Slashdot Mirror

← Back to Stories (view on slashdot.org)

Insurer Won't Pay Out For Security Breach Because of Lax Security

Posted by Soulskill on from the ounce-of-prevention-is-worth-a-ton-of-green dept.

chicksdaddy writes: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Disputes like this may become more common, as insurers anxious to get into a cyber insurance market that's growing by about 40% annually use liberally written exclusions to hedge against "known unknowns" like lax IT practices, pre-existing conditions (like compromises) and so on.

23 of 119 comments (clear)

  1. Seems reasonable by Bruce66423 · · Score: 5, Insightful

    If a company cuts corners on security, then in the same way that if I leave my door unlocked and get burgled, I can't make a claim. There's going to be a good living for lawyers establishing what is the required level of security. But if this incentivises senior managers to ask the right questions, then it's probably a good development.

    1. Re:Seems reasonable by JaredOfEuropa · · Score: 4, Interesting

      The hard part is indeed establishing what the right level of security is and how to evaluate companies against that. At least over here, the exclusions for burglary are pretty clear cut: leaving your door or a window open, and for insuring more valuable stuff there are often extra provisions like requiring "x" star locks and bolt, or a class "y" safe or class "z" alarm system and so on. With IT security, it's not just about what stuff you have installed and what systems you have left open or not; IT security is about people and process, as much or more than it is about systems.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    2. Re:Seems reasonable by fuzzyfuzzyfungus · · Score: 5, Insightful

      Not that real world IT systems often ascend to this level of security; but the issue is not going to be clarified by the fact that the analogy to physical security is only partially accurate: everyone accepts that (for a given purpose; bank vaults and nuclear installations get judged differently than houses) there is some level of 'reasonable security', which reflects appropriate caution on the policyholder's part; but is known to be breakable. Materials have limited strength, police have nonzero response time, sensors generate false negatives.

      With IT systems(at least at the level of software attacks, if they break in at the silicon level it's another story), there is a platonic essence of 'the secure' floating out there, though generally far, far, far, too expensive, cumbersome, and slow to build to ever see the light of day; and there really isn't the same degree of agreement about what counts as 'secure enough for X' or 'incompetent'. Gross incompetence is something you can identify, and there are various formally proven systems in existence, mostly for the constrained use cases of cost-insensitive customers; but the stuff in the middle is very much up in the air.

    3. Re:Seems reasonable by Rich0 · · Score: 2

      If a company cuts corners on security, then in the same way that if I leave my door unlocked and get burgled, I can't make a claim. There's going to be a good living for lawyers establishing what is the required level of security. But if this incentivises senior managers to ask the right questions, then it's probably a good development.

      Maybe. If you're buying an insurance policy to cover leaks of information, then almost by definition any claim is going to be the result of lax security. So, why bother buying insurance at all if the insurer can get out of it? The likely result is that those harmed won't be able to collect damages since there will be no insurance, and the company that lost the data will simply declare bankruptcy.

      I think there are better precedents. For example, my company is routinely audited by its insurers or other certification bodies. If they spot a blocked electrical panel, that has consequences for the company. The purpose of the audits is to PREVENT bad things from happening, and of course passed audits will support later claims if something bad things happen anyway.

      So, why not do the same with "cyber policies" or whatever they're calling them. The insurer states some standard that the policyholder is to be audited against. The policyholder agrees to be audited. If the audit passes, they're in the clear.

      And that is what insurance is about - elimination of risk. If you are in charge of some big company you can get the blessing of the appropriate auditors and now it isn't you're fault if something bad happens. It is a bit like having an IT team with skin in the game.

      Sure, you can hire what you think is a good IT security team, but how do you really know if you've gotten one? If you buy a cyber insurance policy you're getting that IT audit, but then if you're declared clean and you get burned anyway, that insurance company comes in and puts their money behind their words and pays for your loss. THAT is what insurance is supposed to be.

