Transcript

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 542: Cybersecurity Insurance for Your Practice. What to Know.

 

Liath Dalton 

Yes, this is a big topic, because it comes up so frequently in our office hours, in consultations, in emails we receive. And that question is, do mental health practices actually need cybersecurity insurance?

 

Evan Dumas 

Yeah, yeah.

 

Liath Dalton 

And if so, what does it really cover? That’s the clincher there. So the short answer is really straightforward. It’s that cybersecurity insurance is not required by HIPAA, but it’s become a very smart layer of protection, especially as cyber incidents increase across the healthcare sector in particular. Now, of course, insurance doesn’t prevent incidents. It doesn’t replace compliance, but it is an important component of risk management, because it helps limit financial and operational fallout when something does go wrong. And we also have to know that things will go wrong even in an otherwise well secured practice, like something we talk about with HIPAA all the time.

 

Evan Dumas 

Yeah, yeah. But speaking to that required aspect, you may find it’s required by the insurance companies you’re paneled with. We’re hearing more reports of if you join a panel, they have a requirement for you as someone who bills them, etc, gets paid by them, having cybersecurity insurance at varying amounts of coverage value. So check with them and know that that may be a component of just requirement.

 

Liath Dalton 

Yeah, and I think that increasing appearance of that requirement is one of the things that has precipitated why PCT has been getting this question more frequently. And just in terms of like risk landscape, and why the insurers are asking for it, I think it’s particularly predominant with group practices and with telehealth only, so online practices, because that does mean more cybersecurity risk, want to see that there are protections and safeguards in place there.

 

Liath Dalton 

So essentially, cyber insurance really is functioning just as a safety net, though, work around and emphasize that it pairs with your HIPAA security, compliance processes and safeguards. It’s not a substitute for them.

 

Evan Dumas 

No.

 

Liath Dalton 

And this is something Evan, as our resident risk analysis expert, and the person who goes through risk mitigation plans with folks, will be speaking more in depth to this, is really important to be mindful of when you’re considering cybersecurity insurance and how to incorporate it into your overall practice risk management sort of approach.

 

Evan Dumas 

Yeah, because cybersecurity insurance, it’s a safety net, but if you want to file any claims with it, you already need to have documentation of a secure practice, because they’ll say, okay, so these bad things happened. What did you do to prevent them? And if you say, I don’t know, nothing, they’ll say, well, that’s on you, that is your fault. But if you’ve already done your due diligence and mitigated your risks by having, like, multifactor authentication on strong passwords, you know, updated systems, things like that. Then you can say, hey, I did my due diligence, this still, things still happened, and now I would like help with coverage and the costs. And they’ll say, great, yeah, totally, you did your thing, and that’s exactly what cyber insurance is for. So think of this as like an add on, not a replacement for a secure practice.

 

Liath Dalton 

Absolutely. So, as we already alluded to, in terms of why it matters, why you might actually find yourself utilizing it, or how, there’s this component of risk exposure that, we would use that phrase to describe the current context, because cyber incidents affecting small healthcare entities, including mental health practices, are rising. And even when practices have implemented the strong safeguards like Evan was just describing, events like vendor breaches, email compromise, ransomware, lost devices can still occur, right? Things happen.

 

Evan Dumas 

Mhm, yeah.

 

Liath Dalton 

And insurance is meant to help with the impact of those events, not the prevention. So just to put that in a nice little snippet, it reduces the cost and chaos. And then what HIPAA Security Compliance practices address is reducing the risk and likelihood that you’re going to need to use that insurance, while also having you positioned to be able to make use of that policy that you obtain.

 

Evan Dumas 

Mhm, mhm, right.

 

Liath Dalton 

So now, how does this apply to solo versus group practice? Because, technically speaking, unless, as Evan said, you are paneled with an insurer that requires that you have cyber insurance, it is technically optional, because it’s not a requirement under HIPAA security compliance regulations or under your licensure, right?

 

Liath Dalton 

So then it’s worth considering what your risk exposure is based on factors like your client volume. What is your actual workflow for handling client information? How tech reliant is that, and for the reality is, for most practices, it’s extremely tech reliant, right?

 

Evan Dumas 

Oh, yeah.

