Because criminals recognize that access to patient data and practice management systems is essential for healthcare organizations, they target these vulnerable organizations and expect rapid payment of their demands. Many smaller healthcare organizations do not have sophisticated IT support staff, and the criminals know that they are more likely to get paid than to have the organization invest the time and money to rebuild its systems from backed-up data.
To Protect Your Organization…
Conduct a Risk Assessment
Risk assessments and analysis are the foundation for mitigating the risks above and preventing an unpleasant experience with the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”). Failure to conduct a risk analysis is the most common HIPAA violation found during OCR investigations. Analyzing the organization’s risks is the starting point for determining a proper information security program and appropriate risk mitigation measures.
Employee training is another key element of HIPAA compliance and of mitigating the associated privacy and security risks. The HIPAA Rules require that the organization’s workforce be properly trained on the HIPAA Privacy, Security, and Breach Notification Rules.
Implement Policies & Procedures
HIPAA’s Privacy and Security Rules require healthcare organizations to have data security policies and procedures addressing a multitude of risks. Inadequate policies and procedures are a frequent violation cited in HIPAA enforcement actions.
Manage Vendors Appropriately
Vendor risks have become one of the top data security concerns for healthcare organizations. As OCR holds business associates and covered entities liable for HIPAA compliance when it comes to vendor relationships, it is important for healthcare organizations to have a vendor management program in place to maintain control of their business associates processing PHI.
Prepare an Incident Response Plan
The best way to handle a cyber attack is to be prepared well in advance. When responding to a cyber incident, critical decisions must be made in a condensed time frame. Notification deadlines apply to all healthcare organizations, the most notable of which is the 60-day notification deadline to OCR and affected individuals. Any mistakes can be costly and have a lasting impact.
MICA’s e-Med Protection Coverage provides Cyber Liability limits of $100,000 per claim/$100,000 aggregate and Medefense® coverage limits of $25,000 per claim/$25,000 aggregate at no additional premium. Higher limits are available subject to Underwriting approval.
For more information regarding programs and services available to MICA members, or to become a MICA policyholder, contact Sarah Storms at 602.808.2135 or firstname.lastname@example.org.
Reference: NAS Insurance Services. (2019). Healthcare Cyber Security and Ransomware 2019. [Brochure]. Los Angeles, CA: NAS Insurance Services.
All new and renewal insurance policy coverage is subject to underwriting review and approval.
e-Med Protection Endorsement form number: MPL-0144
This is a general description of coverage. This policy has limitations. For costs and complete details about MICA’s e-Med Protection insurance, please contact MICA or your MICA broker.
MICA has partnered with NAS Insurance Services to administer and provide claims services.