Messageboard

Unhappy Camper (Vol. 1, Issue 16)

I was perusing through one of my favorite professional journals, Medical Economics, this week when my eyes caught sight of the ad on the last page for The Doctors Company.  Therein, they proudly announce that they are the first medical malpractice insurance company to offer cyber liability protection as part of their core coverage.  See: http://www.thedoctors.com/WhyChooseUs/Coverages/CyberGuard/index.htm for more details.

This is not some minor perk—this is a major upgrade.  Medical cyber liability is the fasting growing threat to physicians in the realm of medical liability.  Until this ad came out I was unaware that physicians could buy cyber-breach liability coverage through any insurance provider, whether malpractice or general liability companies.  I have long bemoaned on the site about the desperate need we have for breach liability protection, preferably legislative, but if not, at least some form of insurance to protect us from this very real risk .  See:  http://www.docehrtalk.org/messageboard/2010/07/30/hie-and-data-security-... . This cyber-breach liability coverage offered through The Doctors Company makes eminent sense coming from a medical malpractice insurance liability carrier, one of the biggest such players in the nationwide market, alas unfortunately, not here in Rhode Island.

As a malpractice carrier owned by physicians, The Doctors Company has listened to the concerns of their insured members, and is likely able to manage the issues involved. Moreover, they give real support to their insured physicians by presenting access to cyber breach risk reduction tools. I called up the company in an attempt to get access to this suite of tools¬—but they’re considered proprietary and so I was denied permission.

Representatives at The Doctors Company were otherwise helpful though, and hinted that at least one malpractice carrier for Rhode Island docs will be launching something similar to CyberGuard next year.  If not, they also clued me into NAS, which offers a standalone e-MD product that provides higher limit cyber breach protection policies, albeit somewhat pricey at $1500 per physician.  See: http://www.nasinsurance.com/index.php?stage=categories&mode=displayCateg...

Here in Rhode Island we seem to have been asleep at the wheel in formulating any coherent cyber risk reduction or analysis program.  Such programs are mandated under HITECH for each medical practice and health agency that uses EHR.  Lifespan has one called IS-209 that seems unique to them, but it has not been updated apparently since 2006 — an eternity in the computer world.  I have previously posted a draft list of EHR Security Best Practices at this site but got only one additional comment, so I've reposted an updated version as an attachment .doc file here.  Again, I ask readers to look it over and add, revise, or comment on what we need to be doing.  A coherent breach security policy for EHR users should be one of the primary tasks of an organization such as RIQI and its subsidiary RI Regional Extension Center.

We also need to be asking our malpractice carriers that serve Rhode Island to match what The Doctors Company is providing to their members — real leadership in physician liability concerns and keeping up with the times by issuing innovative coverage enhancements such as CyberGuard.

Attachment: 

EMR IT Security Best Practices DRAFT 2 11-2010.doc