There are many ways to skin a cat, and even more ways to handle a healthcare data breach response. As more and more healthcare organizations look into cyber insurance, or privacy insurance, understanding the different ways insurance carriers approach breach response is key. HealthIT Security has a great rundown on the pros and cons of different approaches.
In a recent blog post on IDexpertscorp.com, Doug Pollack of IDExperts said that he had a chance to weigh the benefits of the Beazley system during a Cyber Liability Panel at the American Society for Healthcare Risk Management (ASHRM) in Washington, D.C. While Pollack’s company specializes in privacy and data breach solutions and could be called a Beazley competitor, he raises some good points about cyber insurance.

Paul Bantick, head of Beazley’s technology, media and business services team in London, said that Beazley takes a “service model” approach to cyber insurance, in which the individual insurance company offers breach management expertise and staff. And he maintained that there’s also a bucket model, where it provides the providers and patients with a panel of approved vendors. Pollack believes that the Beazley plan is similar to a health maintenance organization (HMO), whereas the bucket approach is similar to a preferred provider organization (PPO). Providers are essentially giving full control of data breach management to the Beazley team. Pollack sees a few problem areas with this line of thinking:

- Hospital CIOs and compliance officers, especially at large organizations, may “not agree that it’s in the organizations’ best interests, nor those of their patients, to defer to their insurance company in making all of the key decisions relative to responding to a data breach incident, especially when the insurance provider doesn’t have staff with the same level of healthcare certifications.”
- Because an average hospital may evaluate 10 or more potential incidents per month, it may be asking too much to go through the Beazley cyber insurance process for every small potential breach that the healthcare organization looks at.
- Do healthcare providers really want to defer to Beazley the decision on who talks to their patients who have been affected by the breach? It would also decide what products providers will offer patients to aid security concerns.
- Lastly, and perhaps most importantly, providers would be leaving it up to Beazley to deal with the Department of Health and Human Services (HHS) in the event of a Health Insurance Portability and Accountability Act (HIPAA) violation. Most hospitals would likely want to control their own fate in that situation, so that may be a roadblock to adoption.