Tag Archives: data breaches

Data Breaches’ Impact on Consumers

Data breaches are perhaps a more harrowing experience than many realize. In the most recent large incident, the vast majority of LinkedIn users, about 92%, were affected. Experts say it's not just the magnitude of this exposure that's worrying; it's the type of information compromised that should give LinkedIn users pause. The incident was announced June 22 by the alleged hacker, who offered the data of 700 million users for sale. (LinkedIn has said the data was scraped from public profiles and other sites rather than taken from its systems, but scraped data aggregated at this scale is just as useful to a fraudster.) The data set reportedly contains email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn usernames and profile URLs, personal and professional background, genders and other social media accounts and usernames. It's easy to imagine building a digital profile that impersonates any of the 700 million victims.

As urgent as this sounds, most breach victims do very little, if anything, in response. Some may find slight solace in the fact that many others (and, by many, we mean millions) have also been affected in the same way. This feeling can sometimes help to dampen the blow, along with the fact that most consumers are realizing there is virtually nothing they could have done to prevent the breach from happening in the first place: Data breaches are just par for the course in today’s digital world. 

But this limited consolation offers nothing to protect victims from the uncertain, but very real risk of future identity fraud. Over time, with breach after breach, the uncertainty grows, consumer trust in businesses weakens and new anxieties take hold. There’s an oft-overlooked psychological aspect to it all that even consumers themselves may not realize is happening. 

Living in a constant state of worry about identity theft is exhausting. It may not be a frequent topic of conversation, and breach notifications rarely prompt any specific precaution, but we know it weighs heavily on consumers' mental state. Customer trust in organizations is eroding, and quickly. Customers no longer have confidence that corporations can safely house the data they ask for.

Moreover, there’s a subconscious pleasure that comes with feeling loyal to and cared for by organizations that one chooses to spend money with; all that goes away when the company experiences a data breach. The consumer no longer feels appreciated or valued and may be left wondering, are there any organizations left that I can trust with my data? Sadly, the answer may be an unstated but emphatic “no.”

See also: How Machine Learning Halts Data Breaches

The more definable and palpable sentiments of the consumer are still telling, though. Over the last few years, we at Generali Global Assistance have been keeping our finger on the pulse of the consumer to gain a better understanding of the consumer mentality. Earlier this year, we released findings from our second market study and found that, since 2017, concerns about identity theft—and especially about cybercrime—have continued to increase.

The very large majority of consumers (90%) believe that becoming a victim of identity theft or cybercrime is something that could happen to them at any time; this is up five points from 2017. Eighty percent of consumers said that they're often scared by the number of ways in which their identity may be compromised, which is up six points from 2017. And 76% of consumers agreed that companies and institutions are not doing enough to protect their personal information. A holiday survey of ours in 2017 showed that 40% of consumers believe that businesses are not doing all they can to protect their personal information. The rate at which this gap has widened is striking.

Outside of the psychological impact, we must not forget what it actually means when one's personal data is exposed. While a leak of your email address alone may leave you shrugging your shoulders, the combination of your name, address and birthdate is ample data for a fraudster to do damage. It's the aggregation of years' worth of mega breaches that is leaving consumers wildly exposed. We already got a sneak peek of that this past year when unemployment fraud reached frightening levels in the midst of the pandemic: in our Resolution Center alone, we saw a 5,630% increase in employment-related fraud from 2019 to last year. Unfortunately, that may have been just the beginning.

So while a singular data breach may not have an immediate effect on the consumer, each one chips away at the security of their identity. Data point by data point, our identities will be left in such a fragile state that the resulting fraud will not only be inevitable, but difficult to come back from. 

At the risk of sounding trite, the time is now for consumers to take action. It’s true that one cannot prevent hackers from infiltrating the companies they choose to do business with, but there are certainly ways to strengthen their identity so that any potential damages are greatly reduced.

How Machine Learning Halts Data Breaches

Although we hear a lot about major cybersecurity breaches in non-insurance organizations – Target, Experian, the IRS, etc. – there have been breaches in the insurance industry, too, albeit less publicized. Nationwide faces a $5 million fine from a breach back in 2012. Horizon Blue Cross Blue Shield is still the defendant in a class action suit over a 2013 breach that affected 800,000 of its insured. 

As hard as organizations try to secure their data and systems, hackers continue to become more sophisticated in their methods of breaching. This is why innovation in risk management and insurance is so important.

Can Machine Learning Improve Cybersecurity (and Vice Versa)?

The short answer is yes. Because machine learning can process huge amounts of data, models trained on historical cyberattacks can recognize new activity that resembles them, flag it far faster than a human analyst could and help defenders put controls in place before the damage spreads.

Here is a very simple example:

An on-site employee decides to use his work computer to browse some shopping sites during his lunch break. One of those sites contains elements that the model flags as a potential security threat. The security team is notified immediately, and that computer's access to any data that could be useful to an attacker can be blocked until a full investigation is completed.

See also: How Machine Learning and AI Reduce Risk  

This may be a rather far-fetched example because most organizations limit private use of their computers in advance. But consider the Horizon breach: two laptops were stolen from a facility, and the data on them was exposed. Or the case of Target, where a third-party contractor did not have appropriate security in place, and the attackers used that vendor's access to reach the company's systems. Machine learning can help by raising an alert when a device or a credential starts behaving unlike its owner, so that access can be revoked or the device remotely wiped. It does not replace the basic controls, though: the Horizon laptops were unencrypted, and full-disk encryption would have limited that loss regardless of any detection.

Common Types of Data Breaches that ML Can Help Thwart

1. Spear Phishing

Company employees receive emails every day in their company inboxes. Some of these, from senders that may not be known, can include malicious links or attachments.

There are now ML classifiers that model language and structure patterns: subject lines, links, body content and communication patterns, phrases and even punctuation. Messages that deviate from a sender's or an organization's normal pattern can be flagged and held for a security analyst before anyone opens them, if the mail pipeline is set up to quarantine on the model's verdict. Poorly translated or stilted phrasing is one such signal, though it is more typical of bulk phishing. A targeted spear-phishing message is usually well written, so structural signals carry more weight: a look-alike sender domain, a Reply-To on a different domain, or a link whose visible text names one host while its target is another.
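The structural signals described above, as an added example that is not part of the original article: a small Python feature extractor run over two constructed emails, one legitimate internal reminder and one spear-phishing lure. It pulls out the indicators a classifier would be trained on (a look-alike sender domain measured by edit distance, a Reply-To on a different domain, anchor text naming one host while the href targets another, urgency vocabulary, runs of exclamation marks) and combines them with fixed weights that stand in for what a trained model would learn. The domain example-insurer.com, the two messages, the word list and the weights are all constructed assumptions.

```python
"""Spear-phishing indicator extraction over two constructed sample emails."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed internal domain of the organization receiving the mail (not from the article).
TRUSTED_DOMAIN = "example-insurer.com"
# Pressure vocabulary typical of payment-fraud lures (assumed list).
URGENCY_TERMS = {"urgent", "immediately", "wire", "overdue", "suspended", "verify", "asap"}
# Fixed weights stand in for what a trained classifier would learn (assumed values).
WEIGHTS = {"lookalike_sender": 4, "reply_to_mismatch": 2, "link_mismatch": 3,
           "urgency_terms": 1, "exclamation_runs": 1}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+')

# Constructed messages: an internal reminder and a payment-fraud lure.
LEGIT_EMAIL = """\
From: Payroll <payroll@example-insurer.com>
To: agent@example-insurer.com
Subject: March expense report reminder
Content-Type: text/html

<p>Hi, please submit your March expenses via
<a href="https://portal.example-insurer.com/expenses">https://portal.example-insurer.com/expenses</a>
by Friday. Thanks!</p>
"""

PHISH_EMAIL = """\
From: "CEO Office" <ceo@example-insurrer.com>
Reply-To: ceo.office@mail-relay.net
To: agent@example-insurer.com
Subject: URGENT: wire transfer needed immediately!!
Content-Type: text/html

<p>I am in a meeting and need you to verify the vendor payment now. Open
<a href="http://portal.example-insurer.com.login-check.net/x">https://portal.example-insurer.com/payments</a>
and complete the wire before 3pm!!!</p>
"""


def registrable(host):
    """Crude registrable domain: the last two labels. Adequate for the samples here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    return registrable(urlparse(url).hostname or "")


def extract_features(raw):
    """Structural and language indicators a classifier would be trained on."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    sender_dom = registrable(sender.split("@")[-1]) if "@" in sender else ""
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()

    # Links whose visible text shows one host while the href points at another.
    link_mismatch = 0
    for href, visible in ANCHOR_RE.findall(body):
        shown = URL_RE.search(visible)
        if shown and host_of(shown.group()) != host_of(href):
            link_mismatch += 1

    dist = edit_distance(sender_dom, TRUSTED_DOMAIN)
    return {
        "lookalike_sender": 0 < dist <= 2,  # near miss of the trusted domain
        "reply_to_mismatch": bool(reply_to and registrable(reply_to.split("@")[-1]) != sender_dom),
        "link_mismatch": link_mismatch,
        "urgency_terms": sum(1 for w in re.findall(r"[a-z]+", text) if w in URGENCY_TERMS),
        "exclamation_runs": len(re.findall(r"!{2,}", text)),
    }


def phishing_score(features):
    return sum(WEIGHTS[k] * int(v) for k, v in features.items())


def classify(raw, threshold=4):
    """Verdict the mail pipeline would act on: quarantine 'suspect', deliver 'clean'."""
    return "suspect" if phishing_score(extract_features(raw)) >= threshold else "clean"


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_EMAIL), ("phish", PHISH_EMAIL)):
        print(name, classify(raw), extract_features(raw))
```

An exact spoof of the trusted domain scores zero on the look-alike check by design; that case belongs to SPF, DKIM and DMARC enforcement at the gateway, whose results a real model should consume as further features rather than re-derive.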

2. Ransomware

Most everyone is familiar with this security threat. Users' files are "kidnapped" and encrypted. Users must then pay up to get the decryption key that will unlock those files. Often, these files house critical client data, other proprietary information or system files that are necessary for business operations. The other type of ransomware attack simply locks a user's computer and does not allow access until the demanded amount is paid.

To train a model to identify potential ransomware requires a substantial labeled data set. Samples of known ransomware must be loaded along with even larger sets of clean files, so the model can learn to distinguish the two. Features extracted from each sample, such as byte-level statistics, the system functions the code imports or its behavior when run (rapidly reading and overwriting many user files is a strong tell), are labeled "dirty" or "clean," and a model is fitted. A new file can then be scored against that model and stopped before it encrypts files or locks the machine. Note that the language-pattern features used against phishing email do not transfer here; ransomware is caught on what the code does, not on what it says.

3. Watering Hole

Employees, especially insurance agents who are out in the field, have favorite spots for coffee or lunch breaks, or a group of employees may regularly order from the same restaurants. A watering hole attack works by compromising a site the target group is known to visit, such as that restaurant's ordering page, so that the visit itself delivers malware or a credential-harvesting page. The shop's open Wi-Fi adds a second exposure, because a small business's network is rarely monitored and traffic on it can be intercepted or redirected. Either way, the attacker reaches the employee through a door the organization does not control.

This is sometimes grouped under "remote exploitation" and is related to what occurred with Target, where a third party was the "door" in; in Target's case, though, the door was a vendor's stolen credentials rather than a compromised website.

ML models can be trained on the redirect chains browsers follow when employees reach external sites from company-managed devices, on- or off-site. A compromised site often sends the visitor through an extra hop to a malicious host before the intended page loads, and an unfamiliar hop in an otherwise familiar chain is what such a model can detect.

See also: How Machine Learning Transforms Insurance

4. Webshell

A web shell is a small script (PHP, ASP or JSP, for example) that an attacker uploads to a web server, usually through a file-upload flaw or a stolen account. Once it is in place, ordinary HTTP requests to that file execute commands on the server, letting the attacker read and change files and reach the system's database. Most often, attackers use this to take customers' banking and credit card information, so e-commerce sites are the usual target, but medical practices and insurance companies are certainly at risk, too, because they house large amounts of personal data. When the insured set up automatic payments from their bank accounts, the activity is even more attractive: payments can simply be rerouted elsewhere.

Models can be trained on a site's normal request patterns and flag requests that deviate: POSTs to a script file that did not exist yesterday, scripts executing from a directory that should hold only uploaded images, or parameters that carry shell commands. The same baseline lets defenders spot a newly dropped web shell before it is used, rather than after the data is gone.
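The baseline-and-deviation idea above, as an added example that is not from the original article: a small Python check over constructed access-log lines in the common combined format. It learns the set of paths served during a known-good window and then scores later requests on indicators a web shell leaves behind (a script path never seen before, a script under an upload directory, a command-style parameter, a POST to an unseen path). The log lines, the directory names and the parameter list are constructed assumptions.

```python
"""Baseline-and-deviation check for web shell activity over constructed access-log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/nginx default).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SCRIPT_EXTS = (".php", ".jsp", ".asp", ".aspx")
# Parameter names simple web shells commonly use to pass a command (assumed list).
COMMAND_PARAMS = {"cmd", "exec", "command", "c", "shell", "run"}
# Directories that should serve static content only (assumed for the sample site).
UPLOAD_DIRS = ("/uploads/", "/images/", "/static/")

# Constructed sample traffic: a known-good day, then the next night.
BASELINE_LINES = [
    '203.0.113.5 - - [10/Jun/2021:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2021:09:00:03 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2021:09:01:10 +0000] "GET /portal/claims.php?id=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2021:09:01:12 +0000] "GET /uploads/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
NEW_LINES = [
    '198.51.100.7 - - [11/Jun/2021:02:13:01 +0000] "GET /portal/claims.php?id=43 HTTP/1.1" 200 8190 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [11/Jun/2021:02:14:07 +0000] "POST /uploads/img_2021.php HTTP/1.1" 200 612 "-" "python-requests/2.25.1"',
    '192.0.2.44 - - [11/Jun/2021:02:14:09 +0000] "GET /uploads/img_2021.php?cmd=id HTTP/1.1" 200 44 "-" "python-requests/2.25.1"',
    '203.0.113.5 - - [11/Jun/2021:08:59:50 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path.lower()
    rec["params"] = set(parse_qs(parts.query, keep_blank_values=True))
    return rec


def learn_baseline(lines):
    """Paths that served successful (2xx/3xx) requests during a known-good window."""
    baseline = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"].startswith(("2", "3")):
            baseline.add(rec["path"])
    return baseline


def webshell_indicators(rec, baseline):
    """Independent reasons one request looks like web shell use."""
    reasons = []
    path = rec["path"]
    if path.endswith(SCRIPT_EXTS):
        if path not in baseline:
            reasons.append("script path absent from baseline")
        if path.startswith(UPLOAD_DIRS):
            reasons.append("script executed from upload/static directory")
    if rec["params"] & COMMAND_PARAMS:
        reasons.append("command-style parameter")
    if rec["method"] == "POST" and path not in baseline:
        reasons.append("POST to unseen path")
    return reasons


def detect(baseline_lines, new_lines, min_reasons=2):
    """Requests in new_lines that accumulate at least min_reasons indicators."""
    baseline = learn_baseline(baseline_lines)
    findings = []
    for line in new_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as alerts
        reasons = webshell_indicators(rec, baseline)
        if len(reasons) >= min_reasons:
            findings.append({"ip": rec["ip"], "path": rec["path"], "ua": rec["ua"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(BASELINE_LINES, NEW_LINES):
        print(f["ip"], f["path"], "|", "; ".join(f["reasons"]))
```

Requiring two independent indicators keeps a single odd-looking request from paging anyone; in the sample, the upload to a new script and the follow-up `cmd=id` probe from the same address each clear that bar on their own, which is the pattern worth an analyst's time.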

The Requirement? Machines and Humans Must Work Together

Will machines ultimately eliminate the need for in-house or contracted cybersecurity experts? Highly unlikely. At this point, machines cannot engage in the deeper investigations that analysts perform once they are aware of potential breaches or once aberrant behaviors have been detected. But innovation in risk management and insurance should certainly include machine learning. Humans simply cannot gather and analyze data as fast as machine algorithms can. Incorporating ML as a solid part of cybersecurity just makes sense.

Insurers Must Collaborate on Cyber

We are living in the accumulated aftermath of the countless cyber breaches that, since the turn of the century, have cost the global economy over $2 trillion. We are in the untenable situation where insurers find it nearly impossible to provide security for their insureds while safeguarding their own profitability.

However, the destruction and loss of the past need not be the fate of the future. If cyber liability and technology E&O insurers learn from the recent past, then insurers can help give rise to a future cyber realm that is free from the doubt and fear that are prevalent now.

Over the past two decades, insurers have not worked with members across the private spectrum to put into place unified laws governing the cyber realm, so there are now laws across the world, enacted or about to be enacted, that are making it more difficult to provide cyber liability insurance. What may be even worse is that, for the past four years or so, different governments have argued against end-to-end encryption (E2EE), and insurers have not responded swiftly to that threat, either. If a country, especially one like the U.S., were to pass a law making E2EE unlawful, then providing cyber liability insurance to anyone would be made more difficult than it already is.

Thus far, insurers rarely speak to each other regarding their most prominent common adversary: hackers. Perhaps the only time insurers broach the subject is at a NetDiligence or PLUS Cyber Symposium conference, and even then hackers are treated more as an appetizer than as a main course. If a hacker or hacking group causes five different insurers a combined loss of $50 million, each insurer may see its own share as an inconsequential loss, even though collectively it is not. Because insurers do not talk to each other, they do not know the common methods of attack on their insureds or the collective loss they have suffered, and they have no way to focus efforts on removing that threat. Nor is there any way to know that a hacker or hacking group is targeting a specific sector of the private sphere, because the only way to know that is through shared intelligence.

Every day, threat actors from nation states or hacking groups or standalone hackers are using the advances in cyber breach techniques learned from each other to create the next unstoppable attack. It is time for insurers to pool their own resources so that they and their insureds can begin to level the playing field with respect to the main adversary so that laws passed are to the benefit of insureds and insurers alike.

Insurers also need to look at the complete picture to be responsible netizens and help craft a safer cyber future. When semiconductor technology in the form of computers began to integrate with the personal and professional realms in the 1980s and into the 1990s, at least in the U.S., it was a very tortured process. Almost as soon as businesses had upgraded to 33 MHz processors, 66 MHz processors came out. Similarly, the original floppy disk drives quickly gave way to 3.5-inch disks, which gave way to Zip drives, CD-ROMs and so forth. In software, things were no better. After finally using computers and learning DOS, businesses were introduced to Windows 3.1 and thereafter were upgraded to Windows 95, 98, 98SE and beyond. Every part of binary technology over the past 40 years has seen a relentless drive toward cutting-edge technology, and that pursuit thrust upon the people of this world a technological reality that very few understand.

Today, most people are unable to say what SoC (System on Chip) drives their smartphones, what a GPU stands for, what the differences are between 4G and 5G wireless technologies and what many other basic technological concepts are. Even among insurance professionals, there are still many people who hunt and peck and are unable to achieve a typing speed of 45 words per minute.

Worldwide, almost all schools lack a structured curriculum for the K-12 system that not only teaches binary fundamentals to the young but also helps them to understand computing history and the potential future of computing and networking technology. Consequently, despite the significant numbers of people using social media and smartphones, and the rise of IoT, most people do not know the fundamentals of our present binary world.

Perhaps more damaging is what the future holds. If most people barely understand current technology, then quantum computing, carbon nanotubes and neuromorphic computing will be ever more unnerving for even more people. This disparity between the few who understand it and the tremendous numbers who access the binary world without comprehension creates a dangerous situation in multiple ways. Yet this is the situation in which cyber liability and technology E&O insurers are trying to insure a binary usage world.

See also: Future of Insurance to Address Cyber Perils  

With the whole picture in mind, it is time for insurers to start implementing, as soon as possible, solutions that will prevent the future from being like the past two decades. Insurers and insurance brokers alike need to start acting in accordance with what being part of a community means.

In its most basic form, a community is a group of people or organizations that exist in the same area or share a common purpose, and the most successful communities are the ones that come together and put the good of the community ahead of any individual member. Insurers would do well to start to establish a series of townhalls in physical communities to talk not only about what cyber liability and technology E&O are but also about every aspect of cybersecurity, from anti-virus software to which CPUs and GPUs are least vulnerable to cyberattacks.

It would be especially helpful if some of these townhall seminars were dedicated to people 65 and older, because many organizations are wanting to “help” seniors without providing them with reasonably secure cyber products. To date, seniors do not seem to have borne the brunt of cyberattacks. However, it is only a matter of time before cyber criminals begin to realize the monetary value of focusing cyberattacks on seniors.

Many insurance professionals are eager to point out that small and medium-sized businesses are extremely vulnerable to cyberattacks, but warnings from a distance are not an acceptable substitute, on such an urgent issue, for face-to-face human interaction. There is a reason that property and auto insurers in the 20th century used a phrase such as "like a good neighbor, State Farm is there." A neighbor is a community member who is invested in the success and challenges of others.

With the 2020 U.S. census coming up, there still has not been a unified community outreach effort on the part of insurers to help the census begin and end in a secure form at the community level. The most efficient way insurers can help with the census is to provide public libraries and community centers with new computers and networking equipment and to lend IT staff.

Insurers also need to work with the cybersecurity community and with K-12 schools around the world so that students understand how to be responsible netizens. There needs to be encouragement in education, from letting the young follow what is popular technologically, to what is actually effective and useful. If insurers do not work with the cybersecurity community, then how can educators and parents ever really know what responsible netizen activity looks like? Insurers can either work with others to start reducing that deficit, which will also reduce the frequency of breaches, or insurers can repeat their mistakes and forever put their profitability and the safety of their insureds in doubt.

In terms of effective global communication, we who are living now are standing where once stood those who coped with the changes in communication wrought by the printing press and its transformation of the world. However, modern global correspondence faces challenges that require insurers to start putting solutions into place now that will have benefits that last in terms of decades and centuries. With that in mind, it is time for insurers to bring to life an international competition that will encourage students in the seventh to 12th grades to create educational websites or advanced robots or allow for a structured and interactive way for them to point out zero-day exploits and other vulnerabilities that would have a $500 million or larger impact on the world economy if the exploit were to be used against the netizen community.

Insurers also need to start to rate every piece of technology with an independent testing lab. The lab needs to be built with the authority and autonomy to ensure that its ratings are as impartial and accurate as possible so that insurers can work with information that is as close to factual as possible. Insurers also need to tackle higher education and work with an organization like IEEE to finally bring the training of software developers/engineers into the 21st century. It is time for software engineers to have to meet requirements that are on par with structural engineers and attorneys. Not only will this enable a minimum higher level of coding competency, but it will prevent the non-certified engineers from being allowed to put pieces of inept software code into programs upon which this world depends.

Helping the brilliant young become useful and positive contributors to the cyber community, creating an independent testing lab and working with other members of the netizen community to produce certified software engineers can only enable a netizen community that appropriately values and pursues safety, the common good and the future success of the cyber realm. All of this would be to the great benefit of cyber liability and technology E&O insurers and their insureds.

See also: Surveying Wreckage of Cybersecurity  

People often cite the increasingly sophisticated breach techniques of hackers, or the rapidly evolving innovations of technology companies, as reasons why "dark knight" cybersecurity specialists have become so formidable. However, a large part of the reality behind the rise of hackers is insurers' failure to implement long-term solutions.

Cyber liability and technology E&O insurers perhaps have the best vantage point of any other part of the private sector, because they get to watch in real time everything that happens before, during and after a breach. It is those insurers, especially cyber liability insurers, who say they can help and protect insureds, and who are actively offering their services on the world’s stage. Unfortunately, insurers have thus far acted as if they need only sprint to the finish line to help their insureds. This is not, though, a sprint. It is in fact a very long journey that insurers must undertake.

However, if insurers pace themselves, unite with each other to overcome shared challenges and reach out to other members of the netizen community, then they will be able to leave the winter of desolation behind and step into a future spring that is lively, safe, profitable and enduring.

Surveying Wreckage of Cybersecurity

On Jan. 1, 2001, it would have been beyond human ability to predict, with precision, most of what has happened in the first 20 years of the 21st century. Certainly, no one was expecting that following September to dramatically alter the geopolitical landscape of the world, nor was anyone expecting the U.S. to use UAVs (unmanned aerial vehicles) to eliminate targets, terrorist or otherwise. Perhaps more crucially, though, people were not expecting to have a substantial chance of seeing the security of their lives drastically diminished over the following 20 years because of hardware and software engineers, some of them "dark knight" engineers, that is, hackers. Yet, more than any other occurrence since the start of this century, the cyber realm has had, and will continue to have, profound impacts on nearly every aspect of our lives regardless of where we live.

It is only fitting then, as we review the lessons we have learned, to examine their inextricable links to and impacts on cyber liability and technology E&O.

Let us start with some numbers. Of breaches that have compromised 30,000 records or more, there have been at least 266 since 2001. Each year since 2001 there have been no fewer than 13 such breaches.

In 2014, the global average cost of a data breach was $3.5 million. Today, the number stands at $3.9 million, based on an average breach size of approximately 26,000 records. In the U.S. in 2018, the average cost of a breach was $7.9 million, and today it stands at $8.2 million.

According to a 2001 CSI/FBI Survey, the aggregate loss for firms reporting data that year was close to $456 million. For mega breaches, the cost of losing 50 million records in 2018 was $350 million; this year to date it stands at $388 million. Essentially, two mega breaches today would likely equate to all of the losses that were sustained in 2001.

In 2014, cybercrime cost the world economy at least $400 billion, and today the figure stands at $600 billion. Calculating the cost of any breach with exactitude is difficult, but the above figures are reasonable cost approximations. Certainly, it is clear from the information available that the cost of a data breach is significant.

More concerning is that there is no foreseeable future in which the cost of a breach decreases. The future is also bleak where the number of unwanted system intrusions is concerned. After all, as the cost of doing business in countries like China and India increases, the cost of data breaches will be pushed up with it.

Furthermore, the number of people on this planet continues to rise, as does the number of devices connected to the Internet. The passage of privacy laws, like the General Data Protection Regulation (GDPR) in the E.U. bloc, will also force the cost of data breaches upward.

The numbers are rising in multiple ways, and they are not in favor of cyber liability and technology E&O insurers or their clients.

Despite the staggering numbers, cyber breaches are treated with an uncommon tolerance. If San Francisco, New York City, London, Dubai, Singapore and Hong Kong all lost power for seven straight days each year, then the energy providers to those areas would be lambasted and perhaps face new, more reliable competition. However, despite all the damage that hackers are causing, not enough resources are being put into place to prevent the next cyber breach. The mega cyber breach of Capital One in 2019 would seem to validate this conclusion.

We have also learned that the rule of law is far less bothered by data breaches than other types of incidents. After the sinking of the Titanic in 1912, governments and shipbuilders enacted major changes to try to ensure that such a disaster would never happen again. After the 1956 sinking of the SS Andrea Doria, training was mandated on the use of radar and a change to radar screens was required. Shipping accidents are now rare. Governments forced changes in the design and operation of nuclear reactors after disasters at Three Mile Island (1979) and Chernobyl (1986), and worldwide energy companies got the message. In contrast, each year since 2005 has included at least one major to moderate data breach somewhere. Some years, like 2013 and 2014, saw at least three major data breaches. Often the worst penalty the exposed organization faced was not levied by any governmental agency but by a private organization like American Express or Visa. (The E.U. has the strongest and most exacting data privacy legislation. The state of California also has admirable privacy laws. Elsewhere, strong data privacy laws are the exception.)

Perhaps one of the most shocking aspects of the first part of the 21st century is the lack of accountability in the private sphere for CEOs, boards of directors and other senior individuals. If an entry-level employee were to take a photograph of a client's banking records, even by accident, that would be more than enough for dismissal. The employee could even face civil and criminal penalties. In contrast, in the aftermath of the June 2017 NotPetya attack on the international shipper A.P. Moller Maersk, its CEO was neither dismissed nor criminally charged, even though the attack cost the organization no less than $300 million. Marriott International's CEO likewise kept his position after the breach disclosed in 2018. Target's CEO did step down in 2014, but only months after the 2013 breach, and the company's broader troubles were cited alongside it.

When a director or officer can neglect the legal duty of care owed to an organization, then the profitability and even the continued existence of the organization is at risk. Such failed diligence constitutes gross negligence!

There is an interesting communication pattern with regard to data breaches as evidenced by Target (2013), Equifax (2017) and Capital One (2019). In this routine, a statement is released by the CEO. The CEO says how she or he understands that the company’s clients may feel frustrated or worried that their data is now in the public domain. Then the CEO expresses a bit of remorse for the breach. Finally, the CEO says that dutiful action will be taken to get to the bottom of things. Next comes the public outcry over how an organization, especially a large one, could be so irresponsible as to not screen its sub-contractors and segment its network (Target), or how an organization could be lax in its security standards, especially as they concern software patches (Equifax).

Usually, the number of affected customers creeps up over the following weeks, as was the case with DSW Shoes (2005) and LexisNexis (2014). Or, as in the case of Maersk, the severity of the damage becomes fully apparent over the course of days and weeks. By the time the last of the initial steps occurs, which is the providing of identity theft protection, clients are so numb with pain that the "freebie" of identity theft protection provides next to no solace.

Still, to this day in the U.S. and many other countries, there is nothing on a national or multinational scale that compares with the E.U.'s GDPR to help prevent data breaches and make clear to organizations what the penalties are for inappropriate security standards.

Another setback is the continued lack of recognition of how the data breach landscape changes with different attacks, or a severely delayed response to that change. To this day, many people are unable to appreciate how much side-channel attacks at the CPU level have altered the landscape, especially because more side-channel attack possibilities are being realized.

When Stuxnet was made public in 2010, it forever changed the cyber breach landscape because it meant that every organization in the world could not only suffer damage in the cyber realm but that computer and networking systems could physically be damaged by a worm or virus, as well. WannaCry and NotPetya (the enhanced Russian strain) have NOT struck so much fear worldwide that organizations of every size are now only using variants of Windows 10, macOS 10.15 or Fedora version 30. To this day, there are multinational corporations that have not upgraded to Windows 10, even in the financial services sector. This is not even counting the damage of election interference in the U.S. in 2016 and the political fallout that is still afflicting the U.S.

Also uncounted are the ways social media can be corrupted to negatively influence people. It certainly is possible to continue to list advances in breach technology that have altered the cyber landscape, but suffice it to say the ways in which a breach can occur and the sophistication with which it can happen since 2001 have significantly eroded the security of most people on this planet. Today, for a majority of people around the world, our health, financial, and even electronic identities are all compromised to varying degrees, and our privacy or collective societal independence has further been eroded by companies like Cambridge Analytica.

There are two areas of further concern in the professional sphere, and these segments have grown less secure since 2001: medical data and servers that form the data backbone of organizations. Each year, more and more medical data has been put online, whether by primary care physicians, pharmaceutical companies, insurance companies or other private sector organizations. The vast amount of medical data that has been put online, though, has been done with a focus on ease of access without a similar regard for security, as evidenced in the consistent rise of medical identity theft since at least 2010.

Sometimes, the information comes from a large-scale hack, like that of Anthem (2015), and sometimes it comes from a smaller one such as that made on Sutter Medical Center (2011). On the server side, the hack of Capital One is a reminder that cloud-based data is not beyond the reach of unauthorized users. Furthermore, Spectre and other side-channel attacks on CPUs continue to chip away at the safety of the cloud, as does the illicit alteration to products from a company like Supermicro.

We are clearly not safer, overall, today than we were in January 2001, despite the rise of cybersecurity firms and cybersecurity technology.

It would be misguided to say that nothing has been done to advance our cybersecurity in the first 20 years of this century. Perhaps our biggest advantage in this century was the creation and success of cybersecurity firms, especially ones that publicly call out bad actors. Today such firms can offer a sorely needed layer of protection in the fight to defeat a cyber breach, and this layer can often be updated each day to account for the knowledge the cybersecurity firm gained in fending off attacks from its various clients.

Advances in quantum encryption are also allowing nearly impenetrable discrete communication even over long distances. Internet browsers, like Chrome, are forcing organizations to have valid and up-to-date security certificates; otherwise, an organization risks being labeled as dangerous to online users. Private sector competition between internet browser makers is helping to advance, from a security standpoint, the creative effectiveness with which internet browsers are built.

Similar competition in the cloud segment is also helping to ensure safety. When the Capital One breach was announced, Amazon was quick to point out that there was no indication that its AWS cloud had been breached, as well.

We also have two-factor authentication for securing our e-mail and even our mobile devices. Card issuers, at least in the U.S., have finally moved almost entirely to cards with chips built into them. Now card users have a more secure method of making a payment than with the magnetic strip on the back of the card. On a much larger scale, Apple Pay, Samsung Pay and contactless technology built into credit and debit cards have been introduced over the past 10 years. They have made POS purchases much safer and easier today compared with 2001.

2016 saw the first mature version of the payment card industry data security standard (PCI DSS) framework, which helped to encourage merchants to install firewalls, segment networks and only retain credit/debit card information when necessary. Furthermore, financial firms often provide the option for a client to be notified in the event of unusual activity on a card or when a large purchase is made with a credit or debit card.

Ultimately, despite all of the cybersecurity advances, the cost and number of cyber breaches has gone up consistently since 2001. Moreover, the ease with which societies and the rule of law accept such breaches remains high. Even today, CEOs are rarely held responsible, legally or otherwise.

Furthermore, people and organizations of all sorts fail to understand how the cyber landscape changes on a continuous basis, and that failure reduces the responsiveness to the altered terrain, which consequently increases the chances of yet another cyber breach.

Globally, almost all of us bear scars in one form or another due to the damage that our lives have suffered over the course of the past 19 years. Time and again, governments have failed to protect their citizens, and organizations often grasp for cybersecurity without the knowledge of what true cybersecurity is.

However, even from this grim landscape we can find hope, direction, and ultimately a reliable path forward, and that hope lies with cyber liability and technology E&O insurers.

Avoiding Data Breaches in Healthcare

While the largest number of data breaches occur at healthcare providers’ sites, such as hospitals and physician offices, healthcare plans account for the greatest number of health plan member records stolen over the past seven years, according to a study published in JAMA.

This is attributable to extremely large breaches of electronic systems. While these centralized databases offer a wealth of health records that can be used to improve healthcare, it’s important to balance the risks of being hacked against the benefits.

These breaches represent one area where health plan organizations must focus their attention to overcome an increasingly complex regulatory and risk management environment. A fully equipped health information management platform has become a vital requirement for health plan organizations seeking to improve care, member outcomes and ROI.

Balancing Risks of Data-Sharing

While better policies and procedures and the use of encryption have helped reduce easily preventable breaches, more must be done to protect member privacy and mitigate associated costs.

Health data breaches cost the U.S. healthcare industry an estimated $6.2 billion, and 70% of businesses that have experienced ransomware attacks in their workplace have paid to have stolen data returned.

Attackers have learned how to monetize healthcare data, and the number of attack points continues to rise with the use of mobile medical- and health-related apps and with electronic health records (EHR) becoming increasingly embedded in clinical settings.

Given all this, health plans should seek a technology-enabled platform that optimizes operational viability, helps to improve member outcomes at reduced costs and ensures data security and privacy. The first step is to look for a vendor that has earned Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certification.


Understanding HITRUST Benefits

As healthcare data shifts from local infrastructure to the cloud, the ability to control and secure data weakens, creating substantial challenges for health plans and hospitals that need to assess third-party vendors and ensure that data complies with HIPAA and other regulations.

HITRUST sprang from the belief that information security should be the core of the broad adoption of health information systems and exchanges.

HITRUST CSF certification can be used by all organizations to guide them in selecting and implementing the appropriate controls to protect the systems that create, access, store or exchange personal health and financial information. Certification gives organizations detail and clarity related to information security controls tailored to the healthcare industry.

Certification also carries two key advantages: First, it’s designed to examine regulations. During the certification process, an independent assessor uses the HITRUST framework and then submits work papers to HITRUST for scoring and quality assurance. This gives providers a level of consistency from one assessment to another.

Second, HITRUST performs a gap analysis, which providers can request to further assess a vendor’s security posture, saving substantial resources.

HITRUST CSF certification also includes these benefits:

  1. Cross references the requirements from legislative, regulatory, HIPAA, NIST, ISO, state laws and others for one comprehensive framework
  2. Provides a framework that prepares organizations for new regulations and security risks once introduced
  3. Ensures compliance and security protection to clients
  4. Assures payers working with vendors that the platform is compliant, private and secure and meets the necessary requirements of HITRUST CSF certification
  5. Means a third-party assessed the platform and attests to its compliance with globally recognized standards, regulations and business requirements, ensuring data security, privacy and compliance

Full-Spectrum, End-to-End Platform

Health plans should look for an integrated risk-adjustment optimization and quality improvement platform that has HITRUST CSF certification as validation of a commitment to improving the health of healthcare and providing innovative solutions for health plans across the country.

They should offer a platform that provides health plans and provider groups with a comprehensive risk adjustment solution that plays an integral role in helping health plans and risk-bearing entities improve measured quality.

HITRUST CSF provides a certifiable framework that gives organizations a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Leveraging nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA and COBIT to ensure a comprehensive set of baseline security controls, HITRUST CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance.

HITRUST CSF, the most widely adopted security framework in the U.S. healthcare industry, continues to improve and update its framework ensuring that organizations are prepared when new regulations and security risks are introduced.


Furthermore, the certified solution should combine risk adjustment and quality improvement services and provide real-time visibility and reporting for risk adjustment analytics, medical record retrieval, HEDIS abstraction, risk adjustment coding, claims and data validation, prospective health assessments, clinical abstraction, member engagement/outreach and provider education. It should also be designed to integrate risk adjustment and quality services to deliver fully transparent insights.

Success in value-based approaches pivots around delivering on total member health, cost and quality rather than relying on the traditional model of maximizing relative value units, revenue and downstream referrals.

The right full-spectrum, end-to-end approach to care empowers health plans and providers to identify gaps in care and manage plan members more productively. Consequently, plan members reap the greatest benefit by being guided toward more preventive care and self-management early in the care process and their information and privacy remain protected.