    4. Re:Seems reasonable by jbolden · · Score: 3, Interesting

      Industry handles this in other areas and for that matter security as well by having auditing firms and engaging in a "best practices" audit. "Best practices" doesn't actually mean best practice but rather not doing stupid or dangerous stuff. The audit is how that gets determined.

    5. Re:Seems reasonable by Rich0 · · Score: 4, Insightful

      everyone accepts that (for a given purpose; bank vaults and nuclear installations get judged differently than houses) there is some level of 'reasonable security', which reflects appropriate caution on the policyholder's part; but is known to be breakable.

      I agree with your post. I'll just add that a big problem with IT security is that companies cannot rely on the same level of protection from governments in preventing intrusion.

      For example, if I have a safe in my house, the means an attacker would have to penetrate it are going to be limited. Since my township has police and neighbors that wander around, they can only spend so much time there before they're likely to be detected. They can generally only carry in stuff that will fit in the doors and is man-portable, since if they have to cut a hole in the house and lower their equipment using a giant crane somebody is likely to notice. If they want to use explosives they will have to defeat numerous regulatory and border controls designed to prevent criminals from gaining access to them, and of course they will be detected quickly. Some destructive devices like nuclear weapons are theoretically possible to use to crack a safe, but in practice as so tightly controlled that no common thief will have them. If the criminal is detected at any point, the police will respond and will escalate force as necessary - it is extremely unlikely that the intruder will actually be able to defeat the police. If the criminal attempted to bring a platoon of tanks along to support their getaway the US would mobilize its considerable military and destroy them.

      On the other hand, if somebody wants to break into my computer over the internet, most likely nobody is going to be looking for their intrusion attempts but me, and if they succeed there will be no immediate response unless I beg for a response from the FBI/etc. An intruder can attack me from a foreign country without ever having to go through a customs control point. They can use the absolute latest technology to pull off their intrusion. Indeed, a foreign military might even sponsor the intrusion using the resources of a major sate and most likely the military of my own state will not do anything to resist them.

      The only reason our homes and businesses have physical security is that we have built governments that provide a reasonable assurance of physical security. Sure, we need to make small efforts like locking our doors to sufficiently deter an attacker, but these measures are very inexpensive because taxpayers are spending the necessary billions to build all the other infrastructure.

      When it comes to computer security, for various reasons that secure environment does not exist.

    6. Re: Seems reasonable by Anonymous Coward · · Score: 4, Insightful

      I'm not so sure about that. I've had the misfortune of dealing with auditors whose definition of best practices included completing non-deviation from things they obviously read out of a college textbook and do not understand at all.

      The notion of actual risk and threat analysis and applying practices to suit situations was completely alien to them.

      I've also dealt with very competent auditors. I rather miss dealing with them. I imagine the incompetent ones cost less, and that kind of thing is going to be a problem as security audits become more prevalent.

      That, and we must never forget that as much as we may applaud the insurance company in this particular story for calling out poor practices, the primary purpose of a modern insurance company is to take your money and give you nothing in return. Everybody needs to be very aware of that, and be untrusting in all your dealings with anyone in the insurance business.

    7. Re: Seems reasonable by jbolden · · Score: 2

      I agree there are terrible auditors that don't understand what they are doing. But in most companies you can push back against that, it is just that then the burden switches to you. You have to verify and certify that alternative approach X is better than industry standard approach Y.

      As far as the rest, the purpose of an insurance company is to pool risk. The person being insured should likely not want to have to file a claim because that means something bad happened. The company doesn't want to give nothing in return because then there is no need for their product.

    8. Re:Seems reasonable by runningduck · · Score: 2

      Typically a company has to undergo an assessment to qualify for the insurance and then periodically reassess annually. At least that has been the case for every information security insurance policy with which I have been involved. Where companies can veer off track is if they are not consistent in their application of the assessment. For example a new system or process goes on line and a senior manager just wants it done, NOW! The new system or process may never be considered under that annual assessment because the left hand does not know what the right hand is doing. In another example an IT manager runs everything by the seat of his/her pants and forgets to consider the insurance requirements when deploying new systems or processes, or allows staff to "fix problems" in production without evaluating the fixes against the original requirements.

