Insurer Won't Pay Out For Security Breach Because of Lax Security
chicksdaddy writes: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third-party vendor, INSYNC Computer Solution, Inc., failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Disputes like this may become more common, as insurers anxious to get into a cyber insurance market that's growing by about 40% annually use liberally written exclusions to hedge against "known unknowns" like lax IT practices, pre-existing conditions (like compromises) and so on.
If a company cuts corners on security, then in the same way that if I leave my door unlocked and get burgled, I can't make a claim. There's going to be a good living for lawyers establishing what is the required level of security. But if this incentivises senior managers to ask the right questions, then it's probably a good development.
In a similar way, most homeowner's insurance will also not pay out if there is no sign of forced entry. I also foresee patient litigation for allowing publicly accessible records on the internet.
For one brief shining moment, I thought that this story was about a health insurance company being dragged into court and beaten on by their insurance company; and my heart leapt and sang with the unalloyed joy of a Norman Rockwell puppy; because that would just be so beautiful.
Alas, 'Cottage Health' is a medical provider of some sort, so such feelings swiftly evaporated.
That aside, this seems like a situation that is simultaneously common sense (Obviously you won't be able to buy 'cyber insurance' that covers egregious negligence, at least not for any price that doesn't reflect an essentially 100% chance of payout, plus the insurer's profit margins and transaction cost); and likely to be an endless nightmare of quibbling about what 'security' is.
We've all seen the long, long history of attempts to do security-by-checklist, most of which allow you to say that you 'followed industry best practices' by closing the barn door after the horse is long gone, so long as the barn door was constructed with galvanized nails of suitable gauge and is running any antivirus product, efficacy irrelevant. It's not as though 'security' is fundamentally unknowable and intersubjective, man; but it sure isn't something you'd want a lawyer or a layman attempting to boil down into a chunk of contractual language. Barring some miracle of clarity, I suspect that we'll see quite a few dustups that basically involve the insurer's expert witnesses smearing the policyholder's security measures (if they did it by the checklist, the expert witnesses will be snide grey hats who eat 'best practices' for lunch; if they deviated from the checklist, it'll be hardasses on loan from the PCI compliance auditing process; if they implemented a mathematically proven exotic microkernel it'll be somebody asking why Windows Updates weren't being applied in a timely manner); and the policyholder's expert witnesses puffing like salesmen about how strong the security was; and how it must have been an 'advanced persistent threat' to have hacked through such durable code walls.
The fundamental question of 'did you fail to lock the door, or did somebody take a crowbar to it?' is sensible enough in the context of an insurance claim; but rigorously defining what 'locking the door' means in a complex IT operation; and where the boundary between 'incompetence' and 'unavoidable imperfection' lies, is not going to be pretty. My only hope is that if any of these go to jury, the lawyers decide to strike anyone who sounds like they might know something about computers; because it's going to be a long, boring, slugging match of a case.
Health care systems give too much power to the doctors, and they get their hands into everything. They figure that because they went to medical school they are an expert on all things. But because they are in such a position of power, other non-clinical departments need to kiss up to them. We can get a 5 minute pitch to say why we may think it may be a bad idea (usually out of the blue, as it becomes a surprise change) but if it technically can be done it will end up having to be implemented. And they want it now, with no patients for testing, and way too cheap to set up a good testing environment.
Then we have issues because we were forced to implement a bad design, and then it is a case of "those IT guys screwed up again!" The fact that it mostly works is a near miracle.
We can have better and safer health care IT if the doctors shut up and take what we make for them. They can state their problems at the high level, but they will nitpick it into a crap system.
This may offer a useful weapon in such debates; doctors - having been sued for everything - have developed a respect for the impact of law suits. Beyond that: making sure that your concerns are logged in an email to your supervisor gives you significant protection - and looking for another job may be the only answer after that...
All you need to do is take some scissors to your Ethernet cable and put your server in a locked room. You now have unhackable data. There are absolutely lax security practices out there, but being connected inherently carries risk. Our job is to minimize that risk as much as possible through best practices, but nothing is absolutely bulletproof. Security isn't a destination either, it's an investment that never goes away. The day a business stops making that investment is the day their risk goes up.
In thinking about it, and how much of a clusterfuck this is likely to be; it struck me that there might actually be a way to restructure the incentives to provide some kind of hope:
Historically, 'retail' insurance, for individuals and little stuff, was mostly statistical with a side of adversarial: Aside from a few token offers of a free fitbit or whatever, the insurer basically calculates your expected cost as best they can based on your demographics and history and charges you accordingly, and tries to weasel out of anything too unexpectedly expensive.
