We have cyber insurance, isn't that enough?
David Monroe
4/17/2026, 3 min read


Why Is Having Cyber Insurance Important?
In today's digital age, dental offices rely on technology more than ever before: patient scheduling, digital x-rays, insurance claims, and patient records all depend on secure computer systems. That dependence brings risk, and cyber insurance has become an essential component for safeguarding your practice against the financial impact of a cyber incident such as ransomware, data theft, or system outages.
A comprehensive cyber insurance policy can provide coverage for expenses related to the engagement of IT forensics experts and legal support, the payment of regulatory fines or patient notification costs, lost revenue during downtime, and the restoration of damaged systems. While it is a valuable safety net, it only provides benefits after an attack, not before.
The Gaps That Insurance Doesn’t Fill
Cyber insurance does not prevent attacks, and it does not guarantee that all losses will be covered. Most policies have requirements and limitations. If an insurer determines that a clinic does not meet these requirements, it may refuse to pay, and an incident can also cost more than the policy limits. Here are a few examples of insurance gaps:
It does not stop cyber threats. Insurance is a reactive measure, not a preventative one. It is not designed to detect phishing emails, prevent malware from entering your network, or train your staff to recognize scams.
Coverage may be denied if your security controls are found to be inadequate. Failing to follow certain security practices, such as conducting regular awareness training, using multi-factor authentication (MFA), and backing up data regularly, could result in an insurer's refusal to honor a claim.
It does not guarantee your reputation or the trust of your patients. While financial losses may be covered, the damage to your reputation and to patient confidence can persist.
Downtime can still have a significant negative impact on business operations and revenue. While insurance may cover lost revenue, it cannot fix crashed systems or restore years of digital records.
What Cyber Insurers Expect You to Have
To qualify for coverage and maintain competitive premiums, most insurers now require basic cybersecurity controls. Some common examples include:
Multi-Factor Authentication (MFA): Users must provide more than one authentication factor to access their accounts. An additional verification method is required before you can access your business systems, similar to the way a bank texts a code to your phone.
Data Backups: Maintain regular, encrypted, and tested backups, stored either offline or in secure cloud environments.
Endpoint Protection and Email Filtering: Threat detection tools must be installed on all company computers and servers.
Security Awareness Training: This reduces the risk of phishing attacks and human errors, which are the most common vulnerabilities exploited by hackers.
Patch Management: Software and operating systems must be updated regularly to address known vulnerabilities.
Incident Response Plan: A clearly defined, proven process for responding to an attack.
Building a Complete Cybersecurity Program
To ensure comprehensive protection, dental clinics should integrate cyber insurance with a proactive cybersecurity program, much as they combine professional liability coverage with proper clinical procedures.
Risk Assessment: Identify your critical systems (EHR, imaging, billing) and evaluate how data is stored, accessed, and shared.
Employee Training: Ensure that staff members are trained to identify phishing attempts and to handle patient information in a secure manner.
Access Control: Limit system access strictly to those who require it for work-related purposes. Use unique logins and robust passwords.
Data Encryption: Keep patient and financial data confidential, both during storage and when transmitted.
Secure Backups: Ensure that backups are secured. Maintain off-site backups to ensure the rapid restoration of data in the event of a system breach.
Incident Response Drills: Just as an emergency evacuation plan is essential, so is practicing what to do if a cyber incident occurs.
Vendor Management: Ensure that your practice management and imaging software vendors and your cloud providers adhere to privacy and cybersecurity standards.
The Takeaway
Cyber insurance is an essential risk mitigation tool for dental offices, providing a financial safety net in the event of a data breach. However, it does not guarantee the protection of your patients' data, maintain your reputation, or ensure the continuity of your practice during a cyberattack.
Think of infection control in dentistry, where gloves, masks, sterilizers, and protocols are used together to ensure safety and prevent the spread of infection. Cyber insurance is comparable to professional insurance: it provides protection in the event of a crisis. You still need to maintain the fundamentals of risk management to prevent infections in the first place.
By integrating cyber insurance with a comprehensive cybersecurity program, your dental clinic can safeguard your patients' data and maintain a positive reputation.
