It's not difficult at all to think of large corporations that have been involved in major breaches of their private customer data. These organizations have had to notify all of their customers, they've had to reimburse them for the costs associated with recovering their identities, and they've had to spend millions of dollars revamping their entire computer networks' security systems. Is your dental practice prepared for those expenses should your practice be the target of a cyber crime?
You may be surprised to learn that dental practices are among the top targets for cyber attacks by criminals because they often lack adequate investment in cybersecurity both in systems as well as in staff training. Because of this, dental practices are easy prey for patient financial and medical records, which makes them prime candidates for attacks by cybercriminals. Cybercriminals may attempt to obtain patient records through phishing attacks, which involve sending an email pretending to be from a legitimate organization, but actually contains malicious code designed to infect the recipient's computer. Another common tactic is the use of ransomware where cybercriminals take control of your systems after infiltrating through a malware attack and hold your systems captive until a ransom payment is made. The financial impacts from lost time, legal expenses, and other costs associated with such an attack can be crippling to dental practices.
Requirements of A Data Breach & Cost To You
Many dentists may wrongly believe that because they do not keep "medical" information in their systems, they do not have to worry about HIPAA guidelines regarding patient information. However, in the eyes of HHS (the federal agency responsible for overseeing privacy laws) and OCR (the federal agency responsible for enforcing those laws), it doesn't matter if you're a cardiologist, a surgeon, or a dentist. If you have any protected health information (PHI) in your database, then you must comply with the same regulations to safeguard that PHI. Additionally, if a dental office were to experience a security incident, the HIPAA Privacy Rule mandates that practices must notify every patient of record who had PHI breached. Imagine the negative publicity that a dental office would receive in its local community and how uncomfortable those awkward conversations would be with patients regarding the information that was compromised. Furthermore, identity theft monitoring would also need to be offered to every affected patient. HHS and OCR are just two of the many agencies a dental office will have to deal with; 49 out of 50 state governments have stricter privacy laws than the Federal government. Finally, if a dental office treats multiple state residents, it could be required to report to each of those state governments. A security incident is about patient confidence, and once it has happened, it can be extremely hard to restore that confidence. Repairing the damage to your dental practice’s reputation and regaining the trust of your clients can take time and effort. Furthermore, the financial penalties for violating HIPAA and other state regulatory fines could be significant. The best way to mitigate expenses out of your own pocket is to purchase a cyber insurance policy.
Purchasing A Cyber Insurance Policy
First things first: While your practice's general liability insurance will offer coverage for bodily injury and property damages resulting from your operation and services. It does not cover damage caused by a ransomware attack, cyber extortions, financial loss due to malware or virus, lost income due to a breach, fines, reputation management, forensic analysis, or other expenses related to a cyber event. Cyber coverage can be included with your business owner's policy, but the limits are usually quite low and don't always cover both first-party and third-party claims. When reviewing your options for cyber liability coverage your insurance agent should review a stand-alone cyber coverage option. These policies offer much broader language and provide greater protection for your dentist's office's cyber risk. There are generally two types of cyber insurance coverages included with a cyber policy: first-party liability and third-party liability.
First-party cyber liability insurance addresses the financial fallout associated with an attack against your dental practice. A few examples of what first-party cyber coverage provides are the cost of notifying affected customers, public relations, providing forensic investigations of how the breach occurred, credit monitoring services, replacement of infected systems, and loss of income from the attack. In addition, first-party coverage can help cover expenses for the payment of ransomware to release stolen data or systems back to your practice.
Third-Party cyber liability provides coverage for the expenses related to those claims made against you, including if you are sued for a breach of your patient's personal data. It includes coverage for legal defense, paying settlements & judgments, as well as the payment of fines and penalties assessed against your practice as a result of a cyber breach.
Having both first-party coverage and third-party coverage as a part of your cyber insurance program is vitally important to make sure your dental practice is adequately insured against a cyber event. Make sure prior to purchasing a cyber liability insurance policy that you review all exclusionary wording. Common issues to pay attention to are the definition of personal data, does it include or excludes coverage for paper files, are there requirement to abide by certain security standards for coverage to apply, and does the coverage provide any protection for offsite computers. Overall the price to insure most dental offices is insignificant to the out-of-pocket costs you would be responsible for as a result of a cyber event. Pricing will vary based on the number of client records, the limit of coverage requested, and the current cyber security services and measures currently implemented by your practice.
In Conclusion
Just as with all of your business insurance policies, regularly reviewing your coverage and understanding how your cyber liability policy would respond is the first step in making sure your business does not experience financial hardship as a result of a cyber claim. At Insurance For Texans Group, we provide a no-cost vulnerability assessment of your practice using a third-party scoring system. This analysis provides you with a basic snapshot of your cyber threat assessment so that you can focus on areas in which you need to improve.
To get a copy of your cyber threat assessment please click the image below or call our office at 469-789-0220.