Presenter: Welcome to today’s episode of True To Form with your Host, CEO, and Founder of Crystal Clear, motivational speaker, and three times Inc 500 Entrepreneur, Adam DeGraide. True To Form is a podcast that highlights leaders making headway in the aesthetic, anti-aging, and elective medical industry. Learn from the experts to discover the secrets of success and pitfalls to avoid when growing all aspects of your elective medical practice.
This week’s episode is brought to you by TouchMD, the all-in-one aesthetic technology hub that educates your captive audience in the waiting room and consult room, consistently captures and manages photos, provides digital charting and consents, and allows patients to take their experience home to share what they learn with friends and family via the practices patient app. Please join me in welcoming your host the fearless, the outspoken, Adam DeGraide.
Adam DeGraide: Hey everyone, it’s your host Adam DeGraide. Today for True To Form, so glad to have all of our regular listeners here. I have a very special guest, full disclosure, she is my sister-in-law. I married her sister and she is dear to my life. Her name is Tami Pickens from ISU Armac Insurance here in California but licensed in many states. Tami, welcome to True To Form.
Tami Pickens: Thanks for having me.
Adam: It is so great to have you here and it’s so great to know you. I was actually chatting with Tami for the listeners out there just yesterday about a program that I went through over the week-end here in Los Angeles. And they were – our lawyers were discussing the risks and challenges associated with medical spas and medical practices covering in their insurance needs. And one of the big topics of discussion Tami was a lot of the breaches that are happening as you know with HIPAA and Cyber Liability insurance, so what I thought would be really, really good is to get right into some of the things, obviously you guys have insured many hospitals and many medical practices. First of all, give a little bit of background on ISU Armac. And then second of all, what do you typically try to do when you’re looking at insurance needs at a practice to make sure that they’re covered properly.
Tami: Well, ISU Armac originally started with my grandfather back in 1962. And he was mostly at the time a personal lines insurance agent and then my father took over several years later. He really started when he was 18. And growing up, my brother, and my sister – your wife, and I lived in a household where our dad worked very hard and was gone most of the time selling insurance during the day and at night. And all three of us said, we would not go into insurance, and all three of us ended up in the insurance industry, and I kind of fell into it. I went to culinary school to get my Culinary Arts degree which I did. But I had a very tragic car accident, which pretty much took that career away from me.
So I really had to search my soul and find something different. And I really feel there are certain careers that just run in the blood and this is one of them. I was meant to do this. I enjoy every minute of it. I do learn something new every day. And now my daughter is in the insurance industry too. So this is four generations going down the line here and I’m so proud of her. But for me personally when I take a look at an account I like to get all the policies upfront. An insurance agent can really assess the account and really check to see if there is gaps and coverages if I have everything. If someone is going to give me their general liability policy, their auto policy, but not let me look at their professional or their workers’ comp, there could potentially be gaps and coverages there.
Tami: Yeah, very interesting. It’s super important that we review all the products because there will be something that needs to be listed on the general liability policy to back an organization up if they make an error on their employee benefits. So if they’re making an error on the employee benefits, if you don’t have employee benefit liability on your general liability, then anything that happens with that employee will come out of your pocket. So that’s just an example of a gap and coverage.
Tami: So when it comes to the medical profession, I really feel that it’s important that because they’re protecting so many assets and their businesses and their employees and their patients that we look at every line of business that they have in place and look to see what could possibly be [indiscernible] [00:05:13]
Adam: You know, it’s interesting because obviously even at CCDM we have seen a lot of changes in insurance even in our own lives, obviously there’s professional liabilities, there is — and I don’t know if it’s the same as EPLI, I’m not an insurance agent by any stretch of the imagination, but I’ve also known that not only do we need general liability, but we have spent thousands and thousands as you could imagine with our software protecting patient data and making sure that we have a great cyber liability programs. And this weekend at the AAFE conference here in Los Angeles their attorneys were talking about some of the breach examples that have happened in medical practices and what kind of penalties those can actually lead to from a medical practice perspective, and they were highly recommending cyber liability insurance.
And you would think Tami that in today’s electronic world that every business would have it, however, there are still many practices and many businesses in general that a) don’t understand what it is in, and b) don’t have it or understand the value of it. Would you help our listeners understand what cyber liability is for and how it can help protect a medical practice specifically?
