Insurer Won't Pay Out For Security Breach Because of Lax Security

chicksdaddy writes: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Disputes like this may become more common, as insurers anxious to get into a cyber insurance market that's growing by about 40% annually use liberally written exclusions to hedge against "known unknowns" like lax IT practices, pre-existing conditions (like compromises) and so on.

Seems reasonable

[Bruce66423]

If a company cuts corners on security, then in the same way that if I leave my door unlocked and get burgled, I can't make a claim. There's going to be a good living for lawyers establishing what is the required level of security. But if this incentivises senior managers to ask the right questions, then it's probably a good development.

Re:Seems reasonable

[JaredOfEuropa]

The hard part is indeed establishing what the right level of security is and how to evaluate companies against that. At least over here, the exclusions for burglary are pretty clear cut: leaving your door or a window open, and for insuring more valuable stuff there are often extra provisions like requiring "x" star locks and bolt, or a class "y" safe or class "z" alarm system and so on. With IT security, it's not just about what stuff you have installed and what systems you have left open or not; IT security is about people and process, as much or more than it is about systems.

Re:Seems reasonable

[fuzzyfuzzyfungus]

Not that real world IT systems often ascend to this level of security; but the issue is not going to be clarified by the fact that the analogy to physical security is only partially accurate: everyone accepts that (for a given purpose; bank vaults and nuclear installations get judged differently than houses) there is some level of 'reasonable security', which reflects appropriate caution on the policyholder's part; but is known to be breakable. Materials have limited strength, police have nonzero response time, sensors generate false negatives.

With IT systems(at least at the level of software attacks, if they break in at the silicon level it's another story), there is a platonic essence of 'the secure' floating out there, though generally far, far, far, too expensive, cumbersome, and slow to build to ever see the light of day; and there really isn't the same degree of agreement about what counts as 'secure enough for X' or 'incompetent'. Gross incompetence is something you can identify, and there are various formally proven systems in existence, mostly for the constrained use cases of cost-insensitive customers; but the stuff in the middle is very much up in the air.

Re:Seems reasonable

[Rich0]

everyone accepts that (for a given purpose; bank vaults and nuclear installations get judged differently than houses) there is some level of 'reasonable security', which reflects appropriate caution on the policyholder's part; but is known to be breakable.

I agree with your post. I'll just add that a big problem with IT security is that companies cannot rely on the same level of protection from governments in preventing intrusion.

For example, if I have a safe in my house, the means an attacker would have to penetrate it are going to be limited. Since my township has police and neighbors that wander around, they can only spend so much time there before they're likely to be detected. They can generally only carry in stuff that will fit in the doors and is man-portable, since if they have to cut a hole in the house and lower their equipment using a giant crane somebody is likely to notice. If they want to use explosives they will have to defeat numerous regulatory and border controls designed to prevent criminals from gaining access to them, and of course they will be detected quickly. Some destructive devices like nuclear weapons are theoretically possible to use to crack a safe, but in practice as so tightly controlled that no common thief will have them. If the criminal is detected at any point, the police will respond and will escalate force as necessary - it is extremely unlikely that the intruder will actually be able to defeat the police. If the criminal attempted to bring a platoon of tanks along to support their getaway the US would mobilize its considerable military and destroy them.

On the other hand, if somebody wants to break into my computer over the internet, most likely nobody is going to be looking for their intrusion attempts but me, and if they succeed there will be no immediate response unless I beg for a response from the FBI/etc. An intruder can attack me from a foreign country without ever having to go through a customs control point. They can use the absolute latest technology to pull off their intrusion. Indeed, a foreign military might even sponsor the intrusion using the resources of a major sate and most likely the military of my own state will not do anything to resist them.

The only reason our homes and businesses have physical security is that we have built governments that provide a reasonable assurance of physical security. Sure, we need to make small efforts like locking our doors to sufficiently deter an attacker, but these measures are very inexpensive because taxpayers are spending the necessary billions to build all the other infrastructure.

When it comes to computer security, for various reasons that secure environment does not exist.

Re: Seems reasonable

I'm not so sure about that. I've had the misfortune of dealing with auditors whose definition of best practices included completing non-deviation from things they obviously read out of a college textbook and do not understand at all.

The notion of actual risk and threat analysis and applying practices to suit situations was completely alien to them.

I've also dealt with very competent auditors. I rather miss dealing with them. I imagine the incompetent ones cost less, and that kind of thing is going to be a problem as security audits become more prevalent.

That, and we must never forget that as much as we may applaud the insurance company in this particular story for calling out poor practices, the primary purpose of a modern insurance company is to take your money and give you nothing in return. Everybody needs to be very aware of that, and be untrusting in all your dealings with anyone in the insurance business.

Re:Seems reasonable

[luis_a_espinal]

The hard part is indeed establishing what the right level of security is and how to evaluate companies against that. At least over here, the exclusions for burglary are pretty clear cut: leaving your door or a window open, and for insuring more valuable stuff there are often extra provisions like requiring "x" star locks and bolt, or a class "y" safe or class "z" alarm system and so on. With IT security, it's not just about what stuff you have installed and what systems you have left open or not; IT security is about people and process, as much or more than it is about systems.