      --
      -rd
    9. Re:Seems reasonable by luis_a_espinal · · Score: 5, Informative

      The hard part is indeed establishing what the right level of security is and how to evaluate companies against that. At least over here, the exclusions for burglary are pretty clear cut: leaving your door or a window open, and for insuring more valuable stuff there are often extra provisions like requiring "x" star locks and bolt, or a class "y" safe or class "z" alarm system and so on. With IT security, it's not just about what stuff you have installed and what systems you have left open or not; IT security is about people and process, as much or more than it is about systems.

      I would disagree with you on this (somewhat). There are well established practices on how to build secure systems, for each major development platform (JEE, .NET, RoR, etc) and also for general decision-making.

      Any organization, big or small, needs to be able to come up with scenarios and questions for things that need care, and for which it might need to provide evidence of attention. The important thing is to execute due diligence when it comes to defending your business against attacks, and to demonstrate providing evidence of such due diligence.

      If we are in e-business or are bound by PCI, HIPAA and/or SOX compliance, the following questions would come to mind (just an example):

      1. Are we addressing the top 10 risks identified by OWASP?
        1. If so, can we quickly identify how we address them?
        2. What other risks identified by OWASP do we address and how?
      3. How do we address CERT alerts and advisories?
      4. Are we on top of security patches?
      5. Are the underlying systems security patches up to date?
        1. If so, can we quickly provide evidence of this?
      7. If we are bound by HIPAA and/or SOX how do we address security concerns that might stem from these regulations?
        1. How do we quickly provide evidence (evidence of process and assurance)?
      9. Do we have a multi-tiered architecture, or do we run everything co-located?
      10. Are back-end databases on their own machines, in their own subnets outsize of a DMZ?
      11. Are "mid-tier" services on their own machines, separated from databases?
      12. Are they in a DMZ? Are they proxied by a HTTP server in different machines?
      13. Do we have firewalls? If so, do we keep an inventory of their rules?
      14. Are we up to date with patches for network assets (firewalls, SSL appliances, etc)?
      15. Are we still on SSL 3.0 or older versions of TLS?
      16. Do we specifically disable anonymous ciphers?
      17. If we use LDAP, do we disable anonymous binds?
      18. Do we use IPSec to secure all communication channels (even those internally, a requirement for banking in several countries)?
      19. If not why? How do we compensate?
      20. If we are in E-Commerce, how do we demonstrate that we are PCI-compliant?

      In my opinion and experience, these questions present the starting point for a framework to determine the right level of security in a system. More should be piled on this list obviously, but anything less would open a system to preventable vulnerabilities.

      And that is the thing. The right level of security is the one that helps you deal with preventable vulnerabilities that you, the generic you, should know well in advance, vulnerabilities that are well documented. How costly the prevention is, that is a different topic, and any business will be hard press to justify to an insurer that they forego to deal with a vulnerability because it was too expense.

      Answers to those questions and evidence of such would constitute proof that an organization followed reasonable due diligence in establishing the right level of security. Moreover, it will have a much greater chance to disarm an insurer trying to find a way to avoid covering damages.

      Notwithstanding the ongoing abuses done in the Insurance business, insurers have rights also. My general health and life insurance is not going to pay up my family if I kill myself while base jumping with blood alcohol levels up the wazoo.

    10. Re:Seems reasonable by greenfruitsalad · · Score: 2

      my previous employer (in the UK) wanted to be able to store credit card details of customers for automatic payment processing. unfortunately for us, a law came out that essentially meant that to get certified, we'd have to switch to MS Windows servers. that was the only platform for which there were guidelines and which could be audited. in the end we gave up and had a 3rd party process payments for us. the law pretty much caused the monopoly of sagepay in the UK.

    11. Re:Seems reasonable by Archangel+Michael · · Score: 3

      I agree with your post. I'll just add that a big problem with IT security is that companies cannot rely on the same level of protection from governments in preventing intrusion.

