open themselves up to increased liability risk as they increase their ties to physicians and transform their operational model to service patients. The CMS Shared Savings program, for example, has changed how healthcare organizations are reimbursed; however, the rules are not entirely clear and could lead to lower-than-expected revenue. Healthcare reform has created a double-edged sword. As the ultimate goal is to try and provide more people with healthcare coverage, patients and the healthcare industry are now dealing with a number of new uncertainties and risks.
Caroline Clouser: Regarding the exposure to cyber hacks and/or breaches, this has transformed from almost an incidental exposure to something much more material. Before the advent of the Electronic Medical Record, typical claims included lost patient medical records or perhaps a healthcare worker sharing confidential patient information with a third party; a single event. Today, a lost flash drive containing the medical records of thousands of patients or hacking into a hospital server or system could lead to millions of potential claimants for a single incident. We encourage our healthcare customers to purchase specific coverage to protect against these types of cyber losses.
Caroline Clouser: There are a number of challenges on the horizon that we think about and are helping our customers to prepare for in the future. Some of these include the potential increase in frequency and severity of loss that we have not seen in the past decade, eroding tort reform, and increased regulation. We are also looking at trends in loss activity such as the increasing violence our insureds are facing and helping to ensure they have the right controls in place to protect their employees, patients and visitors in the face of such violence.
Caroline Clouser: I would again have to say data security breaches and cyber liability. This particular risk has the potential to jeopardize an organization’s financial stability, security and reputation. Electronic medical records are now more easily accessed by consultants, vendors and other third parties, which, if not protected properly, can open the door to greater exposures.
To put some numbers around the risk, the Ponemon Institute in its Fourth Annual Benchmark Study on Patient Privacy & Data Security said that while the total number of data breaches declined slightly over previous years, almost every healthcare organization represented in the research experienced a data breach. Healthcare organizations also continue to struggle to comply with increasingly complex federal and state privacy and security regulations. A single data breach can cost a healthcare organization millions of dollars, with the average cost for organizations represented in the study estimated at $2 million over a two-year period. The potential cost to the healthcare industry could be as much as $5.6 billion annually based on the experience of the healthcare organizations in this study.
The numbers may look staggering, but healthcare organizations can take steps to mitigate this type of risk. One way to do so is by working with their insurance carrier to make sure the appropriate coverages are in place. General liability policies often do not cover cyber risks, but cyber liability insurance can address data and privacy coverage gaps. Insurance carriers can help work with healthcare organizations to ensure they have the right coverage and minimize future potential exposures.