Tami: Certainly. So cyber really came on the scene about 15 years ago. It was not a popular product. Nobody knew anything about it, including most of the insurance industry. And Armac Insurance purchased a product that was specific to insurance agents. It was written for insurance agents several, several years ago. We’ve had it in place for probably 12 or 15 years and never thought we would use it. It really was just one of those types of coverages that’s in the back of your mind. It just helps you sleep at night. Well, in the last three to four years as you can imagine with all of the media publicity on accounts and servers being hijacked and people’s information being held for ransom, there have been stories all over the United States of this taking place.
And cyber has become a very much talked about product in the insurance industry in the last two years that I have seen it all over the board in just the last six months. And with the medical practice it’s super, super important because they’re dealing with HIPAA information and that has to be protected. So with that being said and with a lot of industry professionals now for Armac, an example, Armac no longer has servers and help servers; everything is done through Amazon workspaces. So although we feel that we have all those protections in place to avoid a cyber attack it actually has happened this year. And so being a victim of that, our cyber policy immediately stepped to the play and so I got to see firsthand what takes place in a cyber attack. Ours was specifically a phishing email that –.
Adam: Yeah, which is a major problem all over the world right now.
Tami: That is the number one because these criminals can get into your system, right, and they’re not there very long. They’re just looking for, okay how do I snag the person at the other end of the email to open this document and type in a user ID and password so that I can get access to their system and demand funds, and that’s exactly what’s happening. And so — and they’re not huge amounts, these are smaller amounts. There was a real estate agency in our local area that had a $96,000 cyber claim that took place and the FBI got involved because it was seniors that wired their down payment on a housing transaction.
And when the FBI looked into it the email came from escrow, title, the real estate agent, the listing agent, and all the information looked 100% valid. And so a lot of times there isn’t that red flag that tells you this is a phishing email. So there are a lot of insurance companies now that are doing testing with their employees so they will create a phishing email, put some sort of indication in that email that is the red flag, send it to all of their staff and then see out of all their staff how many open it and give them as an organization a grade as to whether or not they’re paying attention.
Adam: Yeah, exactly.
Tami: Yeah, one large insurance company recently we met with and they said that their grade was like a 42% or 43%.
Adam: Oh my God.
Tami: About 60-plus percent of their employees opened the email. So that’s the number one because it’s very easy to doing it so common and –.
Adam: I had a question in regards to like employee breaches as well too. I was wondering if cyber covers this or this something different that covers it. A lot of times in the medical community and obviously companies in general employees will leave and go to a competitor in some cases. We’ve actually had several examples of believe it or not, people are trying to work with Crystal Clear and they would tell us during the actual sales process that they grabbed the patient list from their previous place of employment and that’s what they were going to use to market to their existing patients.
And I’m thinking to myself first of all, we’re not ever going to work with that person obviously because we don’t do that. But second of all, what kind of insurance would protect that practice from an employee downloading their list or taking it to another place or breaching HIPAA in that way?
Tami: Well, that would be cyber. So we did – I was involved about four or five years ago in a very, very large situation with a local hospital. And what happened with that was they had an employee who took home a laptop and they also took home some hard copy files. In that particular situation that employee never went back to work. They basically walked off the job with that information. The laptop had about 170,000 patient files on it but had 70 personnel files for the hospital. So when that particular situation happened, there is two things that they have to do. First of all, they have to notify their employees immediately hey, your information has been taken and then they have to think about okay now we have to notify 170,000 patients whose information including their medical history, their social security numbers, date of birth, everything that can hijack their identity they need to notify them.
So there are several steps that have to take place. But I will tell you that the companies that are involved in that they have these forensic investigators, these forensic computer investigators that can really track things down. And I actually got to see one of those reports this year with our situation and it’s a lot of numbers. I mean, Adam you’re a computer genius, so you would look at it and go, oh, yeah I get that but me I didn’t. It was literally a graph of just numbers and tracking and where the email originated and who it hit. And then there was another graph that they gave us where they had scanned through six months’ worth of emails to see okay, what was compromised, are there any socials in these emails, are there any dates of birth, resident addresses, so they looked for all kinds of factors.
And that is what’s really costly is you’ve got to hire someone who knows what they’re doing. And the cyber insurance takes care of all that for you. You don’t have to worry about it. They immediately start with their checklist, okay, this is our first thing we have to do. Here is the next thing we have to do. Okay, here is the list of things we have to do to be in compliance with the State of California. Here is the things that we have to do to be in compliance with federal law. And it’s a fascinating process. Now that I’ve been involved in a firsthand cyber claim, it’s a very fascinating process but it’s long, it takes a while to get all of that stuff done.
