Spies, thieves and joy hackers have helped turn health insurance cyber security into a hot legal specialty.

See also: 5 ways cybersecurity could cause cyber hives

Insurers and brokers need help with everything from interpreting the Health Insurance Portability and Accountability Act of 1996 (HIPAA) “covered entity” provisions; to drafting and interpreting the agreements that the covered entities must get “business associates” to sign; to providing seminars, procedure reviews and soothing herbal tea for business associates that are facing the possibility of undergoing “Phase 2 audits” by investigators from the Office of Civil Rights at the U.S. Department of Health and Human Services (HHS).

See also: 5 reasons the Anthem hacking story should make YOU shiver

Jon Kelly, a partner in the New York office of Sidley Austin L.L.P., is one of the advisors building teams that can help insurers deal with a hard-to-detect, hard-to-explain, marshmallow-like threat that, apparently, could ooze out of anything from their computers to their phones to their automated climate control systems at any time, and trigger involvement with any elected or appointed official in the world who happens to enjoy reading about hackers.

Since late 2014, Kelly has been seeing insurance clients thinking more about cyber security issues.

For a look at what Kelly said about the state of insurance industry data security regulation in a recent telephone interview, read on. 

Marshmallow mice

1. The New York State Department of Financial Services really woke people up.

For many years, hacker magazines entertained readers with articles about youngsters who made unattended retail store cash register terminals their playground.

In the past year, retail system vulnerability reached primetime audiences with news of the massive Target and Home Depot hackings.

Hackers then caught health insurers’ attention by hacking Anthem and Premera.

But Kelly says he thinks the New York State Department of Financial Services also played a role, by releasing survey data that hinted at the sketchy nature of some insurers’ data security efforts. 

See also: What New York says about insurers’ cyber failings

The department’s report “shows that the insurance companies weren’t as astute as the regulators would like,” Kelly said.

 


Marshmallow rabbit

2. Companies in the insurance industry are struggling to understand what exactly it is that they have to do.

Insurers were early adopters of computer technology, and that has left them with giant buildings full of old, little-understood, hard-to-update legacy systems, Kelly said.

Managers at insurers and brokers would prefer to be thinking about improving and expanding operations, not computers, and, at the same time, the regulators themselves are still struggling to understand how to address data security, Kelly said.

“I’m not sure there’s a clear set of standards that’s yet developed or prescribed,” Kelly said. 

Companies in the insurance industry want to share what they know, to help other players and get information they can use to protect themselves, but they worry that reporting breaches or other problems could open them up to regulatory action, Kelly said.

Kelly said it would be helpful if policymakers could recognize that financial services companies are the victims in these situations and need rules that protect them against punishment in situations in which they have taken every reasonable precaution that they knew how to take but still get hacked.

“When is it that I’ve done enough?” Kelly asked. 

See also: Cyber-huddle: Treasury gathering insurance sector for briefing

Marshmallow zombies

3. Insurers and brokers hope regulatory agencies will find ways to work together.

These days, state insurance regulators can, and do, bring up data security issues when carrying out ordinary regulatory activities, Kelly said.

“You’re seeing them in regular insurance exams,” Kelly said.

When insurers talk about enterprise risk management (ERM), for example, they are supposed to address efforts to manage cyber security risk as a stand-alone ERM risk, Kelly said.

Many different state and federal agencies also play a role in cyber security efforts, Kelly said.

Companies in the insurance industry recognize that agencies have their own priorities but would like to see as much coordination as possible, Kelly said. 

See also: NAIC sets cybersecurity regulatory principles