However, for larger endeavors, (the ones I'm most familiar with are utility and public works projects, there may well be others), sometimes a more collaborative model reigned: the insurer would agree to pay out in the event of accidents, jobsite deaths, and so on, as usual, and the client would pay them for that; but the insurer would also provide guidance to the project, best practices, risk management, specialist expertise on how to minimize the number of expensive fuckups on a given type of project, expertise that the customer might not have, or have at the same level. This was mutually beneficial, since the customer didn't want accidents, the insurer didn't want to pay for accidents, and everyone was happiest if the project went smoothly.
In a case like this, the incentives might align better if the contractor were delivering both the security and the breach insurance: this would immediately resolve the argument over whether the policyholder was negligent or the insurer needs to pay up: if the IT contractor got the systems hacked through negligence, that's their fault; and if they secured the systems, but a hack was still pulled off, that's where the insurance policy comes in.
This scheme would run the risk of encouraging the vendor to attempt to hide breaches small enough to sweep under the rug; but it would otherwise align incentives reasonably neatly: an IT management/insurance hybrid entity would internalize the cost of the level of security it manages to provide (more secure presumably means greater expenditures on good IT people; but more secure also means lower effective cost of providing insurance, since you can expect fewer, smaller breaches; and fewer, smaller claims). If the equilibrium turns out to be 'slack off, pay the claims', that suggests that the fines for shoddy data protection need to be larger; but the arrangement would induce the vendor to keep investing in security until the marginal cost of extra work on IT was higher than the marginal gain from lower expected costs in claims; so the knob to turn to get better security is relatively accessible.
An insurance company trying to screw an insurance company. Gotta love it.
This insurer should be jailed. The nerve.
Insurance is the biggest scam ever perpetrated in the history of mankind. You pay and pay and pay some more, then, when you need to use it you're given every excuse possible why the coverage you've been paying for doesn't apply.
When one takes into consideration the thousands of dollars each year the average person pours down the drain for insurance, it's no wonder people are going broke. That money could be used for more productive endeavors such as food, housing, education or transportation.
Instead, the money is lost in the ether, used only to enrich a few while the many bleed from a thousand cuts.
So now the insurers can be denied coverage because of a pre-existing condition. How does it feel, guys?
And now what we need is criminal/financial penalties for companies who are so blindingly inept at security.
If your business model involves confidential personal information, and you are this incompetent, you have no business being in the business you're in.
This just screams someone was lazy, stupid, indifferent, or cheap ... possibly all of these things.
I can completely see insurance companies saying "hell no we're not paying".
When companies start having actual liability for being that terrible at security, they'll do something. Right now, they can mostly just say "wow, we wish we were sorry".
That's not how you make profits!
Doctors are terrible businesspeople.
Really? I know quite a few and am married to one, and many of them are quite good at business. Many are terrible and/or disinterested, but your brush is a little too broad. If doctors in general were terrible at business in general then they would lose money, and there is very little evidence of that occurring on a widespread basis.
I work in the patient refunds department for a very large insurer and it's absolutely out of control.
Ahh, so you only see the problem cases but lack the larger perspective of seeing all the things that happen correctly.
It often takes them 4 years to notice a payment which wasn't even for them.
Ahh, I see you are confusing what the doctor does (administer medicine and oversee the business) with what their accounting staff does. Doctors typically have a large staff to administer a rather ludicrously large paperwork burden. The fact that some payments get lost between the cracks should surprise no one. I'm an accountant (among other things) and I can assure you that it is not terribly difficult in a busy organization for a payment to get mishandled. I also have worked in healthcare systems and doctors' offices and have a pretty good appreciation for what goes on there. It's not nearly as easy as you seem to think it is.
It's bad when they do their own books but it's still bad when you let them hire their own office staff.
Sounds like you have never tried to run a business yourself. Might give it a go before you start throwing stones at others.
If you don't believe they have tight enough security... then REFUSE TO SELL THEM INSURANCE.
To come back after years of insurance payments & say "oh, I'm sorry, your security sucks, not our problem" is unmitigated bullshit.
But they'll get away with it because insurance fraud is legal... so long as you're an insurance company.
I've been paying auto insurance for 20 years.... never had them pay for a single thing.
Mostly because I don't get into accidents.
Well, except for that one time State Farm invented an accident I never had just so they could jack up my rates. That fraudulent invented accident apparently paid $5k out to someone... I was never able to find out who, though.
Then there was the dental plan I got through my company health plan. When I went in for a cleaning, I was told it didn't pay for cleanings, only oral surgery. However, 2 weeks later when I needed oral surgery the -very same policy- didn't pay for oral surgeries, only cleanings.
Then there was the time I got food poisoning. I only found out -after- the hospital stay that the policy that -said- it covered emergency hospital care didn't actually do that & I had to pay 100% out of pocket.
