Is Beazley Breach Response a Good Fit for Healthcare?

I was fortunate enough just recently to sit on a Cyber Liability Panel at ASHRM in Washington, D.C., moderated by Mary Anne Hilliard, president of ASHRM. The panel included representatives from two insurance firms that provide cyber insurance, Paul Bantick from Beazley and Kim Holmes from Chubb, as well as an insurance broker that specializes in cyber coverage, Joe Depaul from AJG Risk Management, as well as myself.

The panel discussion was very engaging and high energy. All of us are very involved in working with organizations to address data breach risks and incidents. And while there was a shared view as to the current environment, and its associated risks, there was some divergence among the panel as to how best to address these risks, specifically and especially for healthcare organizations.

As to the areas of agreement, there was clear consensus relative to the increasing level of instances of data security incidents and data breaches within the healthcare environment, as well as the fact that a growing number of healthcare organizations are looking at cyber insurance as a component of their overall data breach risk management program. These circumstances are somewhat indisputable.

Healthcare is the only industry that is required to report data breach occurrences to their regulatory authority, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), based on the HITECH Act and associated rulemaking by OCR on data breach notification. So unlike all other industries, the data is complete and public.

Relative to divergence in views, this was highlighted by a slide presented by Paul Bantick, who noted that there are two different approaches to cyber insurance – the “service model”, where the insurance company provides “breach management expertise and staff”, and the “bucket model”, which is the more traditional one where the insurance company provides the insured with a panel of approved vendors who have been vetted as competent and price competitive.

I believe that Paul considered Beazley Breach Response a policy that adopted the service model. And to a great extent, his presentation represented the service model as one that for cyber insurance is preferable to the more traditional model used by other insurance carriers.

I believe however that as with many things in life, there are tradeoffs between the models. Using another area of the health insurance world as an analogy, I think of the Beazley approach as being a lot like an HMO, where the other model used by many other cyber insurance carriers is more like a PPO.

In Beazley’s case, the client effectively transfers control of assessing and managing their data breach incident response to the Beazley team. They will provide their clients with assistance with privacy breach response services and with the investigation and notification process. And while they do provide their policy-holders with the flexibility to choose from a shortlist of lawyers and forensics firms to work with, Beazley will make the key decisions as to who will be speaking with your patients (the call center) and what identity protection product is offered, if any, to your patients.

Now, in industries where a data breach is a very rare event, and where the client is unlikely to have experienced staff in privacy breach issues, the Beazley service model approach may have some distinct benefits. By transferring control to their breach response team, you can quickly access resources to address an issue that you haven’t planned for. Just understand that your company culture and style may not be able to come through in the communication with the bulk of these decisions being made by the payer.

But for healthcare organizations, this approach has significant liabilities. First, healthcare organizations often have experienced, certified privacy, information security and compliance officers who are not data breach generalists, but are specialists in privacy, security & breach issues within the context of the very complex healthcare regulatory statutes and mandates. These professionals may not feel it is in their organizations’ best interests, nor those of their patients, to defer to their insurance company in making all of the key decisions relative to responding to a data breach incident, especially when the insurance provider doesn’t have staff with the same level of healthcare certifications.

Second, because of the nature of healthcare, potential data breach incidents are an on-going fact of life. An average hospital system may evaluate over 10 incidents or more every month, to determine if they are notifiable data breaches or not. And they will also typically have a methodology and maintain meticulous records around this process, because doing incident risk assessments is required by HHS/OCR Data Breach Notification Rules. Such an organization may not want to defer to their insurance company (or the selected lawyer) as to making this determination. And it would be especially burdensome to do this for every small potential breach that the healthcare organization must assess.

Third, one of the most important elements in responding to a data breach by a healthcare organization is addressing the real and perceived concerns of their patients. Unlike many industries, healthcare is special in the culture of patient caring and safety that pervades their organizations. And it is in this regard where Beazley’s “service model” has the most significant trade-offs and challenges. Beazley will decide who talks to your patients that have been affected by the breach, and they will decide what you offer them, as far as a product, to address their concerns.

Because of their relationship with Experian, the product offering will always be one of Experian’s credit monitoring products. The Experian monitoring may be well suited to breaches of financial information, but it is much less clear that they are helpful or appropriate for a data breach of protected health information (PHI). The risks that accrue to patients when PHI is exposed are very different, and it is very unlikely that credit monitoring will help them in addressing these risks, nor that Experian financial fraud resolution specialist will be terribly helpful with potential insurance or medical fraud issues.

While it is understandable why Beazley would want to standardize on a single monitoring (product and vendor) for all of their clients in all industries, that this enables them to provide their clients with a lower cost solution because of their volume buying power, it doesn’t, however, address the fact that the Experian offerings might not effectively address the real and perceived risks and harms to the patients that have been affected.

And lastly, by relying on Beazley to make the key decisions for your healthcare organization in dealing with a data breach response, you are entrusting them to make decisions that will stand up to the scrutiny of HHS/OCR when your breach is investigated. During such investigations, OCR will typically not only look at what you did in responding to the particular data breach that prompted the investigation, but will also investigate your broader HIPAA privacy and security posture, and how you assessed and managed other incidents, whether they were notifiable data breaches or not. Now to be fair, their coverage will probably pay for a portion of any fines or penalties that are assessed by OCR to your healthcare organization. But such payments will certainly not compensate for the stigma that will remain for being found negligent or otherwise inadequate by OCR in managing your patient’s very private personal health data.

So as you can probably discern, I believe that healthcare organizations in most cases, if they required cyber and data breach insurance, are better served by one of the other major carriers as opposed to Beazley.

Now to be totally transparent, I do have a dog in this fight, so to speak. My company, ID Experts, specializes in providing privacy and data breach solutions to healthcare organizations. We are the only provider endorsed by the American Hospital Association (AHA). We serve a who’s who of American hospital systems and other so-called HIPAA covered entities, including New York-Presbyterian, Memorial Sloane-Kettering, Johns Hopkins Hospital, Henry Ford Health, to just name a few.

And because we specialize in healthcare, we have optimized our offerings to work in partnership with the privacy, information security, compliance and legal officers in our healthcare clients, and to provide them with product and services that address the HIPAA/HITECH privacy, security and data breach notification provisions in law and rule. We believe that it is critical to go deep in healthcare, in order to help them with addressing these issues and risks.

With Beazley’s decision to adopt their “service model”, they negate the option for their clients to use ID Experts for data breach response. And as I said earlier, while this might be a benefit for organizations in industries where breaches are rare and that are unlikely to maintain privacy, infosec and compliance expertise on staff, this in many ways is often not the best approach for healthcare organizations to pursue when purchasing cyber and data breach insurance. Fortunately, most other insurance companies that are providing cyber and data breach coverage, do not take this posture. If you choose cyber insurance from Chubb, ACE, Chartis, or most other carriers, you will both be able to maintain choice and control in dealing with data breach decisions, and you’ll have the option of working with ID Experts if we’ve worked hard enough to earn your trust and your business.