 

Liath Dalton 

So that’s where the exposure comes in, your tolerance for business interruption. And then a big factor is also whether you’re remote. And telehealth, a telehealth only based practice, hybrid or in person.

 

Liath Dalton 

So when it comes to solo practitioners, it is often the case that a simple rider on your business liability policy will be sufficient for solo practitioners with low risk and strong security practices. It may not be essential for those who are really highly tech dependent, and we know that’s a lot of you or who simply just want the peace of mind, it can be a smart move.

 

Liath Dalton 

We I would, I would say the PCT stance is, because our approach is manage what risks you can and control the things that you can, and this is,  and also obtain peace of mind where you can.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And where that will free up just emotional and cognitive bandwidth when you reduce worry. And I find personally that having really great insurance for all the things that I can have insurance for, both personally and professionally, reduces my worry.

 

Evan Dumas 

Right.

 

Liath Dalton 

So the peace of mind alone can be valuable, even if you ever, never have need to utilize the policy,

 

Evan Dumas 

Mhm, yeah.

 

Liath Dalton 

What about group practices, Evan?

 

Evan Dumas 

That’s where you need it. That’s where you know your responsibility, that you know, I do risk assessments with those solo folks and group folks, and your responsibility as a group practice is way greater. There’s a lot more moving pieces, as in people. There’s a lot more services shared, there’s a lot more moving parts. And so that is really where you want just a much bigger safety net. And we really recommend it.

 

Liath Dalton 

Exactly. Because you’ve got more exposure. So having a policy in the event that you need to utilize it is going to help buffer operational disruption, meet legal requirements, help with recovery needs, and usually the cost is typically modest relative to the size and scale of the risk that you have, which is good. So in both practice contexts, solo and group, we are recommending it. But I would say for any group that we’re working with, we would say it really is essential and needs to be factored in.

 

Evan Dumas 

Yeah. I mean, it’s support when you need it. Say the worst thing happens and you end up being sued for data breach or using some services that are untrustworthy, whatnot you want, or service interruption, even. You want support and you want to be able to be like, Okay, sweet, I’ve been paying into this. I can actually have someone help me cover these costs.

 

Liath Dalton 

Mhm. Exactly.

 

Liath Dalton 

So let’s now that we’ve said all the reasons why you should have it. Let’s talk a little bit about how it relates to your full compliance program. Because cyber insurance is not a compliance shortcut, and the companies increasingly require baseline security controls to be in place before they will approve or pay for a claim.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And what are some common claim denial reasons that we are aware of, Evan?

 

Evan Dumas 

Oh yeah, yeah, I briefly mentioned those earlier, like not having two factor or multi factor authentication turned on, not having encrypted devices or devices in Safe Harbor, even not doing a risk analysis. We saw that brought up a long time ago, which is why we developed ours, and also not having any of this stuff written down in policies or procedures, because, you know, documentation or it wasn’t done. So if you can’t demonstrate that you’ve done any of these things, then they can’t just take your word for it. They’re like, no, please, please. Have some policies to say you’ve updated things, and things are encrypted.

 

Liath Dalton 

Right. And that you have ongoing, you know, security activity logs that show that you’re doing the things that your security policies and procedures say you are doing. And that’s also one of the reasons why the PCT materials include all of those security activity logs and documentation pieces, so that the implementation and maintenance of the implementation is both occurring and documented. That’s what they want to see.

 

Liath Dalton 

So the takeaway for that is really that the insurance only works when your baseline security is both real and documented, and the insurance is a companion tool to your risk mitigation plan, but not a replacement for it, like you don’t do a risk analysis. See, you have a high number of risks that require mitigation, and then say, I’m just going to get insurance right?

 

Liath Dalton 

Okay, so question, the next sort of set of questions that we get related to cyber insurance are like, what do I need in the policy? Is this a good policy or not? And the reality is that the policies can vary dramatically.

 

Evan Dumas 

Exactly.

 

Liath Dalton 

It’s not standardized whatsoever.

 

Evan Dumas 

Nope.

 

Liath Dalton 

So different policies, even different tiers within the same carrier, can offer wildly different coverage. And so we’re not going to tell you what you specifically need for your practice, because that’s going to vary as well. What we’re going to kind of go over are the six major areas where policies differ. But Evan, you, before I dive into this, you have really good guidance that I know you give folks and that I appreciate about how to approach determining whether the policy contents meet their needs and understanding of the what those policy contents actually mean in like, practical application, right?

