Category Archives: Cyber insurance

Best Practices in Securing Healthcare Data

 

Health is wealth. An old saying but it upholds an important underlying meaning. Consumers spend a great amount of money on wellness, prescriptions, medical examinations, lab tests, various auxiliary health procedures etc. With this, healthcare organizations have become a repository of vast amounts of sensitive data that these consumers share, making them soft targets for data beaches.

ITRC, Identity Theft Research Center, studied the trends of data breaches and concluded that in 2015, 35.5% of the breaches occurred in the healthcare sector. And 66.7% of the total records that were exposed were from healthcare industry.  ITRC also claims that as of date in 2016, 34.9% of the breaches and 34.6% of the total records compromised are from healthcare; an overwhelming 4 million records have been reported to be affected in just the first few months of 2016.

Zecurion has put together a list of best practices that healthcare organizations are recommended to follow in order to protect themselves from such incidents.

Early Detection through Proactive Monitoring

Having efficient algorithms and rules for the network helps detect early if PHI and PII is being accessed without proper authorization. Many automated tools are available today that can discover any such breach at the initial stage itself. And early detection can thwart data loss incidents.

Towards this, solutions such as Zecurion’s Zgate enable companies to monitor all forms of outbound network traffic and online communications. It also helps identify sensitive information and prevents it from leaving the network. Zgate uses hybrid content analysis – combining digital fingerprints, Bayesian methods, and heuristic detection – to filter outbound traffic and detect confidential data.

Multilayer Security Authentication

Multilayer security authentication is a must. Options for finger print, retina test or scanning of a smart card should be added to regular password options to establish identity of the actual user. User role needs to be identified comprehensively, and accordingly the extent of authorization should be granted.

Encryption, Encryption, Encryption

Healthcare servers have vast sources of confidential information stored. Proper encryption of stored data can prevent data loss. Zecurion’s Zserver offers an excellent solution in this context. The solution encrypts information on hard drives, disk arrays and SAN storage using innovative and sophisticated cryptographic techniques. This protects stored information whenever physical control of the media is impossible, whether moving data to the cloud, or in the case of hard drive loss.

Update Security Patches Frequently

Antivirus and firewalls should not be outdated or obsolete. The software should be current and running 24/7 365 days without failure. Still just deploying antivirus is not enough. Securing the endpoints is equally important to prevent data loss.

Set Up Dedicated Risk Assessment Team

The management should have a formal dedicated risk assessment team to look into various techniques, procedures, and access points from where the PHI and/ or PII leaves the system. The team may pose as insider threat actors and hackers, play bad cop and come up with customized solutions and risk mitigation plans to protect against breaches.

Implement Incident Response Plan

Drawing up an efficient incident response plan helps in mitigating and containing the aftermath. This is very important for the reputation of the organization. When reputation is at stake, having a robust plan that streamlines what needs to be done, when and how, saves time, money and credibility.

Cyberinsurance

Cyberinsurance is an option that healthcare organizations should consider to offset any financial liabilities that may occur as a result of data breaches.

Conclusion

Data loss prevention solutions are a must-have for healthcare organizations. They should be deployed without hindering or slowing down the access of information to care givers. While there is no fool-proof solution to any breach, it is best to go with the saying “prevention is better than cure”.

Cyber Insurance –Driving Demand for Data Loss Prevention

No matter how robust and agile the system is, how efficient the organization’s policies and regulations are and how secure the network connections are, there is always a daunting risk of data loss either maliciously, by human error or due to system glitches. The total monetary loss after a cyber-attack encompasses both tangible and intangible elements such as loss of direct monetary gain, expenses related to specialist lawyer, IT forensics experts, investigators, various fees and penalties, digital disruption, credit monitoring, slump in good will etc. – all of which can be humongous.

This is enough justification for companies – large, medium or small – to get Cyber Liability Insurance Cover or CLIC. Of course, the coverage will not be the same for all but has to be customized as per the entity and therefore will have various terms and conditions and pricing. The major factors that dictate the type of CLIC are the type of data aggregated, size of the company and extent of the potential risk.

Cyber insurance companies offer add-on services with CLIC to custom build policies for organizations. Be it lawyers, forensic experts, spend on crisis management solutions, notification and restoration expenses – all become an intrinsic part of the coverage.

Cyber insurance companies that provide the best fit will typically have the following elements covered as part of their packages:

  • First party as well as third party coverage
  • Premium pricing
  • Claims payout
  • Underwriting risks
  • Ability to offer coverages ( policies, term and conditions) over a wide spectrum of cyber risks which include theft of intellectual property, data and software loss, network failure liabilities, data destruction, DoS, etc.

Similarly, underwriters at cyber insurance companies look for the following factors while setting premium rates for CLIC:

  • Check if data loss prevention (DLP) solutions are implemented. Also check for types of encryption, security for access points in the system. A comprehensive DLP solution could typically result in lower risk and hence lower premiums.
  • Understand awareness level of employees around access policies. This includes checking if regular trainings are held to keep employees updated on systems and policies in place. How well educated employees and vendors are about regulations and compliance has a significant bearing on CLIC.
  • Check what risk mitigation plan is in place in case of a data breach incident.

As in the case of any traditional insurance, if there is a rise in the number of claims and payouts, the CLIC deductible and premium increases. Or, the payout is cancelled completely when capped. As a result, organizations looking for CLIC usually demand more comprehensive data loss prevention solutions. When an underwriter sees and is convinced that the organization has taken good measures to prevent data losses, it may result in in lower deductibles and premiums.

What is the state of cyber insurance market in the US?

According to RnRMarketResearch.com, the cyber insurance global market was at an estimated US$ 2.5 billion in terms of gross premiums in 2014. In the US specifically, 46 states have made it a law that data breach incidents be notified publicly resulting in exponential demand for cyber insurance. Although 90% of the global cyber insurance policies are bought by US companies, yet only one-third of the US companies are covered. PwC predicts the market will grow to an estimated US$ 7.5 billion in annual premiums by 2020. Allianz, a German insurer, predicts the market to grow to US$ 20 billion by 2025. This will be a driving force in putting forth better policies and measures for DLP in companies.

Following are some of the key cyber insurance trends that were seen in 2015:

About 60% of brokers say that there has been a significant increase in the number of companies seeking cyber insurance in 2015, resulting in greater demand for DLP solutions.

Healthcare has seen the highest growth in cyber insurance demand due to its high vulnerability. Use of DLP could drastically reduce insurance-related costs.

Overall, awareness and news about data breaches accounted for more than 70% of CLIC sales.

Wrapping up, one can say that embracing cyber insurance at the correct time is imperative rather than taking the burden of monumental payoff in case of data breaches. The transfer of risk to a third-party gives an edge over competitors in the long-term by unlocking the potential for sustained growth. Simultaneously, reforming current policies and/ or pushing in for better and more effective DLP solutions is equally vital to keep cyber insurance related costs under control.