In late 2013 Cottage Health System, the operator of a network of hospitals in Southern California, discovered that hackers had stolen 32,500 patient records. Cottage was sued for $4.1 million, which was paid by the insurer, Columbia Casualty Company, as provided by the policy.
Now, Columbia is suing Cottage for reimbursement, alleging that Cottage and its third-party vendor, INSYN Computer Solution, Inc., stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information as required by the policy.
“Insurers are denying coverage to companies that fail to take even the most obvious security measures. But many businesses don’t think about security vulnerabilities with open source software,” says Mike Pittenger, vice president of product strategy for Black Duck Software, Burlington, Mass., which helps companies safeguard and manage their use of such software.
Open source software is generally what we think of as “free” software developed by communities, for example, OpenSSL or Mozilla Firefox, Pittenger explains. It’s trusted enough that companies use many of these open source libraries to provide the basic functionality that they need in an application. Then the company provides its own logic code to make the application work the way the developer wants it to work. Even large developers like Microsoft may incorporate some open source software into their products.
The problem comes in when open source software is updated or patched, Pittenger says, but companies don’t know that the code is buried in the commercial software they’re using, which increases their data security risk. As a result, businesses are hiring Black Duck Software, among others, to notify them when new vulnerabilities are discovered and to help them patch or update the software.
Pittenger provides the following six tips for agents who want to help their clients minimize their software vulnerability.
1. Meet minimum requirements for cyber coverage
Pittenger notes that the minimum security requirements from Columbia were what he characterizes as “basic hygiene.” For example, Cottage was required to change the default password that came with its network firewall. If the software that Cottage was using issued a patch or update, Cottage was required to install it within 60 days. However, Cottage, like many other organizations, outsourced its technology operations to a third party that didn’t meet the minimum requirements of the policy. In addition, Cottage didn’t have the controls in place to ensure that requirements were being met, and consequently they were hacked.
“Cyber coverage requires due diligence on the part of the insured,” Pittenger points out, “and agents should be asking their clients how well they’re managing the risk of a data breach.” At a minimum, most policies include a requirement to install patches as they’re issued by the software companies. Failure to install the patches can lead to denial of coverage, as the Cottage case demonstrates.
2. Monitor continuously
If you’re buying cyber coverage, you have to be aware of the minimum required standards, and understand that you’re ultimately responsible for meeting those standards—even when you’ve outsourced data management, Pittenger says. Just signing a contract isn’t enough, as Cottage learned. Its third-party vendor is too small to reimburse Columbia for the cost of the settlement, so Cottage may have to repay the $4.1 million if it loses its case.
Educating the buyers of cyber insurance as to their obligations to meet the policy’s minimum requirements to maintain that insurance is very important, Pittenger says. But before your company can manage its risk, you need controls in place, and you need to understand the vulnerabilities of your system.
Ongoing monitoring, which is more than just auditing your technology operations once a year, is key, Pittenger explains. Agents should explain to clients that the insurance company will most likely do an audit—a snapshot in time of the security profile of the business—before issuing coverage, but the client is ultimately responsible for monitoring.
Agents also should be aware that their small business clients are especially vulnerable. “Smaller organizations often use packaged software, and they outsource their IT management,” notes Pittenger, “so they don’t have a security center that’s doing any monitoring—or they don’t think about it.”
3. Understand the software that you’re using
“Understand the software you’re using, its security measures and vulnerabilities,” Pittenger says. As a first step, know what information you have, where it is at all times, and what applications control it so you can prioritize those application security efforts.
Next, be sure you have policies and procedures to update the software whenever updates are available—and that those policies and procedures are followed correctly and promptly. If you’re using a third party to manage your technology, ensure that the third party has policies and procedures in place as well. “You can outsource the operation but not the responsibility for the security,” Pittenger says.
4. Know where your data is
“Small retailers or similar businesses often outsource PCI [payment card industry] compliance,” Pittenger observes. “When your dry cleaner swipes your credit card, the information often goes to a third party processor.” Other small businesses may use a vendor like Square or PayPal.
Agents should explain to clients that they still have primary liability for the data, even though the outsourcing agreement may include a requirement for the vendor to meet PCI security standards. “Advise your clients to be sure they’re not storing credit card numbers on any electronic devices or local computers,” Pittenger says. Outsourced data is going “into the cloud,” and it should be encrypted in transit and at rest.
Businesses also should ask about the physical security at the data storage center, as well as information security, he adds. For example, many data centers require a handprint to enter or only allow one person at a time to pass through the door.
5. Comply with federal and state regulations
Depending on what kind of business you operate, Pittenger points out, you also may be responsible for compliance with state and federal laws. In addition to the lawsuits by patients, Cottage is facing an investigation by the California Department of Justice. The investigation will determine whether Cottage complied with its obligations under HIPAA and any other pertinent state and federal laws and may potentially result in the imposition of fines, sanctions or penalties.
For agents whose clients include medical or dental offices, pharmacies, or other healthcare providers, it’s important to remind them that they must have some level of controls in place to comply with HIPAA and other related laws, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
6. Secure all devices including smartphones and tablets
“Remind your clients to consider handheld devices too,” Pittenger says. Understand how they connect to your corporate network, and what data is stored on the device.
Many insurance professionals use mobile devices “on the road,” but those devices generally don’t have the same level of security as corporate laptops or desktops.
Selling cyber insurance coverage to small or mid-sized businesses can be a great opportunity for agents and brokers. It also provides them with opportunities to educate their clients, demonstrating the value they bring as business partners.