Overview: 

A 2013 survey released by McAfee found that 45 per cent of surveyed small to medium businesses (between 25 and 250 employees) had been the target of an electronic attack in the prior year, and 46 per cent had suffered a data or security breach perpetrated by disgruntled and current employees. Medical practices store sensitive patient information, so they are a clear target for hackers.

If your systems are connected to the web (whether you use a server or are cloud-based) you are potentially exposed. There are many steps you can take to reduce your risks, such as having an IT security audit/review of your systems completed annually. Go to our risk management page and the FAQs below, which discuss privacy risks and why privacy should be on your ‘top 10 risks’ in running a medical practice.

Having a Cyber Liability & Privacy Protection policy can provide cover for the following risks:

  • Your costs to deal with a cyber breach (e.g. forensic investigations, lawyers, IT security experts, notifying patients and the regulator, public relations costs, and costs to restore data, programs and networks)
  • Your lost revenue following a cyber attack
  • Liability and fines you incur: the Office of the Australian Information Commissioner can now seek fines against organisations of up to $1.7m and against individuals of $340,000. Patients, suppliers and others can bring civil claims against the entity.

Below are questions and answers. Please contact us if you would like to discuss, or to request a quote.

It depends. For example, you can buy a cyber extension to some management liability covers for around $300. These extensions provide a low limit of $50,000 or $100,000 and are not as broad as a specialist policy (for example, they won’t cover lost revenue following a cyber attack). For a specialist policy, premiums generally start at around $1,000 for a $250,000 limit and go up from there depending on the limits selected, the size of your practice and the quality of your IT security.
Yes; it’s likely not a question of if, but when. Not only does the insurer assist with costs, it brings in a team of experts to make critical decisions such as whether to notify impacted customers, suppliers and the Office of the Australian Information Commissioner. We have a client who elected not to hold cyber cover and they were hacked. The legal and IT costs for what was a very minor breach (which did not breach patient data) were over $20,000. But the true cost was far higher, as it consumed the owner for several months as they worked their way through the privacy laws and obligations.
Speak to an IT security expert who may recommend:

  • put cyber security and patient privacy on your Risk Register and in your ‘top 10 risks’;
  • develop a business continuity plan/disaster recovery plan for system downtime;
  • develop a data breach response plan;
  • test your back-up/recovery system and your disaster recovery plan annually;
  • make sure you are aware of all regulatory requirements (is your Privacy Policy updated to address the 13 Australian Privacy Principles?);
  • conduct employee training to ensure your staff are aware of the risks the company faces;
  • develop appropriate policies, such as a ‘bring your own device to work’ policy and a policy on internet usage while connected to the company network;
  • review contracts with third-party vendors providing data storage and other IT services. Are there limitations of liability? Where are they storing your data?
  • conduct an external penetration test to highlight potential areas to address;
  • review the system protection you have in place, such as anti-virus, firewalls etc., and update it regularly;
  • keep all your systems and software patched and up to date.
This is likely a yes and no answer. While a patient bringing a civil claim for breach of privacy would likely be covered by medical indemnity (refer to your own policy terms and conditions), there are numerous other risks which may not be covered, such as:

  • the costs to investigate the breach and restore the IT system/data;
  • the legal fees to manage the data breach response, for example, determining whether there is an obligation to report the incident to the Office of the Australian Information Commissioner (OAIC);
  • the costs to provide support to patients, such as credit monitoring services and a public relations firm to help repair damage to your brand, and the legal costs of notifying your affected customers;
  • the potential fine sought by the OAIC, which from 1 March 2014 is up to $1.7 million for companies and $340,000 for individuals for serious or repeated invasions of privacy;
  • the loss of revenue the practice may suffer in the event the practice is unable to trade due to, for example, ransomware.

Broad specialist cyber and privacy protection policies are designed to cover the above risks.