      I am in IT, but not in Security. However, I don't need to know security to know that a large part of the problem is that money fixes problems, and nobody wants to spend the money needed to fix the problems. Further, problems are pushed down to the people least able to fix them (consumers) more often than not.

      These security breaches are going to be even more prevalent and no amount of security will ever resolve them completely. The real fix, IMHO, is to assume that all this info is publicly traded, even when it shouldn't be, and work the problem from there. IF the systems were in place that made assumptions such as this, the problem is much easier to define, and fix.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    12. Re:Seems reasonable by ilsaloving · · Score: 2

      While I agree 100% with what you're saying, I think the problem lies in the fact that there is no consistent, *external* measure to indicate your security level, and that's where things fly off the rails.

      There are things like SOX compliance (in the US, anyway), but that's more for auditibility than security. What is the minimum required aspects your infrastructure has to have to be able to say that you're considered reasonably "secure"? Encryption of all data stores using an officially recognised encryption scheme? All logins for all devices managed through kerberos? All communications between devices must be wrapped by SSL?

      I don't know if there's an ISO standard or something that mandates these things, but it sounds to me that until there are some clear minimum requirements to indicate securedness, this all seems like nothing more like a license for insurance companies to print money on the backs of their clients.

      One will *always* be able to give some hindsight response whenever a breach occurs... to the point where companies would have to lock themselves tighter than Fort Knox before they *might* be able to squeeze money out of their insurance provider.

    13. Re:Seems reasonable by Pinky's+Brain · · Score: 2

      If the insurers get together and set up a minimum requirement for the middle the costs would go down quickly. I'd say that at the minimum records should only be accessible via the intranet, with all machines able to access the intranet being company issued (BYOD is moronic). If internet access is allowed on the same machine it should only be through a virtual machine.

      For financial and medical institutions the cost of a scheme like this should be negligible. My sister works for a bank and at least they have finally started agreeing with me a little, to work at home they now all use company issued laptops with smart card based VPN. She used to do it on her own laptop ...

    14. Re: Seems reasonable by coolmoose25 · · Score: 2

      That, and we must never forget that as much as we may applaud the insurance company in this particular story for calling out poor practices, the primary purpose of a modern insurance company is to take your money and give you nothing in return. Everybody needs to be very aware of that, and be untrusting in all your dealings with anyone in the insurance business.

      As in all industries, there are the good and the bad. I would posit that you are speaking about "bad" insurance companies, not good ones. Not every insurance company dreams of giving you "nothing in return" for your premium dollars. Quite the contrary, if insurance companies never paid any claims, there would be no need for them, and their premiums would dry up immediately. The primary purpose of an insurance is to transfer risk... in effect, pooling it and transferring the risk from one entity to several/many. Believe it or not, this enables many things. Even things like the Ansari X-Prize. The organization awarding the prize didn't have the money to pay the prize, they only had about half of it. They used that to buy an insurance policy, which paid the claim when the prize was won. Regardless, most insurance companies invest in their claim handling capabilities as it is a competitive advantage to have good claim paying history. Doubt it? Compare "The General" auto insurance claims paying vs. USAA or Amica. The latter pride themselves on claim paying. Personally, I have a policy for my house, that recently paid a claim and paid on items I never expected them to reimburse me for. Their claim handler went out of her way to make sure I got far more money than I had anticipated. The bottom line is that its easy to pick on insurance companies, but if you do your research and buy policies from reputable companies, you'll likely have a great experience with them when you have to file a claim. If you go for the cut rate, "The General" type companies, well you got what you paid for.

      --
      Brawndo: It's what plants crave!
  2. Completely agree by zynperor · · Score: 2

    In a similar way, most home owner's insurance will also not pay out if there is no sign of forced entry. I also foresee patient litigation for allowing publicly accessible records on the internet.

  3. Ahh..a pity. by fuzzyfuzzyfungus · · Score: 5, Interesting

    For one brief shining moment, I thought that this story was about a health insurance company being dragged into court and beaten on by their insurance company; and my heart leapt and sang with the unalloyed joy of a Norman Rockwell puppy; because that would just be so beautiful.

