Healthcare organizations are increasingly looking at cyber insurance to help in managing privacy breach risks; this article discusses reasons why the Beazley Breach Response program may not be a good fit for many healthcare organizations that have it. I believe we give credit where it is due, and we also discuss the finer points of responding to a breach… how the “unconventional” service model may restrict a breached entity from having the response it once envisioned.
“First, healthcare organizations often have experienced, certified privacy, information security and compliance officers who are not data breach generalists, but are specialists in privacy, security & breach issues within the context of the very complex healthcare regulatory statutes and mandates. These professionals may not feel it is in their organizations’ best interests, nor those of their patients, to defer to their insurance company in making all of the key decisions relative to responding to a data breach incident, especially when the insurance provider doesn’t have staff with the same level of healthcare certifications.
Second, because of the nature of healthcare, potential data breach incidents are an ongoing fact of life. An average hospital system may evaluate 10 or more incidents every month to determine whether they are notifiable data breaches or not. And they will also typically have a methodology and maintain meticulous records around this process, because doing incident risk assessments is required by the HHS/OCR Breach Notification Rule. Such an organization may not want to defer to their insurance company (or the selected lawyer) in making this determination. And it would be especially burdensome to do this for every small potential breach that the healthcare organization must assess.
Third, one of the most important elements in responding to a data breach by a healthcare organization is addressing the real and perceived concerns of their patients. Unlike many industries, healthcare is special in the culture of patient caring and safety that pervades its organizations. And it is in this regard where Beazley’s “service model” has the most significant tradeoffs and challenges. Beazley will decide who talks to your patients who have been affected by the breach, and they will decide what you offer them, as far as a product, to address their concerns.”
Among the other points Doug makes is that offering credit monitoring to victims of a healthcare data breach makes little sense. Credit monitoring does not protect a victim from medical identity theft: a stolen insurance ID or medical record can be used to obtain care or bill fraudulent claims in the victim’s name without anything ever appearing on a credit report.
You can read all of Doug’s post, “Is Beazley Breach Response a Good Fit for Healthcare?”, here.