ThinkAdvisor

5 ways cybersecurity could cause cyber hives


Health insurers say poorly designed regulator responses to hackers and malware could backfire, by adding costs and red tape without doing much to improve data security.

Matt Pratt of America’s Health Insurance Plans (AHIP) and Kim Holland of the Blue Cross Blue Shield Association make that case in comments on a set of draft principles for effective cybersecurity regulatory guidance.

Members of the Cybersecurity Task Force, an arm of the National Association of Insurance Commissioners (NAIC), discussed the draft, and interest groups’ comments on it, Sunday in Phoenix at the NAIC’s spring meeting.

The task force unveiled the draft March 12. Originally, public comments were due March 23. The task force ended up extending the comment period to April 10, to give members of the public more time to weigh in.

See also: Anthem hack may have involved millions who aren’t customers

J. Kevin McKechnie wrote, on behalf of the American Bankers Association (ABA), that the ABA and its insurance arm, the American Bankers Insurance Association, like the draft principles but believe the NAIC should put more emphasis on software vendor disclosure and software patchability.

McKechnie asked the NAIC to back H.R. 5793, a bill that would create standard measures of software systems’ “cyber hygiene.”

See also: Cyber-huddle: Treasury gathering insurance sector for briefing

Representatives from the Center for Economic Justice, the Consumer Federation of America, United Policyholders and the National Consumer Law Center wrote a joint comment emphasizing that insurance regulators should apply strong data security standards to insurance producers as well as to insurance issuers.

Pratt and Holland welcomed the NAIC’s work on cybersecurity, but they asked regulators to adjust what the draft principles say about insurance regulators’ role in that area.

When the human immune system has trouble dealing with an actual, or imagined, threat, it can produce reactions ranging from a runny nose to shock. The insurers’ worry is that regulatory overreaction to cyber threats could produce a similar kind of hives.

For a look at Pratt and Holland’s ideas about how poorly focused regulatory principles could add to the burden inflicted by the data breach threat, read on.


5. Regulators could impose overly specific requirements.

The 14th principle in the current draft calls for insurers and insurance producers to join the Financial Services Information Sharing and Analysis Center (FSISAC), to “share information and stay informed about cyber and physical threat intelligence analysis and sharing.”

Pratt and Holland say they strongly disagree with the idea that the NAIC should require insurers to join any specific group.

FSISAC, for example, has been more helpful for banks than for insurers, and many health insurers already belong to the National Health Care Information Sharing and Analysis Center (NH-ISAC), the commenters say.

See also: Benner on tech: Anthem


4. Regulators could add a new round of cyber conduct examinations.

Pratt and Holland say it would be better if regulators verified whether an insurer has sought out external validation of its defenses, rather than trying to conduct their own cybersecurity examinations.

“It is important to note that cybersecurity talent is very limited, due to the current demands of government and industry,” the commenters write. “This demand, and the corresponding resource drain, will continue into the near future. State insurance regulators will have a difficult time acquiring the talent or knowledge to enable each state to independently support this principle.”

See also: Royce Unsatisfied With NAIC Response, Cites NAIC Role in Multi-State Exams


3. Regulators could end up getting too involved in data security system details.

The second principle in the current draft states that, “Insurance regulators have a significant role and responsibility regarding the insurer’s efforts to protect sensitive customer health and financial information.”

“We are concerned with this principle’s breadth,” Pratt and Holland write. “Insurance regulators may play a role here in overseeing the compliance activities of insurers, but we would suggest it not be misinterpreted to imply regulators should establish and oversee detailed security standards, which are not primarily within the jurisdiction or area of expertise of state insurance departments.”

Similarly, in a comment on the 12th principle, Pratt and Holland say the principles should not require an insurer to include cybersecurity or any other specific issue in its enterprise risk management process.

See also: PPACA: CCIIO Fears Risk Adjustment Bugs


2. Regulators could end up trying to take responsibility for other people’s jobs.

The first principle in the current draft states that, “Insurance regulators have a significant role and responsibility regarding protecting consumers from cybersecurity risks.”

“We believe this principle places too much responsibility upon insurance regulators,” Pratt and Holland write. “Ultimately, under federal law and policy it is the entity holding data that has the primary responsibility for defending against cybersecurity risks.”

Even the federal government recognizes that it is merely responsible for sharing information about cyber threats, not for providing the primary line of defense against the threats, Pratt and Holland write.

See also: 5 reasons the Anthem hacking story should make YOU shiver


1. The first principle could push state insurance regulators into a collision with federal regulators.

Even if a state insurance department were equipped to regulate data security, the federal government is already doing that, Pratt and Holland write.

They note that the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS) already enforces compliance with the Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules.

“Any effort to assume those responsibilities by the NAIC or state regulators would likely entail responsibilities they would be unable to support,” Pratt and Holland write.

Image: AP photo/Pablo Martinez Monsivais

See also: Will you top the HIPAA audit candidate list?