    Alas, 'Cottage Health' is a medical provider of some sort, so such feelings swiftly evaporated.

    That aside, this seems like a situation that is simultaneously common sense(Obviously you won't be able to buy 'cyber insurance' that covers egregious negligence, at least not for any price that doesn't reflect an essentially 100% chance of payout, plus the insurer's profit margins and transaction cost); and likely to be an endless nightmare of quibbling about what 'security' is.

    We've all seen the long, long, history of attempts to do security-by-checklist, most of which allow you to say that you 'followed industry best practices' by closing the barn door after the horse is long gone, so long as the barn door was constructed with galvanized nails of suitable gauge and is running any antivirus product, efficacy irrelevant. It's not as though 'security' is fundamentally unknowable and intersubjective, man; but it sure isn't something you'd want a lawyer or a layman attempting to boil down into a chunk of contractual language. Barring some miracle of clarity, I suspect that we'll see quite a few dustups that basically involve the insurer's expert witnesses smearing the policyholder's security measures(if they did it by the checklist, the expert witnesses will be snide grey hats who eat 'best practices' for lunch, if they deviated from the checklist, it'll be hardasses on loan from the PCI compliance auditing process, if they implemented a mathematically proven exotic microkernel it'll be somebody asking why Windows Updates weren't being applied in a timely manner); and the policyholder's expert witnesses puffing like salesmen about how strong the security was; and how it must have been an 'advanced persistent threat' to have hacked through such durable code walls.

    The fundamental question of 'did you fail to lock the door, or did somebody take a crowbar to it?' is sensible enough in the context of an insurance claim; but rigorously defining what 'locking the door' means in a complex IT operation; and where the boundary between 'incompetence' and 'unavoidable imperfection' lies, is not going to be pretty. My only hope is that if any of these go to jury, the lawyers decide to strike anyone who sounds like they might know something about computers; because it's going to be a long, boring, slugging match of a case.

    1. Re:Ahh..a pity. by AbRASiON · · Score: 3, Funny

      You think that's bad? I very briefly thought this was due to some laptop / hardware being forced open by LAX airport security staff.

  4. One possible way forward... by fuzzyfuzzyfungus · · Score: 2

    In thinking about it, and how much of a clusterfuck this is likely to be; it struck me that there might actually be a way to restructure the incentives to provide some kind of hope:

    Historically, 'retail' insurance, for individuals and little stuff, was mostly statistical with a side of adversarial: Aside from a few token offers of a free fitbit or whatever, the insurer basically calculates your expected cost as best they can based on your demographics and history and charges you accordingly, and tries to weasel out of anything too unexpectedly expensive.

    However, for larger endeavors, (the ones I'm most familiar with are utility and public works projects, there may well be others), sometimes a more collaborative model reigned: the insurer would agree to pay out in the event of accidents, jobsite deaths, and so on, as usual, and the client would pay them for that; but the insurer would also provide guidance to the project, best practices, risk management, specialist expertise on how to minimize the number of expensive fuckups on a given type of project, expertise that the customer might not have, or have at the same level. This was mutually beneficial, since the customer didn't want accidents, the insurer didn't want to pay for accidents, and everyone was happiest if the project went smoothly.

    In a case like this; the incentives might align better if the contractor were were delivering both the security and the breach insurance: this would immediately resolve the argument over whether the policyholder was negligent or the insurer needs to pay up: if the IT contractor got the systems hacked through neligence, that's their fault; and if they secured the systems; but a hack was still pulled off, that's where the insurance policy comes in.

    This scheme would run the risk of encouraging the vendor to attempt to hide breaches small enough to sweep under the rug; but it would otherwise align incentives reasonably neatly: an IT management/insurance hybrid entity would internalize the cost of the level of security it manages to provide(more secure presumably means greater expenditures on good IT people; but more secure also means lower effective cost of providing insurance, since you can expect fewer, smaller, breaches; and fewer, smaller, claims). If the equilibrium turns out to be 'slack off, pay the claims', that suggests that the fines for shoddy data protection need to be larger; but the arrangement would induce the vendor to keep investing in security until the marginal cost of extra work on IT was higher than the marginal gain from lower expected costs in claims; so the knob to turn to get better security is relatively accessible.