 

Evan Dumas 

Yeah. Talk to your agent. Like, you know you’re listening to us talk right now, but this is not a, not a dialog. This is a monolog. But if you can get your agent on the line saying, Listen, you recommend this, what does it actually do? How do people actually use it? How is it going to help me as a mental health professional? And they can give it to you in plain English, and if they can’t, find another agent. It’s kind of their job to help you understand these things and not like, beat you over the head with fancy terms and say, oh no, it’s all in the policy documents, you can read those. I’ve read things like that, and it makes my eyes glaze over. So get them on the line, talk to them and see exactly what’s covered. Because yes, you want in writing, and you’ll get it in writing, but you want it explained, and you want to know how you’re going to benefit from it.

 

Liath Dalton 

Right. And I love that tip, Evan of asking them to describe how you would actually use that in your practice.

 

Evan Dumas 

Mhm, yeah, yeah. Applicability is huge.

 

Liath Dalton 

And what, okay, what circumstances might I encounter where I would be able to use this, where this would actually be of benefit, because we don’t want it to just be sort of performative or not, I mean, it’s not even performative. It’s like, if you have a policy that has, you know, high coverage numbers on the headline, but then all of these carve outs where you wouldn’t actually be able to use it, or there would never be a circumstance that applies to your practice, then that’s a waste. And can, if you don’t know that there are these carve outs, or these, all these things that would make it not really applicable to be able to utilize the policy, then that can provide a false sense of security as well.

 

Evan Dumas 

Yeah, definitely. Yeah. You don’t want to just looking good. You want to know actually, how are you going to benefit from it?

 

Liath Dalton 

Yes. And again, that talking to an agent is a great way to get that. And I know it can be increasingly difficult to speak to a real person. But, on a sort of like more on the basis of principle and also how we can combat some of the takeover of everything just being conducted electronically and not having the ability to speak to another person when obtaining a crucial service, selecting an insurer where you can speak to someone, giving them your hard earned money for the policy is a way to tell with that right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

Vote with our dollars.

 

Liath Dalton 

So I’ll just kind of go over the six major areas where policies really differ, so that you know the kind of basic categories to be thinking of when you are having that conversation with an agent.

 

Liath Dalton 

So first of all, types of incidents covered. Coverage can include things like ransomware attacks, email compromise incidents caused by vendors, meaning your third party service providers, lost or stolen devices, insider errors or insider wrongdoing. So that would mean like workforce, if we’re talking about a group practice context, accidental PHI disclosure, social engineering and phishing attacks, regulatory investigations and legal defense. So these are coverages that can be included but aren’t necessarily. So we want to, you want to see if they are, and think about the ones that are most important to be covered when you’re evaluating a policy. So it’s also really, really important to note that lower cost policies often exclude the most common health care incidents.

 

Liath Dalton 

This is where I’m going back to talking about the carve outs. I’ll say, for PCTs, professional liability insurance for our consulting services, we had to get a whole separate policy and rider, because typically the general professional liability insurance for consultants excludes anything related to HIPAA and healthcare. You can buy the policy to be like, oh, great, we’re covered. And then had we not done our due diligence in vetting the policy, would have seen that it absolutely wouldn’t meet our needs because of the content of what we’re doing. So analogous to make sure that the policy you’re getting doesn’t have carve outs that basically would render the policy, you know, null and void or ineffective for your practice.

 

Liath Dalton 

Another big area of variation relates to vendor breaches. So your service provider breaches?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And it’s really important to consider, because in the vast majority of therapy practices, almost all of your PHI, if not all of your PHI, meaning the Protected Health Info, the client info that you’re responsible for safeguarding, lives inside third party provided services like your EHR. So policies really differ in whether they fully cover vendor caused breaches, or cover only if the vendor refuses to indemnify, or exclude vendor cause breaches entirely. So you want to just know how what the specifics are and how that would apply to your utilization, and then compare that with you know what the vendors themselves provide too.

