Healthcare organizations are increasingly looking to cyber insurance as a safety net to cover expenses in the event of a data breach—but as evidenced by the high-profile spat between California healthcare provider Cottage Health System and its insurer, Columbia Casualty, it's important to read the fine print.
Cottage inadvertently disabled security on one of its servers, exposing tens of thousands of patient files to anyone searching the internet, and they remained exposed for about two months in 2013. The company and its third-party vendor, inSync, were sued as a result.
That accidental exposure of patient data at Cottage Health led to a subsequent claim for coverage that Columbia refused to cover. Columbia argues that the provider failed to follow the "minimum required practices" for security detailed in the policy. In other words, the data breach was a result of the provider's own negligence, so they're out of luck.
For healthcare providers, this should be a wake-up call. It's widely reported that negligence is prevalent throughout the industry: "It's one of the most common exposures that healthcare organizations have," says Beth Strapp, vice president and global healthcare specialty lines segment manager at Chubb Group of Insurance Companies.
"Even for the biggest organizations that have the most sophisticated IT security measures in place, they still experience and are still concerned about employee negligence," Strapp told Healthcare Dive.
Strapp points to a 2015 survey by the Ponemon Institute that asked healthcare organizations what type of security threat concerns them most. The highest-scoring category was employee negligence at 70%, followed by cyber attackers at 40%. "So from an employer's perspective it's a huge threat," Strapp notes.
Interest on the rise—but buyer beware
Cyber policies have been growing in popularity ever since HIPAA was amended by HITECH and healthcare organizations were first required to notify the government of breaches, Strapp says. That growth continued as more and more data breaches became public, and recently jumped following the massive breach at Anthem.
However, organizations need to understand exactly what their policies cover and what their own responsibilities are to meet the requirements of their policy.
Strapp notes that Chubb's coverage is among those that respond regardless of the cause of a data breach. "It's at the insured's discretion whether to report the claim to us and then the policy can be used at their direction to help cover privacy notification costs even if notification is not required by any state or federal statute," she says. She notes that some carriers, particularly those that are very small or that offer very aggressively priced policies, are providing more limited coverage.
How should insurance fit into a data security strategy?
Healthcare organizations need to go further than developing a response plan and conducting tabletop exercises and start discussing how particular scenarios would match up with their insurance plan and when they would contact their insurer, Strapp says.
"I can't emphasize enough being proactive and making this a top priority," Strapp says. "The organization who puts their head in the sand is definitely going to have a problem at some point because it's not if, it's when."
That said, cyber insurance is only one piece of the puzzle in managing a data breach, notes Lysa Myers of IT security company ESET. Insurers are aware that healthcare organizations are in a risky and delicate position because they are targets for hacking and likely to incur high costs due to regulatory fines and claims.
"As a result of both the higher risk and cost, healthcare businesses are going to need to be much more diligent about creating a thorough risk assessment and security plan to make sure they can get coverage at all, and to make sure the rates are not astronomical," Myers says.
Addressing internal negligence
Given the high level of concern around accidental exposure of patient data, numerous IT insiders sent in their tips for handling internal breaches to Healthcare Dive.
Matt Crawford, Director, Healthcare Solutions Marketing, Citrix:
Outright willful negligence is pretty rare, but we can't forget the human element. Mistakes can happen. Some of the best security technologies can be made irrelevant by staff who fall for phishing attacks or other social engineering techniques, for example. So deploying technologies must also go hand in hand with staff training. They need to understand what they're working with and the reasons behind security measures.
Amit Trivedi, Healthcare Program Manager at ICSA Labs:
In our opinion, this issue is not 'negligence.' We think that most people in health IT understand the sensitivity surrounding patient information and know that privacy and security are very important. The bigger issue may be from a governance or organizational perspective in terms of the percentage of an organization's budget that is actually allocated to developing and maintaining an adequate security infrastructure and enforcing privacy policies. That, coupled with a lack of available resources for monitoring and properly training end-users/developers, paints a more dire picture. That said, it is similar to other industries, given the issues with major retailers and their problems maintaining properly patched and secure point-of-sale systems, and the issues utilities have securing embedded systems. However, when we talk about health data, the issue becomes more personal.
Michael Bruemmer, vice president of Experian Data Breach Resolution:
Although healthcare providers have increased focus on security protocols against external hackers, employees continue to be the leading cause of security incidents. This includes simple human error such as employees sharing passwords, misplacing a flash drive, falling for a phishing scam or opening a harmful email attachment. According to the 2013 Cost of Data Breach Study: Global Analysis by the Ponemon Institute, employee negligence represented 59 percent of security incidents in the last year. Reported incidents may continue to rise as electronic medical records and consumer-generated data add vulnerability and complexity to security considerations for the industry.
Muddu Sudhakar, CEO of Caspida:
Negligence is not uncommon—you are dealing with human beings after all. Most of the HHS standards generally prescribe common sense requirements, but healthcare organizations need to consider new approaches in light of a growing and more evolved cyber threat, as recently made evident by a higher caliber and larger number of health insurer data breaches. There is also a considerable difference between being compliant and being secure.
Nat Kausik, Bitglass CEO:
I think this is very common. HIPAA did not accrue fines until just recently and, until those fines start adding up, the security posture of the typical healthcare organization will remain quite poor. Some of the largest and most prestigious organizations have the weakest security posture, as they feel that the patients will keep coming regardless of a major security incident.
Nigel Johnson of Zix Corporation:
Something that is constantly overlooked when it comes to security responsibilities is the power of email and the data it contains. Most employees don't think twice about sending an email because it is second nature. As the Woolworths breach on Monday showed, an email hiccup could turn into a massive data breach with the click of a mouse. Similarly, a lack of attention to email could come back to haunt healthcare organizations.
Andy Nieto, health IT strategist, DataMotion:
Negligence in clinical healthcare is, more often than not, the result of a culture within the organization that does not place significant value on privacy and security. A great example of this is a hospital where I was participating in a HIPAA audit. While standing in the elevator, I listened to two nurses discuss a patient in detail, including the patient’s name and condition, and even complain about the patient’s spouse… by name. The hospital did not have a culture of security or privacy. This "casual" ignorance has been decreasing in healthcare, but it is not gone.
On the IT side, negligence is rather rare and usually appears as "negligence by assumption," because the staff believed that a device, application or appliance performed some function but never confirmed it.