Even before the days of high-profile, massive PHI breaches from Anthem and other health organizations, it was up to cyber insurance companies to pay for damages from data leaks. Since breaches typically cost millions in settlements, mitigation and crisis management, it made sense for health care systems to lean on cyber insurance companies to foot the bill.
So, what happens when breaches become more commonplace, and insurance companies need to protect themselves from paying out millions in coverage thanks to shoddy security? Insurance companies are putting their foot down and demanding that health care system security teams put in serious safeguards, like risk assessment strategies, before they even offer coverage.
“The most important thing that a hospital can do is to demonstrate due diligence in how they approach security,” says Mike Gentile, Executive Vice President of Innovation and Security for Auxilio, Inc. “The best approach is by developing a repeatable [process] that can establish the appropriate level for the organization, implement processes for measuring their environment against the benchmark, presenting gaps to management so they can make informed decisions on what to fix, and then implementing those decisions.”
According to an interview with John Yanchunis in Healthcare Info Security, as hackers become more sophisticated, so do the information security demands of insurance companies.
“As technology develops and thieves get better at what they do, companies are going to have to continue to make improvements. The cyber-insurance market is going to have a big impact on that as we move forward,” Yanchunis says in the article.
Some insurance companies are already offering highly sophisticated breach support, including professionals who negotiate directly with hackers, pay ransoms, and try to stop the metaphorical bleeding. And today, the stakes have never been higher.
A single stolen laptop or memory stick can cause the loss or release of hundreds of thousands of sensitive patient documents. According to Redspin, an Auxilio company, PHI data breaches were up 25% between 2013 and 2014 alone. Expect that number to soar as hackers and information brokers see the fraud goldmine in stolen patient information.
According to Gentile, some of the questions insurance companies might ask include: How well is the hospital correcting identified risk issues in the environment? Does the hospital have an established benchmark for security?
Obviously, not every hospital, insurance company or care system will rack up an estimated $100 million in damages from a data breach like Anthem, but most health systems will have to make serious changes before they apply for that cyber insurance policy. However, with hackers gaining network access through hospital equipment and employees sometimes carelessly releasing ePHI, expect more breaches and more demands for insurance.