 

Liath Dalton 

Another area of variation is breach response support, because policies can include or exclude the practical support pieces like legal assistance, forensic IT support, notification services, credit monitoring for affected clients, public relations or crisis communications and hands on incident response teams. So some policies will provide a coordinated response team, others will only reimburse after the practice manages the crisis alone. So this distinction really dramatically changes the tangible value of the policy. So you want to be aware of what the details are there.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Another big one are coverage limits and sub-limits, because the headline limits can be really misleading. Because a policy can state something like coverage up to $250,000.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

But, but, the sub-limits can tell a really different story, like $10,000 limit for ransomware, $25,000 for business interruption, zero for social engineering without an add on. So the sub-limits are really what often are going to determine whether a policy actually helps you during a real event. So check those out.

 

Liath Dalton 

And then we’ve got two more main areas to look at. One is first party versus third party coverage as that’s another area of variation, right? So Evan, what does first party coverage include?

 

Evan Dumas 

Yeah, so that’s your that’s coverage for you. You are the first party. So your costs, downtime, recovery needs, your legal expenses, anything you incur.

 

Liath Dalton 

Right and third party coverage is not that.

 

Evan Dumas 

No.

 

Liath Dalton 

But it impacts you.

 

Evan Dumas 

It does.

 

Liath Dalton 

So you hear about it. So what is third party coverage?

 

Evan Dumas 

Yeah, yeah, those are claims made against you by other people, say, your customers, your clients, any partners, any regulators, pretty much anybody else who makes claims against you. Those are third parties. And so you want coverage for that, and so you can get a great policy, and you realize, oh, this is all of our third party coverage. This isn’t for anything first party. And that’s a terrible carve out to witness in a time of need, right?

 

Liath Dalton 

And vice versa as well. So not all policies include both, and a lot of folks will assume that they do, but you don’t want to make that assumption. So check the first party and third party coverage and know what each means.

 

Liath Dalton 

And then this is a huge one, right? What are the required safeguards and eligibility conditions?

 

Evan Dumas 

Yep, yeah, yeah. And it’s so funny because they’ll sell you a policy, and not say, hey, do you have all these things met ahead of time? They’ll just say, oh, yeah, we’ll sell it to you, and you better have these things met, because you may unfortunately miss something. And when it comes time to file a claim, they’ll be like, sorry, you aren’t eligible, even though we sold it to you.

 

Liath Dalton 

Exactly, exactly. So Evan already kind of went over the safeguards, but we’ll just repeat them super quickly, because they bear repeating, because they include the things that we are talking about all the time. And I’m hoping that part of the takeaway from this might also be an understanding of why we talk about the things we do as much as we do.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So, of course, multi-factor authentication, device encryption, a documented risk analysis, written and implemented policies and procedures. And if these safeguards and documentation components are missing, the insurer may deny coverage even if the policy is active.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So basically, your cyber insurance is only going to pay out when you can demonstrate the underlying security practices that are required are actually implemented.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

How to choose wisely before selecting a policy? It’s really worth evaluating whether vendor breaches are covered, the strength of the breach response support requirements to maintain eligibility, whether the sub-limits meaningfully address your actual risks, and whether both first and third party claims are included. Do not choose based on price alone, or the headline coverage number. Choose based on the real and operational relevance.

 

Evan Dumas 

Yeah, yeah. You know, if you’re spending $5 on a little trinket or a mug or like something for your office, that is maybe sub 50 bucks, you don’t have to do a ton of research. You can be like, you know, my gut says this is cool. That’s great. Do not follow your gut when it comes to buying cybersecurity. There’s a, this is going to be an ongoing cost, and this is going to be the literal safety net beneath you when something happens. So make sure that net is well inspected.

 

Liath Dalton 

Yes, and as we’ve been talking about throughout this conversation, the risk analysis is a really important component of under being able to understand, based on your risks, what the cyber insurance coverage is going to be meaningful for or not and where it is most needed.

 

Liath Dalton 

Yeah.

 

Liath Dalton 

Right? So a risk based approach really helps you determine what level of insurance makes sense for your specific practice, and that requires understanding your actual risk surface. So Evan, how do you help folks with that? In case they haven’t heard before?