I would disagree with you on this (somewhat). There are well established practices on how to build secure systems, for each major development platform (JEE, .NET, RoR, etc) and also for general decision-making.

Any organization, big or small, needs to be able to come up with scenarios and questions for things that need care, and for which it might need to provide evidence of attention. The important thing is to execute due diligence when it comes to defending your business against attacks, and to demonstrate providing evidence of such due diligence.

If we are in e-business or are bound by PCI, HIPAA and/or SOX compliance, the following questions would come to mind (just an example):

1. Are we addressing the top 10 risks identified by OWASP?
2. 1. If so, can we quickly identify how we address them?
   2. What other risks identified by OWASP do we address and how?
3. How do we address CERT alerts and advisories?
4. Are we on top of security patches?
5. Are the underlying systems security patches up to date?
6. 1. If so, can we quickly provide evidence of this?
7. If we are bound by HIPAA and/or SOX how do we address security concerns that might stem from these regulations?
8. 1. How do we quickly provide evidence (evidence of process and assurance)?
9. Do we have a multi-tiered architecture, or do we run everything co-located?
10. Are back-end databases on their own machines, in their own subnets outsize of a DMZ?
11. Are "mid-tier" services on their own machines, separated from databases?
12. Are they in a DMZ? Are they proxied by a HTTP server in different machines?
13. Do we have firewalls? If so, do we keep an inventory of their rules?
14. Are we up to date with patches for network assets (firewalls, SSL appliances, etc)?
15. Are we still on SSL 3.0 or older versions of TLS?
16. Do we specifically disable anonymous ciphers?
17. If we use LDAP, do we disable anonymous binds?
18. Do we use IPSec to secure all communication channels (even those internally, a requirement for banking in several countries)?
19. If not why? How do we compensate?
20. If we are in E-Commerce, how do we demonstrate that we are PCI-compliant?

In my opinion and experience, these questions present the starting point for a framework to determine the right level of security in a system. More should be piled on this list obviously, but anything less would open a system to preventable vulnerabilities.

And that is the thing. The right level of security is the one that helps you deal with preventable vulnerabilities that you, the generic you, should know well in advance, vulnerabilities that are well documented. How costly the prevention is, that is a different topic, and any business will be hard press to justify to an insurer that they forego to deal with a vulnerability because it was too expense.

Answers to those questions and evidence of such would constitute proof that an organization followed reasonable due diligence in establishing the right level of security. Moreover, it will have a much greater chance to disarm an insurer trying to find a way to avoid covering damages.

Notwithstanding the ongoing abuses done in the Insurance business, insurers have rights also. My general health and life insurance is not going to pay up my family if I kill myself while base jumping with blood alcohol levels up the wazoo.

Ahh..a pity.

[fuzzyfuzzyfungus]

For one brief shining moment, I thought that this story was about a health insurance company being dragged into court and beaten on by their insurance company; and my heart leapt and sang with the unalloyed joy of a Norman Rockwell puppy; because that would just be so beautiful.

Alas, 'Cottage Health' is a medical provider of some sort, so such feelings swiftly evaporated.

That aside, this seems like a situation that is simultaneously common sense(Obviously you won't be able to buy 'cyber insurance' that covers egregious negligence, at least not for any price that doesn't reflect an essentially 100% chance of payout, plus the insurer's profit margins and transaction cost); and likely to be an endless nightmare of quibbling about what 'security' is.

We've all seen the long, long, history of attempts to do security-by-checklist, most of which allow you to say that you 'followed industry best practices' by closing the barn door after the horse is long gone, so long as the barn door was constructed with galvanized nails of suitable gauge and is running any antivirus product, efficacy irrelevant. It's not as though 'security' is fundamentally unknowable and intersubjective, man; but it sure isn't something you'd want a lawyer or a layman attempting to boil down into a chunk of contractual language. Barring some miracle of clarity, I suspect that we'll see quite a few dustups that basically involve the insurer's expert witnesses smearing the policyholder's security measures(if they did it by the checklist, the expert witnesses will be snide grey hats who eat 'best practices' for lunch, if they deviated from the checklist, it'll be hardasses on loan from the PCI compliance auditing process, if they implemented a mathematically proven exotic microkernel it'll be somebody asking why Windows Updates weren't being applied in a timely manner); and the policyholder's expert witnesses puffing like salesmen about how strong the security was; and how it must have been an 'advanced persistent threat' to have hacked through such durable code walls.

The fundamental question of 'did you fail to lock the door, or did somebody take a crowbar to it?' is sensible enough in the context of an insurance claim; but rigorously defining what 'locking the door' means in a complex IT operation; and where the boundary between 'incompetence' and 'unavoidable imperfection' lies, is not going to be pretty. My only hope is that if any of these go to jury, the lawyers decide to strike anyone who sounds like they might know something about computers; because it's going to be a long, boring, slugging match of a case.