In my book, insurance is a synonym for fraud.
An insurance company that wants to start insuring new things should understand what they are insuring. They need to run tests beforehand to determine if the level of security is acceptable prior to issuing said policy. This would be similar to my getting a physical before obtaining a large dollar amount life insurance policy. The company wants to be fairly certain that my health is at an acceptable level and I am not expected to die soon from natural causes. Issuing policies solely as a means to profit, without proper due diligence, and then refusing to pay a claim seems unethical. Let the courts sort this one out.
I'm guessing they made their employees change their passwords every 2-3 months. That's pretty much all the precaution any company I've ever worked for has taken.
Let's see them apply this to IT support outsourced overseas.
Let's see:
Outsourcing = $.002 per call
Insurance for outsourcing = $200,000.00 per call
Nope, the numbers don't add up.
Actually, security by checklist is the way to go for writing an insurance policy. An underwriter should be able to work out actuarial tables for companies that follow which security best practices, and then price policies accordingly. For instance, if you pass a PCI scan and have virus scanners installed and don't give your users admin rights, and have websense installed, and you have data of $X value, you have an Y% chance of getting jacked, so your policy costs $Z.
I'm not saying that the checklist should be the company's only security practice. That would be madness. I'm just saying that the insurance underwriter should be able to use a checklist to quote an insurance policy.
They weren't hacked. They accidentally put a bunch of medical records online according to http://www.noozhawk.com/articl... (linked from the article). If they bought an insurance policy that only pays out if they follow "minimum required practices", and they didn't, then of course it shouldn't pay out.
Ah, the brutal irony of these medical insurers not being covered by THEIR insurance. It harkens back to the days when the medical insurance industry claimed that patients’ pre-existing conditions disqualified them from coverage. I guess a pre-existing condition is now considered a compromise or malware infestations. Unfortunately their deep pockets will be able to cover their losses while individuals often times couldn’t cover the medical care or went bankrupt because of the exorbitant costs.
Finally the security offenders are forced to pay. It's weird how coverage gets all hung up about finding and punishing the perps.
It's also weird how we're very comfortable with self-regulating systems like The Market or Evolution, but don't seem to think that these systems require feedback. How many security breaches would be avoided if there was consistent (negative) feedback?
They'd find some way out of it.
They do every time.
I am at the point of saying that almost all insurance should in itself be illegal. Often employees fail to do as they are asked in a business. Sometimes the people at the top of the chain of command must simply accept employees' statements that work is properly completed. I have been in a situation in which the president of a substantial company went a bit senile as he was past 80 years of age. Frankly, many things could slide by the old guy without him understanding that something was wrong. So even if an insurance company claims that something was seriously wrong with a company's security, I really have trouble blaming a company unless the entire situation is known, and really it never is. On the other hand, I see car insurance as a joke and a bit of theft hoisted upon the public. Auto insurance simply never has high enough limits to actually properly pay a seriously injured person. Requiring people to carry insurance on each other's bodies eliminates responsibility, as payouts larger than in the policy are almost unheard of in my state. So if you come out of a wreck and lose both eyes and both legs, most people's auto insurance will not even cover a helicopter to rush you to a trauma center, and all of your medical bills will fall upon you despite the other guy clearly being 100% at fault. And medical insurance allows doctors to bill at absurd rates. In short, insurance really needs to be banned.
I don't know any insurance that offers a payout in the event that *I* screw up. I don't see how companies can purchase any insurance against their own negligence. If such a thing did exist then you can be damn sure I'll buy the insurance just so I don't have to work hard.
If you can, disclaim liability. If you can't, insure against it. If you really can't, cover it up and hope no-one notices.
This is the only thing that will get us better enterprise IT security. Insurances actually care about not paying, and hence they care about actual risk. They do not care about "compliance" unless it actually decreases their risk.
(Side note: Anything you cannot get insured, like a nuclear reactor, is a very bad idea in the first place.)
The insurance would only kick in where the insured doesn't do their job securing the data. There is no in-between in computer security, you either implement security and it works or you don't and you take an insurance for when the inevitable happens.
People want to work from home and companies recognise that this is desirable, so I think you're hoping for too much in trying to ban it. However, making it safer - and getting insurance companies to impose the right constraints - may be the best way forward. 'If your system is hacked because an unauthorised laptop was attached to it, we don't pay out' should be a standard insurance clause. Similarly, trying to separate the email system from the rest of the system to sandbox spear phishing attacks should be required.
The point of course is that risks always exist; the challenge is to identify them and manage them. At the moment those risks are not being recognised, and the insurance companies are beginning to take exception to taking the fall for things going wrong.