 

Evan Dumas 

Yeah, so if you haven’t done a risk analysis with me, it’s great. All you need is a nice cup of tea or cup of coffee. And you know, if you have policies, to have read them ahead of time, but most folks don’t, so you’re in the you’re in a good place. So it helps you by one taking a look at everything, both from a HIPAA lens and from a PCT lens, because there’s quite a few little security mishaps that HIPAA hasn’t caught up to, or maybe they’ve wanted to, but those laws haven’t been passed.

 

Evan Dumas 

So we take a look at all your risks. We say which ones do and don’t even apply to you. Which is nice, because why bother mitigating something that will never even happen? And then say, Are you doing something about it? Are you not doing something? Do you not know, if this is the first time you’re hearing about it? And so you can then show what you found, and then the mitigation plan at the end is a, what are you going to do about it? Are you going to accept the risk? Are you going to actually mitigate the risk and how, and mark your work? Because this is a it’s a real long process. It creates, like, a year long to do list of things, but we want you to pace those out, of course.

 

Liath Dalton 

If we say you’re, I have to interject here.

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

A year long to do list, because there is no expectation that risks be, as soon as they are identified, that they be instantly mitigated.

 

Evan Dumas 

Oh no.

 

Liath Dalton 

And we want the changes that you make through the process of mitigation to be supportive rather than disruptive, to your practice overall.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And for you to maintain your sanity. So doing things incrementally and in bite size chunks is the way. It’s the key to success, success and sanity, and that’s how we approach things when it comes to supporting practices through the mitigation plan. And it’s all like prioritized as well. So we start with the highest impact pieces or low hanging fruit first, and then just take it a step at a time.

 

Evan Dumas 

Yeah, yeah.

 

Evan Dumas 

And I, I’ve been telling folks that a lot of this mitigation, some of it, are things you just do once and you document, but a lot of the rest of it is like flossing, where you’ll get recommendation to do it regularly, because it’s, it’s maintenance, it’s, it’s ongoing. You can’t just say, Yeah, I flossed once. I’m great till the next doctor’s appointment. Like, no, no, this is a, it’s a regular thing.

 

Liath Dalton 

I’m laughing now, because I’m just picturing you as like the dentist, right? Going in, the risk analysis is the teeth cleaning and –

 

Evan Dumas 

Oof, it’s not that painful.

 

Liath Dalton 

No like, that’s a terrible, terrible analogy, because it’s the opposite of that. Folks will often approach it with anxiety and concern and then leave feeling reassured and prepared and equipped, which is a wonderful takeaway, and I appreciate so much how you steward all of that.

 

Evan Dumas 

Oh yeah, yeah, I don’t like being people being stressed, like I’m a former clinician, and so it’s it stuck around with me. I try to be ethical in all my tasks.

 

Liath Dalton 

Absolutely.

 

Liath Dalton 

Well, we hope that you found this helpful, and check out the show notes, because I’ll put a document in there with the overview of the six main areas to consider and a couple of the key takeaways as well, so that you have something that you can reference when you’re having conversations with your agents.

 

Evan Dumas 

Mhm, yeah.

 

Liath Dalton 

Or agent singular. All right, folks, thanks so much for joining us. We hope you found this helpful, and we’ll talk to you next week.

 

Evan Dumas 

Yeah, talk to me next week. Everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.

Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we answer a frequently asked question: whether therapy practices actually need cybersecurity insurance.

We discuss:

  • The benefits and considerations of obtaining a cybersecurity insurance policy
  • PCT’s stance on cybersecurity insurance for solo and group practices
  • How cyber insurance relates to your full HIPAA compliance program
  • Common reasons for claim denials
  • The six major areas where cyber policies differ, and how to choose your policy
  • How a PCT risk analysis can help you determine what level of insurance makes sense for your practice

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

PCT Resources:

  • Handout: Cybersecurity Insurance for Your Practice — What to Consider (and How to Talk With Your Agent)
    • This episode’s companion handout breaks down the six key areas to evaluate when reviewing or selecting a cybersecurity insurance policy for your mental health practice.
  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health practice, and a prioritized mitigation checklist to help you reduce your risks. (**Currently on sale!!**)
  • PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
    • For Group Practices
    • For Solo Practitioners
      • Comprehensive HIPAA Security Policies & Procedures
      • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
      • Device & Workspace Security Suites
      • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
      • Includes the Risk Analysis & Risk Mitigation Planning service + tool
      • HIPAA Security & Privacy Ethics training
