BreachExchange mailing list archives

Cyberinsurance: A breach savior for healthcare providers, but read the fine print


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Aug 2014 19:18:28 -0600

http://www.fierceemr.com/story/cyberinsurance-breach-savior-healthcare-providers-read-fine-print/2014-08-26

Cyberinsurance can be instrumental in weathering a security breach of a
provider's electronic health record system, but purchasers should review
policies carefully since they vary widely, according to attorney Scott
Godes, with Barnes & Thornburg in the District of Columbia.

"Unlike many other insurance policies, where you can predict what's in them
before you open the cover, a cyberinsurance policy varies from carrier to
carrier," Godes warned, speaking on an Aug. 22 webinar held by the
American Bar Association's Health Law Section. "It's a different animal
entirely," he said.

One of the few bright spots in the recent breach of Community Health
Systems' computer systems, in which information for 4.5 million patients
was compromised, is that the organization has cyberinsurance to cover much
of its losses, Godes added. Still, the total bill for the breach could run
as high as $150 million, according to Forbes.

Unfortunately, healthcare entities are at particular risk of cybercrime,
and cloud providers, which store patient records for many providers, are a
prime target, warns Gary Githens, with Portland, Oregon-based Brown & Brown
Northwest, who also spoke on the webinar. The average cost to deal with a
breach of patient records, he said, is now about $233 per record, including
the cost of notifying patients and the government, legal fees, forensics,
credit monitoring, manning a call center and crisis management.

Several of the provisions that healthcare entities should look for in a
cyberinsurance policy, according to Godes and Githens, include:

- Data breach notification and investigation costs
- Policy limits. "Pay attention to how much coverage and what the
deductible is," Godes says
- Coverage for regulatory inquiries
- Exclusions, such as for failure to maintain security
- Business interruption and data restoration
- What service providers the healthcare organization can use in the event
of a breach

Healthcare entities also should review their relationships with their cloud
vendors. Most contracts between the provider and the vendor favor the vendor
when it comes to protecting the provider in the event of a breach.
Moreover, many business associate contracts are poorly written and neglect
to specify that the insurance coverage should be for data breaches, not
just general commercial liability coverage, which does not provide the same
protection, according to Githens.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 