Money for information security is tight. According to a February 2016 survey report by IDC Health Insights, 60 percent of acute care hospitals say their current and planned technology spending is not growing. And even for the 40 percent whose IT budgets are expanding, information security came in fourth on the priority list, despite the growing risks to health information and the organizations that create, receive, transmit, or maintain it.
Any vulnerabilities that can be exploited to compromise the confidentiality, integrity, and availability of health information can have significant clinical repercussions for patients as well as financial and reputational repercussions for the organization.
The risk is growing. The average number of breaches per month reported to the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) increased by 18 percent from 2015 to 2016, and many of these breaches resulted in medical fraud and identity theft. The number of complaints, primarily related to a compromise of confidentiality, has increased by more than 30 percent since OCR implemented an online portal for submitting complaints in 2015, resulting in almost 60 complaints per day. And then there’s ransomware—the compromise of availability. Sixteen healthcare organizations reported ransomware attacks in the first nine months of 2016, and other incidents could have gone unreported or may not have been detected yet.
Despite the obvious impact such breaches can have, healthcare executives must weigh the likelihood of a breach against the potential impact. And for many, revenue-generating initiatives provide more of a draw.
Cyber insurance is one possible solution to the financial risk of a breach, but regarding such coverage, Aon’s 2016 Cyber Captive Survey notes, “The most frequently selected limit range is extremely low relative to the exposures.” The issue appears to be the vastly different policy terms and conditions across the 60 cyber insurance carriers. Sixty percent of the companies surveyed don’t buy cyber insurance. Of those that do, 68 percent do so to protect their balance sheets and to give “due diligence comfort” to their board members.
Another option is to use a captive subsidiary for cyber risk programs. Captives have long been a haven for funds used to insure against professional and medical liability risk, evolving to include medical claims from self-funded group health plans. Captives are handy when:
- Risks can’t be quantified due to variability in the statistics.
- Insurance premiums increase and capacity decreases.
- An organization’s experience is better than the risk pool.
- There is no tax benefit for retaining risk.
Healthcare organizations have been slow to adopt captives as a solution for controlling cyber risks, but captives may provide a flexible option. For example, rather than securing the funding to address the after-effects of a cyber-attack, a captive can be used to provide grants to the captive owner for reducing cyber risk and improving patient safety through training, periodic risk analyses, and compliance assessments.
Healthcare organizations also may be interested in sharing the risk with other organizations through a captive. Among respondents to the Aon survey, 94 percent said they were open to sharing the risk with others as part of a captive facility. Captive facilities also could provide healthcare organizations with proactive risk management activities as an incentive to reduce their risk or offer premium discounts for organizations that do so on their own.
Aon recommends starting with a cyber risk assessment. A healthcare organization’s ability to strengthen its cyber risk posture depends on the extent to which its leaders understand both where its vulnerabilities lie and the threats that might exploit those vulnerabilities. As the risk of breaches grows, so does the need for innovative, cost-effective ways to mitigate that risk.
Mary Chaput is CFO, Clearwater Compliance, Nashville, Tenn.
