Global Edition

You’ve been breached, so what does that mean with cyber insurance?

The final chapter in our cyber insurance series outlines the legal considerations after a breach, mainly, ensuring the organization can choose its own investigator.
By Jessica Davis
October 24, 2018
04:28 PM

In this current threat landscape, healthcare data breaches are common -- if not nearly inevitable. Cyber insurance policies can provide some protection in that worst case scenario, but only if an organization has carefully selected the right policy and carrier.

But cyber insurance isn’t some magic cure-all. As with any type of insurance, a healthcare organization must hold up to its end of the bargain.

Here’s what Jane Harper, Henry Ford Health System’s director of privacy and security risk management and Matthew Fisher, partner with Mirick O’Connell had to say about the legal considerations an organization needs after a breach.

First steps

Once a breach has been confirmed, healthcare organizations need to tell the insurance broker as soon as possible, explained Fisher. In that way officials can figure out if there are any potential objections to coverage.

“The insurance broker will want a role in the investigation,” said Fisher. “It could be immediate, and they’ll help right away or ask for an assessment before they get someone in place. The insurance carrier may have the tools.”

“So it’s always best to notify the carrier as soon as possible to take advantage of these tools and experience,” he added.

Considerations

As with the variances in policies and coverage, each insurer will have its own preferences on how to handle a breach -- including the preferred vendors and or investigators an organization must use in case of a breach, Harper explained.

“The insurance carrier may require you to use a third-party that they approve and that they work with on a regular basis,” Harper said. “You may not be able to use your own investigation team and may not be able to get outside council: that may be dictated by the insurance company.”

It’s also important to note that the third-party is gathering evidence on behalf of the insurance company, “so when they write the report and finding all of those things, they’re very, very much the property of, not just your organization, but the cyber insurance company,” she explained.

“And the results of the investigation can possibly dictate whether these people believe your breach or incident is covered,” said Harper.

So if an organization wants to be able to hire its own investigative team and council, “those items need to be worked on up front when building the contract,” she explained.

For example, imagine you own a home and have a homeowner’s insurance policy. If there’s a fire, the insurer will hire a company to investigate the fire and determine the cause. The investigator will return a copy of the report to the insurer -- “working on behalf of the insurance company,” Harper said.

The investigation may be part of the policy, but that report is for the insurance company and may not examine those finite details a healthcare organization needs to know -- like the type of virus, Harper explained.

“If you don’t want that to be the case, you need to get that upfront,” she said.

 Not only that, but as the insurance company is trying to manage cost.

“We write policies sometimes, not expecting that the cost of the policy would be more than the review as a result of the policy,” said Harper. “At that point, now there are these issues and you’ve had an incident, someone is about to spend money.”

Harper advised being careful when an insurance hires the third-party investigator because “they’re trying to manage costs,” she continued. “They may not hire the most advance team.”

In fact, Harper explained that she’s worked with forensic organizations for her own personal capacity, and “sometimes they never find out who did it and what exactly happened.” Consider the major breaches at Target, Equifax, Home Depot and the like -- and how many years it took to determine the cause.

Ultimately, organizations need to take their time with researching and selecting the right carrier and policy.

“At the root of insurance: It’s a way to manage risk related to cyber activity that could affect the availability and integrity of your personal information,” Harper said. “You want a carrier who’s going to partner with you -- not just what you’re covered for -- but what you’re not covered for so you can develop policies to cover those things.”

Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com

Topics: 
Privacy & Security

More regional news

Man with backpack on mobile device

A roadmap for designing more inclusive health chatbots

By
Andrea Fox
May 03, 2024
HIMSSCast logo

HIMSSCast: How to get more value from your EHR system

By
Bill Siwicki
May 03, 2024
Researcher at screen

NVIDIA integrates its AI microservices with AWS

By
Nathan Eddy
May 03, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Man with backpack on mobile device
A roadmap for designing more inclusive health chatbots

Most Read

WebMD acquires Healthwise to bolster patient engagement and growth
How the Change Healthcare cyberattack is straining providers, and what the government can do
HHS response to cash flow concerns from Change cyberattack inadequate, providers say
After Change Healthcare, more effort needed to avoid cyberattack chain reactions
HIMSSCast: Web apps are ubiquitous in healthcare – and come with vulnerabilities
Change Healthcare begins to restore service after cyberattack – as lawsuits begin

Research

White Papers

More Whitepapers

Compliance & Legal
Artificial Intelligence
Analytics

Webinars

More Webinars

Privacy & Security
Artificial Intelligence
Analytics

Video

Christopher Falkner at Sodexo_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Making a career of medical device interoperability and security
Jessica Skopac at MITRE_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How MITRE helps break the silos of healthcare and technology
Emily Barey at Epic_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Saying 'yes' to the possibilities of a health IT career
Abigail Norville at the Netherlands Ministry of Health_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How the Dutch health ministry takes innovation inspiration from other nations

More Stories

Dr. Guido Giunti at Trinity College Dublin_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
Novel digital therapeutics for MS empower patients
Walmart store
Walmart announces closing of clinics and virtual care
Hacker with glasses and hat looking at two screens with data and code
Ransomware was used in 72% of network intrusions last year, says BakerHostetler
Amanda Bury, chief commercial officer at Infermedica
Telemedicine, enabled with responsible AI, can improve the patient experience
Kendall Brown at CenTrak_Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
How HIMSS membership can grow healthcare careers
Nurse using tablet
To get stronger AI buy-in from wary nurses, start with automation
Ellen Arigorat at NewYork-Presbyterian Hospital Palm trees and skyscrapers in Orlando Photo by Gabriele Maltinti/iStock/Getty Images Plus
HIMSS Changemaker champions Filipino-American health literacy
Doctors review practice finances
LLMs are not ready to automate clinical coding, says Mount Sinai study