Cyber insurance in the healthcare sector
Published 7 July 2015
The development of the London cyber insurance market, through access to standalone and umbrella policies, is becoming increasingly important for the healthcare and life sciences sector.
In 2014, the Department for Business & Skills reported that 81% of large organisations and 60% of small businesses in the UK had suffered a cyber security breach.
As custodians of sensitive patient data, organisations in the healthcare sector are among the most popular targets for cyber attacks. Large numbers of healthcare providers, manufacturers and suppliers have access to vast quantities of sensitive personal data that can reveal staggering amounts of (valuable) information. Life sciences organisations, seeking to create new intellectual property, are also particularly susceptible to attack, as they may hold volumes of patient data and insider market data.
This year has already seen a spate of cyber attack victims in the healthcare sector. In March, Beacon Health Systems, an operator of large healthcare facilities in the US, discovered that the email inboxes of its employees had been unlawfully accessed – going as far back as November 2013. The inboxes had contained personal and medical information of patients, including their names, dates of birth, driver's licence numbers, diagnoses and treatment. Beacon has recommended that patients register for a credit freeze with credit reporting organisations to prevent credit being taken out in their names without permission.
A month prior to this, in February 2015, Anthem, a large US health insurance company, found that hackers had broken into its database. The database stored the names, employment information and medical IDs of 80 million people – representing one of the largest data breaches in recent times.
Vulnerability of Medical Devices too
However, it is not only the more obvious digital databases held by healthcare organisations which are susceptible to attack. Medical devices and equipment used in the treatment of patients are becoming increasingly sophisticated and digitally capable – and that same connectivity renders such equipment vulnerable to hacking.
In particular, in the last month a cybersecurity expert has said that infusion pumps, which are used to dispense drugs in hospitals, could be hacked because of outdated security and encryption settings. Hospira, owned by Pfizer, is the supplier of over 400,000 infusion pumps around the world. A cybersecurity expert has found alarming flaws in their security – and claims that the upper and lower limits for the amount of medication a patient can safely receive could be altered remotely.
Notwithstanding any claims that might exist against the manufacturer, it is not difficult to anticipate claims also being brought against the private hospital or clinic treating a patient whose medication is remotely tampered with, causing injury. Would a cyber insurance policy cover such a situation? Bodily injury is not traditionally the type of loss covered by a cyber insurance policy. However, in a sign that the digital and physical worlds are now difficult to separate, some insurers are expanding cyber cover to include both physical damage and bodily injury – recognising the changing face of technology and the risks it poses within the healthcare market in particular.
The need for Cyber Insurance
Most European healthcare organisations will have a range of medical malpractice, property and public liability policies to guard against third party risks, and commonly first party property and business interruption policies as well. Such organisations may either not anticipate cyber attacks at all, or hope that cyber risks will be covered under their existing insurance programmes.
It is clear, though, that a "cyber risk" – whether a theft of sensitive patient data, an intentional hack of digital software, a business interruption or even an inadvertent disclosure of digital medical records – can result in significant business disruption. A healthcare business could face claims for loss of patient data, claims for breach of privacy, liability for regulatory fines, customer notification costs and investigation costs – in addition to the devastating impact on the organisation's reputation.
To mitigate these risks, cyber insurance products are increasingly available in the market, most commonly as standalone, comprehensive products. Policies offer not only indemnities for first and third party claims, regulatory fines and defence costs, but may also provide an array of experts to assist in the immediate aftermath of a cyber event – such as forensic investigation teams, public relations experts and customer support teams.
Cyber attacks are not new, and policy drafters can learn lessons from the more mature US market, which has written cyber cover for over 20 years. It is estimated that the US cyber market was worth USD 1 billion in gross written premium in 2013, and will have doubled in 2014. The European market, by comparison, is estimated to be worth around USD 150 million.
As the market is still relatively new, the products on offer vary widely. Policies may be sold not only on the limits of cover, but on how widely a "claim" is defined in the policy and how broadly "loss" is defined – in particular, whether perceived add-on benefits such as customer notification and forensic investigatory experts are included or excluded. Care will, as always, need to be exercised over how the policy deals with the aggregation of claims and limits, where one attack may have caused multiple losses.
EU Data Protection Legislation
As if a further nudge were needed as to the benefit and necessity of cyber cover, insurers should expect further demand once the EU regulations now in final drafting are introduced, putting in place a single system of personal data protection across the EU. The biggest consequence of the regulations will be the introduction of fines for breaches. The level of fines is yet to be finalised, but the discussion of basing a fine on a percentage of an organisation's global turnover should be a sufficient message for organisations to start assessing their systems and exposures, and to put appropriate insurance protection in place now.
It is often said that cyber cover will one day become as essential and common as public liability, medical malpractice and D&O cover. The alarming regularity and publicity of cyber exposures in the healthcare market make clear that this is an area of business that healthcare organisations in particular cannot afford to ignore.