In October of 2002, The Economist magazine wrote that “total security was impossible” and that insurance would be how businesses managed the financial aspects of cyber risk. Since then, security attacks have changed and become more deceptive and complex, and cyber defenses have become more technologically dependent. The insurance market, though maturing, is not developing at as rapid a pace as the criminal industry and the technological response.
Potential insureds cannot wait for the waters to calm, and must critically evaluate cybersecurity insurance prices and coverage options. The first and most important of these coverages should be the coverage of costs related to managing breaches, to include expenses related to the investigation, remediation efforts, and patient notification. Other costs that may also be incurred are credit monitoring services, damages associated with identity theft, damages associated with recovery of data, damages incurred due to having to reset EHR systems, and damages to reconstruct or recover websites and other Internet presences. Business continuity expenses (for workarounds or loss of revenue due to a cybersecurity incident) might also need coverage, especially as most standard commercial policies now exclude cyber-related risks from their covered losses. Finally, coverage for rogue employees and insider threats needs to be a part of the insurance discussion and any available coverage needs to be understood.
What coverage a healthcare enterprise can purchase and how much that coverage costs may also change based on how the enterprise addresses these critical aspects of compliance:
- The enterprise should be able to show that it is in compliance with HIPAA, including those provisions that require security and privacy risk assessments and proof of a plan of mitigation and remediation. Insurers likely will not cover losses resulting from a gap in HIPAA compliance, especially because there is a legal obligation on the enterprise to find out what those are.
- Insurers may impose requirements for technology controls (such as encryption, for example) beyond those mandated by HIPAA. Some coverages require more secure and more robust email systems that are more resistant to phishing and spoofing, and other coverages may even require intentional phishing attacks by the insured’s IT department or vendors to gauge compliance with training.
- The training requirements for new employee onboarding and access by non-employee contractors may need to meet certain criteria beyond HIPAA workforce awareness training.
- Insurers may require that contractors providing ‘business associate’ services be separately insured as a first layer of defense against cost, and that those business associate policies explicitly cover the covered entity for losses and damages caused by the business associate.
- The purchased coverage, as with certain types of malpractice insurance, should be based on the ‘date of detection’ as opposed to ‘date of intrusion.’ It is so difficult, even with the best system monitoring tools, to determine when a breach or incident actually first occurred, so the enterprise does not want to be locked into a technical dispute with the insurer about when the hack ‘should have been’ detected.
- The policy should explicitly address whether offshore operations will be covered. Significant risks are associated with outsourcing certain data manipulation and management functions to countries or regions that have stronger privacy and data security rules than the United States.
Finally, and regardless of what specific coverage requirements your policy contains, any policy’s limits need to avoid ‘cannibalizing’ limits, in which the costs of defense reduce the limits available to pay damages or judgments. As with professional malpractice and commercial general liability coverage, the best coverage separates costs of defense from claims expenses.
Barry Herrin (barry.herrin@herrinhealthlaw.com) is an attorney and Fellow of AHIMA. He is admitted to the bar in Florida, Georgia, North Carolina, and the District of Columbia and often speaks at the FHIMA Annual Meeting.
- “Putting It All Together,” The Economist (October 24, 2002)
- Koo, “More Incident Data Needed for Cybersecurity Insurance,” Bloomberg BNA (March 28, 2016)
- Even though there is almost a universal recognition in the law enforcement and security communities that these programs do no good at all, as the sophisticated hacker knows to wait out the 1 to 2 years of service before making use of the stolen data.
As published in the November 2018 FHIMA Monthly Newsletter. Reprinted with permission.