In the first part of our “Danger from the Internet” series, you read how criminals can attack your practice with so-called ransomware attacks, encrypt IT systems and blackmail you with ransom demands if you have not taken appropriate precautions. In this episode, you will find out how you can protect yourself against losses with special cyber insurance.
Let’s get straight to the point: If you want to be on the safe side and protect yourself comprehensively against any damage caused by cyber attacks, ransomware and the theft of sensitive data, you need more than just public liability insurance. This is because these forms of cybercrime are not covered by the standard cyber protection sections.
Although standard business liability insurance covers minor aspects such as liability cases in the event of data protection breaches, “when it comes to financially covering a hacker attack combined with business interruption and cyber extortion, reputational measures and crisis management, you need special cyber insurance,” explains Peter Wirthner, financial advisor at the Swiss insurance company Baloise. Cyber insurance offers tailor-made cover in this respect.
Particularly sensitive data
Unlike a painting company or a bakery, for example, medical practices store highly sensitive data that is subject to confidentiality and medical secrecy. This data is therefore particularly worthy of protection. However, doctors are neither IT nor insurance specialists. So what exactly should practice owners look out for?
“Taking out insurance is always at the end of the process and is the last step,” says the expert. Before that, the first step is to maximize IT protection on site in order to minimize the likelihood of a hacker attack. Reputable providers therefore come to the practice, hold preliminary talks, identify weak points and try to rectify them. This not only involves working with the practice owner and their team, but usually also with their IT service provider. The consultation alone therefore creates added value for the medical practitioner. The practice does not necessarily have to have an IT service provider who has special expertise in this area. Many insurance companies also offer their own support and a 24-hour assistance service here, if desired.
The cost of cyber insurance depends on several factors, including the practice owner’s deductible. The higher the deductible, the lower the premium to be paid. The size of the practice and number of employees are also decisive, as are the active preventive measures in the practice: it makes a difference to the insurer whether data backups are created monthly, weekly or daily.
medizinonline series “Danger from the Internet”: The “Danger from the Internet” series presents, in 3 parts, the threats and possible consequences of cyber attacks as well as preventive measures against them. In the next issue of this publication, you can read in the third part what you may face legally if your own IT system has been hacked: Should you pay ransom demands or not? Who needs to be informed if sensitive data has been stolen?
“People no longer break in through the door”
Claims usually range between CHF 10,000 and CHF 50,000, explains Peter Wirthner. “The biggest factor is the loss of operating income if the company can no longer work because the practice IT is blocked.” There are also additional costs, such as overtime, which are incurred when the lost work can and must be made up again. The restoration of the computers plus compensation for reputational damage are also significant cost items.
In Wirthner’s experience, ransomware is used from time to time. Small to medium-sized companies are blackmailed for an average of CHF 10,000 to CHF 20,000. Whether a payment makes sense always depends on the individual case. In any case, it should first be checked whether the stolen data can be restored via backups and how much effort is involved. “Nowadays, people no longer break in through the door,” explains the expert: “These are all professionals from India, Pakistan or Russia. They are business people. Where ransom money was demanded, it was usually smaller sums and the payments were made without any problems.”
Ransomware is currently still an issue that is covered by cyber insurance in Switzerland. In other countries, this topic is more sensitive: if you pay a ransom to a blackmailer from Russia within the European Union, for example, you make yourself liable to prosecution due to the existing sanctions. “But as a doctor in Switzerland, you don’t have to worry about this,” says Peter Wirthner.
10 important cyber insurance coverages
– Protection against data loss and cyber attacks in general
– Business interruption and loss of sales
– Reputation protection and crisis management
– Claims for damages by third parties (third-party damage)
– Notification of affected persons
– Costs for data protection violations/fines
– Ransom demands
– Costs for IT forensics/loss assessment
– Defense costs in a legal protection case
– Prevention and security advice on site
Compared to the risks that practice owners face, the insurance premiums are still moderate: A small to medium-sized business in Switzerland should expect to pay around CHF 1500 per year from a reputable provider, after adjusting for all factors. If the IT service provider has to set everything up again on site after a successful hacker attack, the premium has already paid for itself in terms of costs. In return, you receive all-round protection that comprehensively covers the costs incurred in the event of an incident (box).
HAUSARZT PRAXIS 2024; 19(11): 41 (published on 25.11.24, ahead of print)
InFo ONKOLOGIE & HÄMATOLOGIE 2024; 12(6): 39