Cyber insurance provides an opportunity to address residual risk in your information security program by offsetting the costs of a data breach of ePHI. However, individual policies, coverage and exclusions are highly variable, so just like any other security control, it's important to understand your security risk profile before an appropriate cyber insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why: A) You'll have to do it anyway, B) The safest approach is to avoid a breach in the first place, C) Your risk profile will enable a better tailored policy.
Third party Business Associates are now accounting for nearly 40% of data breaches of protected health information. This is an alarming uptick.
The HIPAA Security Rule now applies to Business Associates. Make sure your security testing extends to them as well.
Managing vendors and business partners is hard in any industry, but it can be even more daunting when the data is sensitive ePHI, you are trying to achieve EHR meaningful use, and there are penalties such as the HITECH Act's breach notification requirements.