    1. Re:One possible way forward... by aaarrrgggh · · Score: 2

      Both levels need insurance, but I think you are right that the consultant needs the E&O coverage. One failure in the parallel though is time; if a bridge is built, the claim period lasts about 5-10% of its life. Same goes for most nonresidential buildings. What happens when a consultant is replaced on an account? Where does the new consultant assume liability for existing changes? Software bugs? Unpatched systems?

    2. Re:One possible way forward... by BVis · · Score: 2

      if the IT contractor got the systems hacked through neligence, that's their fault; and if they secured the systems; but a hack was still pulled off, that's where the insurance policy comes in.

      The IT contractor can't stay on-site 24/7 and monitor all the employees. The biggest security problems come from inside the organization; from idiots writing down their passwords to double-clicking on every single attachment that they get, users will never stop creating new and interesting ways to be complete fucking idiots.

      If I'm an IT consultant and suddenly have to take on the responsibility for all security breaches, I'm going to find another line of work. I'd spend all my time defending lawsuits from my clients who had a security breach due to nothing that I've done (or didn't do), but instead due to some moron ignoring the written AUP that I left with the client. Since as an IT consultant everything that happens on that network is my fault, I get either dragged into court by my client or my insurer refuses to pay and drops me, leaving me holding the bag for something that wasn't my fault. By the time I get done proving that what happened was not my responsibility, I've spent so much time getting the legal system to understand what happened and why it wasn't my fault that I haven't been able to create billable work for my other clients (if I have any after one of my clients gets broken into).

      The only way to avoid that would be to have a voluminous contract that covered as many "if your worker does X I'm not responsible" cases as could be described, and to have a network so locked down that people would barely be able to log into their computers. No client is going to put up with that, despite the fact that that's what they desperately need: to be protected from themselves. (And no client is going to sign that contract, because then it looks like you're trying to avoid responsibility for your work.) Plus you have the problem of your client refusing to implement a security precaution they desperately need because they refuse to change any of their processes, since "we've always done it that way". (Case in point: I used to work somewhere where we were storing complete CC information, including CVV codes, which is a BIG TIME PCI no-no. I put a stop to the CVV storage, but our back-office accounting system would not accept anything other than a complete CC number and expiration date for reconciliation later. I pointed out that we had no compelling business case to store that information, and got back "we've always done it this way". They refused to believe that we could have avoided storage and handled back-orders and refunds through tokenization supported by most major credit card vendors. So then they had a breach that cost them $200,000. They didn't change any of their processes.)

      No, the clients are the ones who need to be held responsible for data breaches. Make them expensive enough and they'll start paying attention, hopefully. Make them prove that they followed all the best practices required by the insurer AND all instructions given by the consultant, or don't pay. Only when companies start going out of business because their security was shit will people finally wake up. (Maybe the CEO goes to jail, too. A man can dream...)

      --
      Never underestimate the power of stupid people in large groups.
  5. Re:Perfect Security is Easy... by Aristos+Mazer · · Score: 2

    Stuxnet got onto Iranian centrifuges disconnected from the Internet and in locked and secured facilities. The problem is that at some point, someone has to communicate with these systems, so perfect security isn't possible... even just talking to them runs into the "little Bobby tables" problem.

  6. Good ... by gstoddart · · Score: 2

    because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges

    And now what we need is criminal/financial penalties for companies who are so blindingly inept at security.

    If your business model involves confidential personal information, and you are this incompetent, you have no business being in the business you're in.

    This just screams someone was lazy, stupid, indifferent, or cheap ... possibly all of these things.

    I can completely see insurance companies saying "hell no we're not paying".

    When companies start having actual liability for being that terrible at security, they'll do something. Right now, they can mostly just say "wow, we wish we were sorry".

    --
    Lost at C:>. Found at C.