Bill Gompers, CFE

By Vanessa Orr

In January 2023, T-Mobile announced that 37 million customers’ accounts had been breached by hackers, despite having gone through extensive cybersecurity measures after a previous breach had occurred. What this shows, unfortunately, is that even the largest companies can be at risk of cybercrime—which is why healthcare providers should, in addition to risk management measures, make sure that they’re covered with comprehensive cyber policies.

“When you talk about cybercrimes, healthcare is always among the top five industries targeted,” said Bill Gompers, CFE, vice president, Risk Strategies Company | Danna-Gracey. “They have a large amount of personal information, and it’s often fairly easy for hackers to get in.”

Cybercrime usually takes one of three forms, all of which most cyber policies cover, according to Gompers. These include ransomware attacks, in which a hacker encrypts a practice’s files and won’t unlock them until a ransom is paid, and wire fraud and social engineering, in which funds are transferred to someone posing as a person within the company.

“For example, the chief financial officer gets an email from the company’s CEO saying that they need to pay XYZ company $50,000, with an attached invoice,” said Gompers, “only that email is not from the real CEO.”

Hackers can also gain access to employees’ email accounts, or breach the employer’s network, through a process known as phishing.

What many healthcare professionals do not realize, however, is that not all cyber policies are the same, and they may not be adequately covered.

“Policies have a dollar amount listed for each claim and an aggregate amount of coverage for the year, but most also have sub-limits for various exposures,” said Gompers, noting that the limit and sub-limit aggregates usually include costs and expenses.

It’s important to look at the types of issues that are covered in each policy, and to understand what the different terms mean. Some examples, as outlined in the declaration pages of policy proposals, include:

  • Breach Response: The insurance company will provide specialists to come into a company and assist it following a breach. This may include providing expert forensic advice, legal advice, notifying customers, public relations, credit monitoring of affected parties and rebuilding data that was lost.
  • Business Interruption and Extra Expense: This covers any financial loss from a failure of security, a data breach or a system failure, as well as the extra expenses of bringing the company back online. Some policies will also cover computer replacement if the machines have been damaged beyond repair by malware.
  • Computer Fraud: This covers funds stolen through cyber methods and the transfer of property or money to an outside party.
  • Cyber Extortion: This is coverage for damages done due to a breach, which includes ransom payments to restore a system.
  • Healthcare Billing Errors and Omissions: This helps to pay for an expert defense, as well as fines and penalties associated with unintentional overbilling of government or commercial payors.

“When looking for a cyber policy, you really need to go with a broker that has extensive experience in cyber insurance and security in the healthcare field,” said Gompers of the many options available. “Some carriers offer risk analysis of your existing system and will monitor your company while the policy is in effect to alert you if something is happening or if issues are imminent.

“Considering that an average breach costs in the $200,000-$300,000 range to rectify, it’s really important that you have the right kind of insurance,” he added.

How to Prevent Cybercrime

Considering what can be lost, companies need to take a proactive approach to preventing cybercrime.

“Owners and the board need to make cyber risk a priority; if it doesn’t flow from the top, nobody will take it seriously,” said Gompers. “Once top management is involved, you need to develop and define what your risk tolerance is, and then develop and implement a plan of risk management policies.”

This can include educating staff on cyber policies; limiting access to certain types of sites; implementing cyber policies and practices for staff working from home; and sometimes requiring employees to conduct business only through a company portal.

“While cybercrime is definitely on the rise, there are some things you can do to try to avoid it,” said Gompers. “And educating your employees is a big part of it.”

For more information, contact Bill Gompers at bill@dannagracey.com, (888) 777-7173 or visit www.dannagracey.com.