Adam: Yeah, it’s amazing, it’s amazing. Tami, I can’t tell you how many times I’ve even heard from our existing clients that their previous employees have taken their data or at least they think they might have taken their data. And all those challenges if that actually happens and actually has an impact on their existing patients and also their practice. What was really interesting to me in listening to the attorneys, I mean, and also I think insurance agencies don’t speak enough at a lot of these conferences. I’ve been saying that for a while now because I know it’s not an exciting or a sexy topic. But when you’re thinking about not only needing malpractice insurance but EPLI, professional liabilities and now cyber is a big piece of it, coverage is really, really important.
And one of the things that I realize is that as a vendor to medical practices and this is really important for medical practices that are listening. Whoever your vendor is that is hosting your patient data man, not only do you need to make sure you have a business associates agreement in place with them, but you want to make sure that there being a HIPAA compliant as well and to see if they’re even doing HIPAA assessments on their own business. One of the things that we try to do and it helps us every year even with our cyber coverage is we do a HIPAA assessment Tami, where we have a third-party independent firm, try to attack our servers, they come in and look at our people and our procedures, our password, process the way we actually lock our facility.
And we could provide a report to our practices that says here is how we scored, here is the areas we’re trying to work on, you would be amazed Tami at how many businesses that work with medical practices don’t even do that and how many medical practices themselves don’t even do that. And that’s a good thing for cyber to be able to protect them right. Is there a way to get better rates if you are doing things like that or what is the typical process and how can a practice get the best rates on cyber coverage?
Tami: Absolutely. Well, as you know I handle your cyber insurance, and last year we had to provide the report that showed all the steps that you are taking to prevent any cyber attacks and your insurance company was very impressed with the process that you were doing, and so as a result you were able to get a better product. A lot of the professional liability carriers now are offering what we call packages that will include professional liability, cyber liability, employment practices liability, and directors and officers liability. So there is a couple of really, really good products out there that they can be your one-stop shop for all the professional lines of business. And depending on what steps you’re taking to prevent these attacks and prevent employment practices liability suits and they look at all of that will ultimately determine your rate and whether or not they’ll write you.
Adam: Yeah, I can imagine that they don’t want to write everyone, especially if they’ve had problems in the past if that becomes a problem, so you have to show people not only are you reactive but more importantly you’re proactive in obviously protecting your data, protecting your patients’ information, protecting the way you work with your employees. I mean, I would imagine that definitely has an effect on a) the quality of carrier because not all carriers are created equal that’s something that I’ve learned with you guys over the years and being in the family. But more importantly just because you have a coverage doesn’t mean it’s necessarily going to cover you, correct?
Tami: That is correct. And I think the biggest misconception with cyber insurance is everybody assumes it’s going to happen to the big boy, the big corporation. Well, yes it does happen to the big corporations. But the most common lawsuit in the State of California right now that is involving cyber is under 45,000 and it’s happening to small businesses because small businesses are not the ones who are really taking those extra steps then say the banks like the Wells Fargo, the Bank of America. Those large corporations have a whole cyber team. Small businesses don’t and so a lot of the companies don’t take those extra steps so they’re a target.
And small businesses they’re the ones that are getting hit the most when it comes to these phishing claim. And if you don’t have those steps in place to prevent cyber or even educating your employees here at Armac we’re constantly telling our employees hey, if you get an email from an insurance carrier and it says click here to access your documents, have our IT people look at that before you click here because the minute you click on something especially if it’s asking for a login and a password that’s a red flag.
Adam: Yeah, it’s definitely a red flag and it’s amazing to me how many people still fall forward but it definitely I can see, if you’re busy during the day and you’re trying to get stuff done and all of a sudden you’re waiting on something and if something looks like it’s what you’ve been waiting on I can see how that will absolutely happen. Another area that we’ve been telling our clients to be really concerned about is the ADA compliance, Americans with Disability Act on their websites believe it or not in their digital presence. We’ve seen a rise in lawsuits with doctors for not having what they call accessible digital websites or information on their practice.
