LTC providers wrestle with data security nightmares

November 07, 2016 at 08:30 AM
Share & Print

CNA Financial is seeing more big long-term care facility liability insurance claims involving problems with health data security.

Analysts at the Chicago-based insurer talk about long-term care providers' cyber liability problems in the company's latest aging services claim report. The analysts based the report on a review of 2,617 large long-term care provider professional liability claims that closed between Jan. 1, 2011, and Dec. 31, 2015.

Screenwriters occasionally base movie plots on the idea of resourceful nursing home residents escaping from the homes and going on wild adventures.

In the new CNA report, analysts note that resident elopement continues to be a major risk both for the residents and for long-term care facility managers. For CNA, elopement has been the professional liability allegation with the highest severity. The average total paid is $325,561, in part because almost half of the elopment claims paid involved the death of the resident who escaped.

In one case, for example, a 77-year-old woman with dementia escaped from an assisted living facility. She drowned in a pond on the facility's property.

For the long-term care facility managers, data security is another growing, frustrating source of liability exposure.

Federal regulators are pushing the facilities to put more data in standardized electronic health record systems, and, at the same time, imposing stiff penalties and notification requirements on facilities that violate tough new data security requirements.

The CNA analysts found that cyber claims accounted for 206 of the 2,617 large, closed CNA liability claims they reviewed.

About 64 percent of the claims involved the loss or theft of devices or data, unauthorized system access, or accidental loss of data and documents.

Just 17 percent of the claims involved ordinary hacking, efforts by hackers to "phish" login information from facility personnel, or successful efforts by hackers to encrypt facility data and demand that the facilities pay ransom money to regain access to the data.

But the average hacking claim payout was over $500,000, in part because a single hacking claim led to a $10 million payout.

The analysts recommend that a long-term care facility choose reputable information technology systems and vendors, conduct thorough information technology vendor risk assessments, require all employees to complete a cyber security awareness educational program each year, and require full-disk encryption of resident electronic health records.

Related:

Have you followed us on Facebook?

NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.

Related Stories

Resource Center