If you pay for HIPAA compliance services, you may already be protected.
By: Tod Ferran
That’s where cyber insurance can help.
The HHS says their fines are meant to hurt, not kill, but they aren’t taking into account the other costs that affect healthcare organizations after a data breach.
The average cost per patient record compromised in 2013 was $359. At 5,000 records lost, that would be more than $1.7 million.
Let’s break down what the cost of a data breach might entail:
- HHS fines: up to $1.5 million/violation/year
- Implementation of new systems and processes: Depends
- On-going credit monitoring for affected patients: $10/individual
- Federal Trade Commission fines: $16,000/violation
- Class action lawsuits: $1,000/record
- State attorneys general: $150,000 – $6.8 million
- Patient loss: 40%
These estimates could be higher or lower, depending on the size of your breach. For example, one woman filed a $5 million class action lawsuit against Anthem Blue Cross Blue Shield for their data breach that could affect 80 million current and former customers.
Those exorbitant fines are why cyber breach insurance exists.
How much is cyber breach insurance?
Depending on how much financial assistance you would like to receive after a breach, your size, your annual revenue, and your industry, HIPAA cyber insurance premiums can cost healthcare providers from $650 to $120,000 annually.
But you might not need HIPAA breach insurance, or you might already be covered.
You might already be protected
If you have a vendor that helps you with HIPAA compliance, you might already be protected up to a certain amount. Let me explain.
Some HIPAA compliance vendors offer a limited guarantee on their HIPAA compliance services. If their services don’t help protect you from a data breach, you may be reimbursed up to $100,000 for specific costs associated with the breach. Instead of costing you a premium, it’s wrapped up as an assurance in the services you’ve already purchased.
What can you spend it on?
Most companies offering this protection won’t limit what you use it on, as long as it helps financially cover your breach. Here’s an example list:
- Forensic investigations
- HHS fines
- Lawsuit fines
- Health Insurance Portability and Accountability Act (HIPAA) fines
- Customer notification costs
- Regulatory fines/penalties
- Upgraded device for future security
- Post-event consultation
Which is better? Cyber insurance or a HIPAA service guarantee?
For large health organizations handling an exceptionally large quantity of patient data, it may make sense to pay the premium for cyber insurance, especially if you don’t have a robust IT security team and you have not had a third party validate your HIPAA compliance, since you are at greater risk of a large data breach in your future.
But remember, you might already be protected through your HIPAA vendor through a HIPAA breach services guarantee.
Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.