BreachExchange mailing list archives
Cyberinsurance: A breach savior for healthcare providers, but read the fine print
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 26 Aug 2014 19:18:28 -0600
http://www.fierceemr.com/story/cyberinsurance-breach-savior-healthcare-providers-read-fine-print/2014-08-26

Cyberinsurance can be instrumental in weathering a security breach of a provider's electronic health record system, but purchasers should review policies carefully since they vary widely, according to attorney Scott Godes, with Barnes & Thornburg in the District of Columbia.

"Unlike many other insurance policies, where you can predict what's in them before you open the cover, a cyberinsurance policy varies from carrier to carrier," Godes warned, speaking on a recent webinar held Aug. 22, by the American Bar Association's Health Law Section. "It's a different animal entirely," he said.

One of the few bright spots in the recent breach of Community Health Systems' computer systems, in which information for 4.5 million patients was compromised, is that the organization has cyberinsurance to cover much of its losses, Godes added. Still, the total bill for the breach could run as high as $150 million, according to Forbes.

Unfortunately, healthcare entities are at particular risk of cybercrime, and cloud providers, which store patient records for many providers, are a prime target, warns Gary Githens, with Portland, Oregon-based Brown & Brown Northwest, who also spoke on the webinar.

The average cost to deal with a breach of patient records, he said, is now about $233 per record, including the cost of notifying patients and the government, legal fees, forensics, credit monitoring, manning a call center and crisis management.

Several of the provisions that healthcare entities should look for in a cyberinsurance policy, according to Godes and Githens, include:

- Data breach notification and investigation costs
- Policy limits. "Pay attention to how much coverage and what the deductible is," Godes says
- Coverage for regulatory inquiries
- Exclusions, such as for failure to maintain security
- Business interruption and data restoration
- What service providers the healthcare organization can use in the event of a breach

Healthcare entities also should review their relationships with their cloud vendors. Most contracts between the provider and the vendor favor the vendor when it comes to protecting the provider in the event of a breach. Moreover, many business associate contracts are poorly written and neglect to specify that the insurance coverage should be for data breaches, not just general commercial liability coverage, which does not provide the same protection, according to Githens.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!