When Insurance is not Insurance

Paul Fitzgerald writes for us this week on Cybersecurity and the possible effects of the new legislation that comes into effect in February 2018

Recently, I had a discussion with a medical doctor about privacy, security, insurance and other things.

For this blog, let’s call him Bob. Bob told me that he thought his insurance cover from his Medical Defence Organisation (MDO)covered him for cyber liability. I suggested that perhaps it would be worth checking. The other day, Bob sent me a message that he had checked with the MDO about cyber cover.


The Nuts and Bolts

After this discussion, I immediately thought of two songs that summed it up perfectly – “Things that make you go hmmmm” by C+C Music Factory and “How Bizarre, How Bizarre” by OMC. According to his insurer, Bob is covered for actual or alleged breaches of privacy or confidentiality. However, his policy excluded fines (such as those that may be imposed by the Privacy Commissioner), damages awarded by the courts (such as in civil claims), or repayments to Medicare.

Additionally, there are other exposures like the impact to the practice through interruption and loss of revenue (not profits), forensic investigation and remediation cost, which were also not covered.What is the potential financial impact for Bob if his practice has a cyber event?

Bob may have a regulatory fine imposed by the Privacy Commissioner. He quite possibly may incur both economic and non-economic damages. (On average the Privacy Commissioner has awarded around $15,000 to each claimant in cases of health data breaches).


New Concerns

Under the new mandatory reporting laws, just to remedy the breach, based on 1500 compromised patient records, costs could escalate beyond $1,000,000! This become law in February 2018. With fines and damages, then the amount not insured would cost most people their business, home and potentially much more. What to do, and what do I need covered?

Bob, needs to consider a specific cyber liability policy. It needs to be tailored to cover Bob’s actual risk, and risk appetite. To do so, Bob needs to firstly understand his risk profile and financial exposure, including any potential vulnerabilities.
Many healthcare practices have informal policies around privacy and cyber security, but these are often “just what we do”, as opposed to being formally implemented, in writing and practice.


Cyber Health checks

To assist healthcare providers, Cyber Health International provides practices with a comprehensive risk assessment. This includes a report highlighting any potential vulnerabilities and recommendations to remedy these. It also includes a complete set of privacy/cyber policies and procedures that you can tailor to suit your practice, and implement.

Undertaking a risk assessment is likely to provide a much higher probability that you will be able to obtain cyber insurance. Some insurance companies offer a discount if a risk assessment is undertaken. Additionally, it will help your practice with any future accreditation requirements and if you have a breach. It will help to minimise the fallout because you actually took privacy seriously and proved it by addressing any vulnerabilities (I know everyone really does take it seriously, but can you prove it to anyone?).

To start the process, get in touch with one of our health cyber experts, and we can walk you through what is required.

Then you can relax and “Don’t Worry, Be Happy” 😊


Click here to read more about CyberHealth on the website