15 Days of Cyber Insurance: Is cyber insurance health insurance?
The US 4th Circuit Court of Appeals recently confirmed that a general liability insurer was obligated “to defend its insured against a class-action lawsuit arising out of the inadvertent posting of patient medical records on the internet”. This decision in The Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC involved policies with language describing “web site injury” and “online publication”, indicating that claims not including that language may not cover online exposure of information, and takes advantage of the fact that Portal Healthcare’s actions in not securing their web-accessible databases led to the discovery of patient information on Google, rather than a hacker or leaker exposing the information through his or her own actions.
Incidentally, if it seems unbelievable that a company whose sole line of business is providing online health records management would have allowed those records to be accessible by a Google search, there are many HIPAA and HITECH compliance stories that beggar belief. Contractors have posted sensitive data on online bulletin boards, for example, to get IT help.
While we’ve seen that cyber insurance can be used to pay HIPAA fines and other costs associated with data breaches, and that in certain cases like Travelers v. Portal, general liability policies can cover these costs, a third option is HIPAA compliance services which, as offered by some vendors, includes reimbursement for specific costs associated with a breach that the compliance services were unable to protect against. Correctly estimating how much protection would be necessary is difficult given HIPAA’s sliding scale of $100-$1.5M per violation (which can be considered one breach or the breach of one record, depending on circumstances and prior violations). Certainly HIPAA fines and HITECH compliance add additional penalties to the healthcare industry that other industries don’t need to worry about when pricing cyber insurance policies. Some healthcare organizations choose not to purchase cyber insurance policies because the costs of the policies are too high. On the other hand, the penalties are a result of the value of healthcare information, both to individual patients and on the black market, where a health record is worth more than a credit card number or SSN.
So, is the ruling in Travelers v. Portal good or bad for the healthcare industry? On the one hand, noting that the wording of general liability protection often includes cyber liabilities may save healthcare providers some financial burden in the event of a breach. However, the healthcare industry can be slow to implement cybersecurity best practices, and has been targeted due to the low security budgets and security awareness that are common among healthcare organizations, particularly providers.
As more healthcare organizations purchase cyber insurance, the insurers themselves will have an incentive to require better security infrastructure and controls, as they compare the sophistication of their healthcare clients with clients from other industries. Insurance can also incentivize adherence to an industry-wide regulatory framework, and in fact a cybersecurity evaluation conducted by an insurer could be used to demonstrate regulatory compliance in lieu of a similar audit conducted by the healthcare organization. Regulation in the financial sector has seen a similar push toward cyber insurance, as compliance depends on evaluation of cyber risk. Similarly, in healthcare, the “meaningful use” provision of the HITECH act, and government requirements on data used or collected as part of federally-funded research are pushing large organizations to adopt better cybersecurity overall.