The increase in cybercrime affecting the healthcare industry in South Africa is contributing to private practices turning to cyber-liability insurance to protect themselves from data breaches and ransomware.
It pays for insurance brokers to assist clients with a cyber-liability policy, say Indwe Risk Services and MC de Villiers Brokers.
Cybercrime is on the rise in South Africa, with hackers often seeking out the health and banking data of medical practices.
"As hackers accelerate their attack, healthcare practices will need to improve their data security, especially now that many employees are working from home. They will also need to rethink their cyber-liability," the companies advise.
While cyber-liability is covered by most malpractice insurance policies, it is usually limited and contains exceptions. It is, therefore, a good idea to go for a comprehensive cyber-liability policy that covers hiring information technology experts to fix any data breach, paying a ransom to free hijacked data, compensation for loss of income from downtime or patients leaving the practice, hiring a public relations firm to handle bad publicity and hiring attorneys to deal with lawsuits filed by patients, as well as any damages awarded.
"The cost of a policy would depend on the size of the business, with an entry-level figure being around R2 000. Cyber-insurance may seem like an unnecessary extra expense, especially as doctors already pay such high indemnity fees, but not having it in place is simply not worth the risk," the companies say.
The more data is exchanged between practices, medical aids, hospitals and laboratories, the more vulnerable it becomes to cyber-attacks, they warn.
"Practices need to realise that even if they are not directly targeted, they can still be liable for data lost by a vendor or third party.
"Doctors should aim to work together with third parties like laboratories and hospitals to keep their patients’ data secure. It’s a shared responsibility; everyone involved has a duty to keep it safe," the insurance companies note.
"Cyber-criminals love targeting healthcare organisations because their databases contain patient names, birth dates, addresses, identity numbers, banking details and medical aid information. Often, smaller practices do not encrypt their patients’ information and, even if a laptop is stolen, it is a potential data breach.
"Other practices are under the false impression that data storage is the responsibility of their electronic health record (EHR) systems provider, so they’re not liable if anything goes missing or gets hacked. This is simply not true," the companies emphasise.
A smaller practice is not at lower risk of being targeted for hacking. Larger practices face greater risks and greater costs for cyber-liability policies, but smaller practices are often more vulnerable because they are mainly focused on treating patients, not on ensuring they have the latest security measures in place, they add.
"The need to invest in cyber-liability cover is made more urgent by the Protection of Personal Information Act, which will be enacted from July 1. This law will bring South Africa up to date with other privacy legislation, such as Europe’s General Data Protection Regulation.
"Both emphasise the need to protect personal client data from loss, damage or unlawful access. The onus is on healthcare practices to implement reasonable technical and organisational measures to ensure the protection of their patients’ details.
"This involves identifying all internal and external risks, establishing the necessary safeguards and frequently updating them as new risks emerge," the companies say.