Cyber and Privacy Risks Are Bleeding Over into Medical Professional Liability Risks | Update from the Cayman Captive Forum

Background

Health systems, large medical practices, and other healthcare organizations have long realized the value of establishing their own medical malpractice insurance companies in domiciles such as Bermuda, the Bahamas, and the Cayman Islands.  More recently, domestic domiciles such as Vermont, Tennessee, and Montana have come to serve these organizations.  Historically, these so-called “captive” insurance companies have provided medical professional liability (MPL) and hospital professional liability (HPL) coverage as an alternative or supplement to using commercial carriers.

From November 27th to 29th, the 26th annual Cayman Captive Forum was held in Grand Cayman.  Over 1,400 specialists including captive directors, CFOs, CROs, service providers and captive managers from around the world met to discuss the issues most pressing to the captive insurance industry.  One of the key topics discussed was the apparent evolution from what started out as “HIPAA compliance risk” to “cybersecurity risk” to “patient safety risk” and now “medical professional liability risk”.

Clearwater’s Value-Add to the Event

Clearwater attended as thought leaders and subject matter experts. Bob Chaput, Clearwater Founder and Executive Chairman, moderated a panel discussion entitled “How Captives Can Develop Cyber Strategies by Using MPL Lessons Learned”. Rebecca Cady, Vice President and Chief Risk Officer at Children’s National, and Charles Kolodkin, Executive Director, Risk & Insurance at Cleveland Clinic, were the panelists. The key lessons learned that were discussed fell under these general topics:

  1. Demand to know and understand what the exposures are
  2. Work with operational leadership and board
  3. Fund smaller levels of risk (modest retentions): Learning Curve
  4. Hone ability to manage and be transparent about the event
  5. Hone ability to manage the claim
  6. Create grant programs
  7. Gain access to actual risk bearers
  8. Leverage risk management work to reduce commercial rates

For each topic, practical, actionable steps for applying MPL lessons to cyber risk were presented.  A copy of the background slides used to facilitate the discussion is available from Clearwater.

Cyber Risks and MPL Risks Are Converging

The three elements of a medical professional liability lawsuit also known as a medical malpractice lawsuit are:

1) A deviation from or failure to follow a standard of care

2) Harm or loss to the patient

3) Proof that the failure to follow a standard of care resulted in the harm or loss.

Failure to follow a standard of care often results from a lack of good process, a lack of training, or a failure to implement certain controls. These failures represent exposures and risks.

As the result of a tsunami of digitization of healthcare data (forget terabytes, count petabytes and exabytes of data) AND the deployment of billions of biomedical devices, a huge, ongoing challenge in healthcare organizations is that they have not identified and prioritized all their cyber exposures. Failure to identify and understand one’s exposures is a major inherent risk in and of itself. How is one to undertake sound risk management without understanding one’s exposures? How can one make informed “accept, avoid, mitigate or transfer” decisions without a prioritized risk register? Among other lessons learned from MPL that the panel underscored is the criticality of identifying and understanding one’s cyber exposures just as healthcare organizations completed extensive risk analysis work in their clinical settings to better manage medical malpractice risks.

Cyber Risk Can Become MPL Risk

The three critical causes of cyber loss or harm emanate from the compromise of:

  1. Confidentiality – consider a medical identity theft resulting in a provider believing wrongly that a patient has received a certain medication or procedure and fails to provide needed care; the result could be patient injury.
  2. Integrity – consider a hacker changing a patient’s blood type in an EHR system and the patient needs a transfusion in surgery; the result could be death.
  3. Availability – as has already happened, consider a ransomware attack that takes down a hospital’s networking and computing infrastructure so that a critical surgery cannot be performed; the patient may sustain further injury or die.

As an example, consider the hacker changing a patient’s blood type, ultimately resulting in death.  An argument could be made that there was a failure to follow an appropriate standard of care (for example, a failure to implement controls that would detect or prevent unauthorized changes to the record).  There was clearly harm. And the harm clearly occurred as the result of the compromise of the integrity of the blood type. All three elements of a malpractice claim are present.

How to Understand Your Cyber Risks and New MPL Exposures

What is your organization’s standard of care when it comes to cybersecurity?  As with any risk management opportunity, the journey begins by understanding all your exposures. That is, what are all the possible ways in which there can be a compromise of confidentiality, integrity or availability… which, in turn, may result in patient injury or death?

The only way to identify and understand all of one’s exposures is to conduct a comprehensive, enterprise-wide risk analysis. Doing so is not only a foundational step for optimizing risk management decisions; for healthcare organizations, it is required by the HIPAA Security Rule. Judging by the Department of Health and Human Services’ Office for Civil Rights’ (OCR) enforcement actions, healthcare’s track record in completing risk analyses is poor: OCR data shows that 9 out of 10 healthcare organizations are not performing comprehensive, enterprise-wide risk analyses.

Consider Clearwater the Healthcare Industry Leader in Enterprise Cyber Risk Management

Cyber and privacy risks are bleeding over into patient safety and MPL risks.  As we’ve discussed, many lessons have emerged from the management of MPL risk over the last several decades.  Understanding your unique exposures starts with a comprehensive, enterprise-wide risk analysis. Clearwater has earned the confidence and trust of many of the country’s largest health systems, has supported numerous organizations through OCR enforcement actions with successful outcomes, has been designated Best in KLAS for cybersecurity advisory services for 2018, and was rated highest in Compliance and Risk Management Solutions in Black Book Market Research LLC’s annual poll of cybersecurity products, services, outsourcing and consulting clients.

For additional information about Clearwater’s work with industry leaders on the convergence of cyber risks and MPL risks, you may wish to consider these additional materials:

Recent interview:

  1. UI Health’s Michelle Johns and Clearwater’s Bob Chaput Discuss Insurance Captives: Innovation & Cost Savings for Providers

Previously recorded interviews:

  1. Cleveland Clinic’s Charles Kolodkin and Clearwater’s Bob Chaput Share Crucial Steps in Developing a Hospital Cyber Risk Management Strategy
  2. National Children’s Rebecca Cady and Clearwater’s Bob Chaput discuss Managing Cyber Risk through an Insurance Captive
  3. Banner Health’s Becky Havlisch and Bob Chaput on Nimble Cyber Risk Management

Recording of 2017 Cayman Captive Forum Panel:

  1. Cyber Risk, Patient Safety, and Captives
