4 lessons learned from the CrowdStrike outage

August 12, 2024   |   Healthcare Professional

The more your healthcare practice relies on technology, the more risks you incur. That’s the difficult lesson business owners learned on July 19, 2024, when the CrowdStrike outage took all systems down. The cybersecurity company’s coding error caused the catastrophe it was designed to prevent: a complete technology shutdown.

While many businesses incurred immense financial losses that day, a healthcare organization’s inability to provide patient care continues to inflict lasting damage.

“We’ve become so dependent on technology, and in many ways, it’s a blessing. But when a cyber event happens, certain medical practices don’t have a backup,” says Peter Reilly, HUB North American healthcare practice leader. 

Critical lessons for small practice owners to take from a massive cyber event

Unlike a cyber breach, this incident wasn’t caused by malicious intent but still led to significant disruptions for healthcare businesses worldwide. For small allied health practice owners, Reilly shares four critical lessons in risk management, insurance coverage and operational preparedness.

Understand the limitations of insurance coverage

When it comes to insurance to cover your allied health practice, one type of coverage doesn’t fit all. “In the United States, every state has its own healthcare laws for medical professional liability, so one of the real challenges behind healthcare is knowing what coverage is right for your organization,” says Reilly.

All states require practices to have medical malpractice insurance, but that policy often is not enough. The right policy depends on factors like your business size, location and type of services.

It’s important to understand precisely what your policy covers. For example, some cyber policies cover business interruptions, like those in the CrowdStrike outage, but not all do. Many organizations will likely have cyber policy claims that aren’t covered because the incident was not triggered explicitly by a breach. “If you cannot perform your basic function simply because an update crashed your system, that’s a big price to pay for a heavy reliance on technology,” says Reilly.

Key considerations include:

  • Policy details: Ensure you know what your insurance covers. A cyber policy might cover data breaches but not necessarily events caused by technical errors.
  • Business interruption coverage: Find out if your cyber policy includes business interruption. While these are often part of property insurance, they can also be included in cyber policies to cover losses from operational downtime.
  • Avoiding minimal coverage: While budget constraints are real, opting for the cheapest policy might leave you exposed. A more comprehensive policy can provide greater peace of mind and financial protection.

“Every policy isn’t alike, particularly for healthcare organizations, so you need to understand what’s in yours. If you don’t understand it, ask that your agent, broker or carrier explain it in detail,” says Reilly. 

Do you have a robust backup plan?

The CrowdStrike incident is a stark reminder of the necessity for a reliable backup plan. Because technology is integral to every healthcare organization, its failure can abruptly halt services. 

You’ve likely experienced times when your computer needs to restart to apply a patch, and you do it without thinking. “This is a reminder that before you have that automatically run, make sure you backed up any data you need and can function should something crash,” says Reilly.

Consider these steps to ensure your practice is prepared:

  • Regular data backups: Implement regular data backup protocols to safeguard critical information. Ensure backups are accessible even if primary systems fail, ideally on an external drive or with an external organization.
  • Operational redundancy: Develop contingency plans for essential operations. For example, maintain paper records or alternative methods to continue patient care during IT outages.

Cross-departmental collaboration for large healthcare organizations

Risk management requires enterprise-wide collaboration when technology outages affect every part of an organization. The following are ways to foster communication between IT, risk management and finance teams:

  • Integrated discussions: Regularly convene meetings that include IT, clinical risk officers and financial officers to discuss potential vulnerabilities and mitigation strategies.
  • Vendor contracts: Review contracts with third-party vendors to understand their obligations during service disruptions. Ensure these contracts provide clear paths for compensation or assistance.

Dependence on technology means many business owners have no idea how certain essential systems operate. Someone in the enterprise needs a general understanding of every part of the organization, says Reilly. “Understanding your organization inside and out becomes important. We all saw how a failure to do so has all sorts of unintended negative consequences.”

Regular risk assessments and stress testing

Many people focus on the drive for growth and revenue, while a robust risk management plan can be less attractive. However, conducting regular risk assessments and stress testing your systems can identify potential weaknesses before they lead to significant disruptions. “The practice of medicine comes to a screaming halt when technology doesn’t work,” says Reilly. 

Consider the following risk assessment recommendations:

  • Technology stress tests: Work with your IT team or an external vendor to perform stress tests on your systems, identifying potential failure points. 
  • Policy reviews: Review insurance policies with your broker to ensure coverage aligns with your practice’s specific risks.

Leveraging the expertise of your insurance agent

Small practices often operate with limited resources, making external support vital. Your insurance broker is not only a way to cover losses in a crisis. Good insurance helps you prevent crises in the first place by helping you explore available tools and resources. Your agent can provide valuable insights into mitigating risks and maximizing policy benefits. 

“Lean on those professionals who can offer help. This is part of the service you’re already paying for as part of your insurance premium,” says Reilly.

The CrowdStrike outage is a wake-up call for all businesses to reassess technology dependencies and risk management strategies. But preventative effort and investment can help protect your small allied health practice’s business continuity and safeguard patient care.

Peter Reilly, HUB North American healthcare practice leader. Learn more about CM&F Group’s professional liability insurance.

 


