USI Insurance Services
Cyber and Privacy Liability for Healthcare Providers
USI Management and Professional Services
2Confidential
Cyber and Privacy Exposures Are Significant Sources of Liability Claims Against Healthcare Providers
Cyber Liability: 1st and 3rd Party risks associated with on-line activities (Internet, Network and Data Assets)
Privacy Liability: Liability arising out of misuse or improper disclosure of Personal Data (e.g., Social Security Number or Credit Card)
Errors & Omissions
• Typically excludes a security breach
• Typically tied to/requires an act of negligence to trigger coverage
General Liability
• Excludes damage to and corruption of electronic data
• Covers only “tangible” property
• Personal & advertising liability does not cover violations/misuse of private information
Property Insurance
• Coverage is specific to physical loss or damage to tangible property (named)
• Courts have consistently held that data is not tangible property
Crime Insurance
• Covers loss due to employee theft of money, securities or other property
• Property must be tangible and have intrinsic value
• No coverage for confidential information
The Insurance Gap
Cyber & Privacy Claims are Not Covered under Traditional Insurance Policies
Providers Increasingly Challenged to Manage Expanding Regulations with Limited Budgets and Resources
Health Insurance Portability and Accountability Act (HIPAA): Applies to health care businesses and any employer that provides health care benefits
State Breach Laws: 46 states have enacted legislation requiring security breach notification involving personal information – with no “overarching” Federal law, state statutes control.
Payment Card Industry Data Security Standard (PCI DSS): Worldwide security standard created to prevent credit card fraud
Federal Trade Commission (FTC): 2012-13 most active enforcer; new role similar to the EEOC of the last three years
Fair and Accurate Credit Transactions Act (FACTA): Disposal Rule, passed in 2003, created standards to help reduce identity theft and allows consumers to obtain a free annual credit report
HITECH Act: Applies to certain healthcare facilities and is an expansive amendment to HIPAA
Health records commonly include date of birth, social security number, credit card number and address
Healthcare breaches increased 32% in 2011 over 2010
Providers increasingly utilize hospital, pharmacy, payor and network computer systems to transmit patient information electronically
Lack of employee training in data security and privacy in healthcare
Lax office procedures related to confidential patient information
Increased Cyber and Privacy Liability regulatory challenges:
HIPAA Act (Federal)
HI-TECH (Federal) & PPACA
State laws (e.g., California Confidentiality of Medical Info)
Healthcare Industry Number One Target For Criminal Organizations Looking for Personal Information
Average Cost of Data Breach in 2011: $5.5 million*
*Source: Ponemon Institute and Symantec
Health system accidentally posts medical records of thousands of patients on the Internet. Class action suit filed seeks $10 million in damages. OCR notification costs $1+ million with total costs at $20+ million.
May 2012: two physician clinics settled for $100,000 with HHS and OCR regarding HIPAA violations; investigation triggered by public calendar posting of patient appointments.
Small MA hospital settled with State Attorney General for $750,000 on HIPAA violations; hospital shipped three boxes of unencrypted data to third party to be erased; only two boxes arrived at facility.
June 2012: CT Medical Board fined a doctor $20,000 for unauthorized download of patient data.
May 2012: Receptionist at psychological institution found liable for $2 million in ID theft and fraud; ordered to pay approximately $360,000 in restitution. Fines against institution under discussion.
Information no longer resides exclusively on servers: Data has gone mobile, limiting the effectiveness of firewalls and other controls at even the most advanced firms!
Privacy and Cyber Liability for Healthcare Providers – Increased and Unique Risks I
HIPAA virtually unenforced from 2005 to 2010. Starting with the passage of the Hi-Tech Act, the Dept. of Health and Human Services has stepped up enforcement actions through the Office of Civil Rights (OCR).
Plaintiff Attorney fees have increased as complexity and potential awards have increased. A patchwork of both State and Federal statutes provide multiple actionable causes and there is no sign of abatement.
Beginning September 2012, with rules expanding in January of 2013, TX HB300 expands HIPAA requirements to businesses of all shapes and sizes in Texas, exponentially increasing statutory exposure.
Healthcare Holds or Transmits More Personal Data than Any Other U.S. Business Segment
Bottom Line: Healthcare businesses must begin evaluating their cyber and privacy liability exposures and consider insurance coverage solutions!
[Chart: breach incidents by type, source: http://datalossdb.org. Categories shown: Hack, FraudSe, StolenLaptop, Web, Disposal_Document, StolenDocument, Unknown, StolenComputer, SnailMail, LostDrive, LostDocument, Virus, StolenDrive, LostMedia, LostTape, LostMobile, DisposalComputer, StolenMobile, MissingLaptop, StolenMedia, MissingMedia, LostLaptop, StolenTape. The two leading shares are 30% and 17%; the remaining categories range from 9% down to 0%.]
Almost 50% of Losses Come From Fraud and Hacking
The USI SOLUTION
EXPERIENCE
• Coverage is modular – it is essential to know which coverage fits a specific risk
• Policy language varies from carrier to carrier, no two policies are the same.
EXPERTISE
• Dedicated team of Network Security & Privacy experts
• Experience in the policy features critical to Health Care Providers
MARKET LEVERAGE
• Access to the leading network of insurance carriers
• Ability to creatively tailor coverages to meet the needs of each unique client
1st Party Coverage: Losses Your Company Suffers Directly
Cyber Extortion: Covers costs to investigate, negotiate and settle if credibly threatened or if an extortion demand is received. Wording is essential, as the distinction between extortion/terrorism/act of war, etc. is developing.
Data Asset/Data Restoration: Covers data restoration expenses after a covered data breach; this does NOT mean the cost of new software/hardware, but restoration to pre-loss condition.
Business Interruption: Covers costs and expenses resulting from a shutdown of operations due to a covered data breach; not always included in standard coverage. The “waiting period” for coverage is typically 24 hours. However, this should be discussed, as some organizations (high tech, online services, etc.) require a shorter trigger.
Crisis Management: Covers the cost to hire a public relations firm to protect brand image and reputation following a breach.
3rd Party Coverage: Losses Suffered By Your Patients or Clients
Media or Content Liability: Covers insured’s economic liability when hackers / unauthorized users access the Insured’s systems to inflict damage on others. Covers unauthorized access, unauthorized use and denial of service attacks, etc.
Privacy Liability Coverage and Breach Response: Covers defense and damages related to allegations of the insured’s failure to protect private or confidential patient data, whether in electronic or paper form, including defense and settlement costs.
Coverage may include the following, subject to sub-limits or on a per-record basis: Notification Expenses, Credit Monitoring, Event Management, Governmental Regulatory Claims.
Additional 3rd Party Coverage
Intellectual Property: Responds to loss arising from infringement of trademark, copyright and other protected sources; typically a SEPARATE POLICY is required to provide more expansive coverage for patent portfolios.
Media or Content Liability: Responds to advertising injury for losses arising from display of material online and advertising,
Interested in Learning More?
Toni L Ferrari
Commercial Insurance Executive, Healthcare Practice
Mid-Atlantic Region
Phone: 757 640 5466
Mobile: 757-406-5229
toni.ferrari@usi.biz