And there has been lawsuits popping up all over the country for people saying I wasn’t able to use your website because it wasn’t compliant for my disability. What insurance would cover that? Obviously they’re working with a company like Crystal Clear for practices that are listening, obviously, we can help you work on your ADA compliance and I’m sure there is other reputable website companies as well that can do the same thing for you. But it’s very much ignored and overlooked and it’s becoming more and more of a problem. Would that also fall under the umbrella of cyber?
Tami: Not necessarily cyber that falls more under the employment practices liability because it’s a discrimination issue. And there – the carriers are really looking at that more. I know that that has been pretty prominent because the lawyers they look at what’s the first thing that I can file a claim against these companies to who are the deep pockets, what am I going to find where can I file a lawsuit. And disability has become a huge issue here in the State of California.
Adam: Yeah, it’s not just California by the way Tami, it’s everywhere, it’s amazing.
Tami: Right. Well, and the physical disability issue here in California really hit a couple of years ago where they were coming around and looking at businesses making sure every business was ADA compliant and the fines were just astronomical if you weren’t. And so you had to create parking spots and all kinds of stuffs when the lives changed a few years ago, even more so than what it was before. And so I can totally understand why you’re getting this feedback and people are being sued for their websites not being ADA compliant that would just be the next step. So I would assume in most cases that’s going to be covered under the implement practices liability. Some of the cyber products may move to that to where it’s covering websites. It just depends on the products.
Adam: Yeah, interesting.
Tami: So we really have to look at the carrier. There is one that’s called NAS and they have an amazing product both for implement practices liability and for cyber. But they can really kind of intermingle those coverages depending on what product that you need. And so you can a lot of the carriers are letting you build what you need. They’re just options so when you’re filling out an application for a professional product they’ll have a whole crime section, they’ll have a whole section for cyber, they’ll have a whole section for employment practices liability.
And if you’re just filling out that application for say professional fill out the rest of it just to see what it’s going to run you to have those extra lines because sometimes you put it into a package on the professional side it’s a lot less costly than if you were to separate those out in the separate policies. And you can get some extra protection there and sleep better at night just knowing that you have it.
Adam: You know, it’s amazing Tami. What’s really scary is that a couple of practices that we work with prior to them actually coming to Crystal Clear they were sued and they lost. One of them was like a little over 30,000, one was over $60,000 settlement. So and this is by the way for ADA complaints on their website guys. I think it was out in New York. One was on New York, one might have been on California. But if you think about how much time and energy we put and being compliant on these things at our physical buildings more and more folks listening, it’s important to make sure that your digital buildings, your click in your brick are matched together and that’s where the stuff you have to pay attention to it. And I felt it was important to at least get an insurance agent’s perspective on this.
And the nice thing about having insurance agents in the family as I disclosed early on although Crystal and I have no financial interest in anyone of you ever working with ISU Armac. But at the same time I think it’s important for you guys to know that this is my sister-in-law, Tami who has been on True To Form today with me. And it’s awesome to have that person in your family because you stop and you have to take a beat. It’s like you have to say okay. We can’t ignore these things. We have to look at them. It’s your point Tami, the advice to medical practices to make sure that they’re filling it out and getting quotes on of all this is very important. If somebody did want to have you review their policies or take a look or talk to you a little more in depth about some of the concerns that they have how can they a) find out about ISU Armac and then second of all, reach you personally?
Tami: Well, our website is probably the first stop. It’s isu-armac, which is armac.com. And under our staff page you can find me and it has my email address and my direct line. But I just want to add with technology going the way it is technology cannot be ignored and that’s really what you need to pay attention to right now.
Adam: No doubt about it. So it’s isu-armac.com, go under staff, you’ll see Tami. Tami, thank you so much for joining us today in True To Form.
Tami: Thanks for having me.
Adam: It’s been a pleasure. Everyone thank you for tuning in. Remember, you never know who you’re going to hear, you never know what we’re going to talk about. Tune in soon next week for True To Form. Thanks everyone.
Presenter: Thanks for tuning into this week’s episode of True To Form brought to you by TouchMD, the all in one aesthetic technology hub. To learn more about your podcast sponsor, visit TouchMD.com. And to learn more about your podcast provider Crystal Clear visit crystalcleardm.com. Also be sure to subscribe to the show on all of your favorite music apps including iTunes, Spotify, SoundCloud and tune into stay up-to-date with the newest episodes. Thank you for listening.
For convenient listening on the go, feel free to subscribe to True to Form on your favorite music apps!