
The Problem with Cyber Insurance


It’s always a good idea to consult with an expert before signing any document requiring you to divulge technical information about your practice.

Mitchell Rubinstein, D.M.D.

WITH CONCERNS MOUNTING over cybersecurity, HIPAA and dentistry’s increasing exposure as a profession, many doctors have purchased cyber insurance riders to their business and general liability insurance policies. These riders protect holders from losses specifically incurred from damage to their information systems, ransomware and data loss.

Some of these policies also protect against claims made against doctors for HIPAA violations and help mitigate the financial and reporting burdens a HIPAA claim can bring. Dentists must be very careful, however, when applying for these policies. The applications often ask specific and technical questions about the procedures in the office regarding information technology and cybersecurity. If you answer the questions incorrectly or incompletely, there’s a strong chance this will be uncovered in the event of a claim, resulting in cancellation of the policy or denial of coverage. Just recently, the Travelers Insurance Co. sought to rescind a cyber insurance policy it issued to International Control Services (ICS) because of alleged misrepresentation of its use of multifactor authentication (MFA).

Multifactor authentication, or MFA, is commonly used in everyday life. It is like using two locks instead of one to protect something important. Imagine you have a password to log into your practice management system, but you also need a special key (like a fingerprint or a code sent to your phone) to allow access. This way, even if someone guesses your password, they still can’t open the second lock without the special key. This is familiar to all of us and is standard for any type of secure communication. When logging into your bank account from a new computer, for example, you might be required to enter your password first and then receive a special code to your phone that must be entered as well. MFA adds an extra layer of protection, making it much harder for unauthorized people to access your accounts and personal data.

Travelers alleges that ICS falsely claimed in its application that it used MFA for administrative access, and that Travelers later discovered MFA was applied only to the company's firewall. This is a subtle distinction, and it might be easily missed on an insurance application. Travelers is declaring the insurance contract void, rescinding the policy and denying responsibility for any claims or costs incurred by ICS, including those resulting from the ransomware attack.

This case is relevant to dentistry because multifactor authentication is incredibly important for the secure storage and communication of health information. Any offsite access to your practice management system should be protected by MFA. This case also contains a warning for all of us. It points out some of the risks in answering technical questions without adequate background knowledge. It is highly recommended that before submitting any application for insurance, you run it past someone at your IT company, or anyone else you rely on for advice regarding information technology.

As always, the NYSDA Information Technology Committee is available to provide education and support for dentists struggling with issues surrounding information technology and cybersecurity. To reach the committee, contact Jacqueline Donnolly at NYSDA, jdonnolly@nysdental.org.

Dr. Rubinstein is chair of the NYSDA Information Technology Committee. He can be reached at Dr.Mitch57@gmail.com.
