Tag Archives: iso

Avoiding Data Breaches in Healthcare

While the largest number of data breaches occur at healthcare providers’ sites, such as hospitals and physician offices, healthcare plans account for the greatest number of health plan member records stolen over the past seven years, according to a study published in JAMA.

This is attributable to extremely large breaches of electronic systems. While these centralized databases offer a wealth of health records that can be used to improve healthcare, it’s important to balance the risks of being hacked against the benefits.

These breaches represent one area where health plan organizations must focus their attention to overcome an increasingly complex regulatory and risk management environment. A fully equipped health information management platform has become a vital requirement for health plan organizations seeking to improve care, member outcomes and ROI.

Balancing Risks of Data-Sharing

While better policies and procedures and the use of encryption have helped reduce easily preventable breaches, more must be done to protect member privacy and mitigate associated costs.

Health data breaches cost the U.S. healthcare industry an estimated $6.2 billion, and 70% of businesses that have experienced ransomware attacks in their workplace have paid to have stolen data returned.

Attackers have learned how to monetize healthcare data, with the number of attack points continuing to rise with the use of mobile medical- and health-related apps and with electronic health records (EHR) become increasingly embedded in clinical settings.

Given all this, health plans should seek a technology-enabled platform that optimizes operational viability, helps to improve member outcomes at reduced costs and ensures data security and privacy. The first step is to look for a vendor that has earned Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) certification.

See also: VPNs: How to Prevent a Data Breach  

Understanding HITRUST Benefits

As healthcare data shifts from local infrastructure to the cloud, the ability to control and secure data weakens, creating substantial challenges for health plans and hospitals that need to assess third-party vendors and ensure that data complies with HIPAA and other regulations.

HITRUST sprang from the belief that information security should be the core of the broad adoption of health information systems and exchanges.

HITRUST CSF certification can be used by all organizations to guide them in selecting and implementing the appropriate controls to protect the systems that create, access, store or exchange personal health and financial information. Certification gives organizations detail and clarity related to information security controls tailored to the healthcare industry.

Certification also carries two key advantages: First, it’s designed to examine regulations. During the certification process, an independent assessor uses the HITRUST framework and then submits work papers to HITRUST for scoring and quality assurance. This ensures providers a level of consistency from one assessment to another.

Second, HITRUST performs a gap analysis, which providers can request to help them further assess a vendor’s security posture, which saves substantial resources.

HITRUST CSF certification also includes these benefits:

  1. Cross references the requirements from legislative, regulatory, HIPAA, NIST, ISO, state laws and others for one comprehensive framework
  2. Provides a framework that prepares organizations for new regulations and security risks once introduced
  3. Ensures compliance and security protection to clients
  4. Assures payers working with vendors that the platform is compliant, private and secure and meets the necessary requirements of HITRUST CSF certification
  5. Means a third-party assessed the platform and attests to its compliance with globally recognized standards, regulations and business requirements, ensuring data security, privacy and compliance

Full-spectrum, end-to-end Platform

Health plans should look for an integrated risk-adjustment optimization and quality improvement platform that has HITRUST CSF certification as validation of a commitment to improving the health of healthcare and providing innovative solutions for health plans across the country.

They should offer a platform that provides health plans and provider groups with a comprehensive risk adjustment solution that plays an integral role in helping health plans and risk-bearing entities improve measured quality.

HITRUST CSF provides a certifiable framework that provides organizations with a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Leveraging nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA and COBIT to ensure a comprehensive set of baseline security controls, HITRUST CFS normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance.

HITRUST CSF, the most widely adopted security framework in the U.S. healthcare industry, continues to improve and update its framework ensuring that organizations are prepared when new regulations and security risks are introduced.

See also: Unclaimed Funds Can Lead to Data Breaches  

Furthermore, the certified solution should combine risk adjustment and quality improvement services and provide real-time visibility and reporting for risk adjustment analytics, medical record retrieval, HEDIS abstraction, risk adjustment coding, claims and data validation, prospective health assessments, clinical abstraction, member engagement/outreach and provider education. It should also be designed to integrate risk adjustment and quality services to deliver fully transparent insights.

Success in value-based approaches pivots around delivering on total member health, cost and quality rather than relying on the traditional model of maximizing relative value units, revenue and downstream referrals.

The right full-spectrum, end-to-end approach to care empowers health plans and providers to identify gaps in care and manage plan members more productively. Consequently, plan members reap the greatest benefit by being guided toward more preventive care and self-management early in the care process and their information and privacy remain protected.

Insurers Grappling With New Risks

Warren Buffett’s caution about underwriting cyber-insurance put the spotlight on one of the big challenges facing carriers today – how to address a slew of new insurance risks.

The Oracle of Omaha told shareholders at the Berkshire Hathaway annual meeting that he didn’t want the group’s insurance business to pioneer cyber-cover because the risks were largely unknown and potentially too big. Berkshire Hathaway might write some cyber-policies to stay competitive, Buffett added, but it would not be among the top three providers in this market.

Underwriting complex new risks such as cyber-insurance, as well as meeting the rising demand for cover for other risk-heavy occurrences such as natural catastrophes and corporate fraud, promises substantial revenue for carriers. Global premium revenues for cyber-insurance, for example, could hit $7.5 billion by 2020, according to researcher Statista. Cover related to digital products and services could also yield healthy additional income. The new revenue streams are welcome news for many insurers that have watched income from traditional products plateau in the past few years.

However, as Buffett points out, venturing into uncharted territory can be hazardous — especially when we don’t know the scope of the hazards. Catastrophe cover, for example, which must now contend with uncertainty related to climate change, cost U.S. insurers dearly last year. The effects of three major hurricanes, Harvey, Irma and Maria, as well as the extensive wildfires in California, all contributed to a spike in underwriting losses. The net underwriting deficit among U.S. property and casualty insurers leaped from $4.7 billion in 2016 to $23.2 billion the following year, according to a report compiled by research firm ISO and the Property Casualty Insurers Association.

Insurers are not only being forced to make calls on new types of risk. They must also handle the growing complexity of the underwriting required for some of their established offerings. The spread of corporate ecosystems and supply chains across many varied countries, for example, has heightened the complexity of commercial risk assessment. So, too, has the rise in trade and business regulations imposed by governments around the world.

What’s more, insurers must also accommodate a flood of new data streams. While these additional sources of data provide valuable insight into commercial risks and consumer behavior, they also compound the complexity of insurers’ underwriting systems and processes.

To meet the rising challenge of new and more complex underwriting requirements, insurers need to get a lot smarter. Improving workers’ skills and hiring more talent won’t be enough. Insurers need to deploy intelligent technology. Only by using artificial intelligence (AI) will underwriters be able to manage the new, complex risks that are confronting them.

Our research shows that more than 75% of insurers plan to use AI to automate tasks in the next three years. Many of these applications are intended to improve efficiency and productivity. The big gains in AI, however, are likely to be achieved by using this technology to improve decision-making.

In my next blog post, I’ll discuss how advances in AI can help underwriters make smarter, quicker decisions. Until then, have a look at these links. I think you’ll find them useful.

Agents’ Standard of Care for E&O Purposes

To begin on a dreary note, I feel like I am beating a dead horse discussing agencies’ standard of care. This would not even be a valid topic, except:

1. Too many attorneys are involved who cannot see the forest for the trees. They look at every situation with the idea that, if the agency had not done this or that, they would have an easy time winning the suit.

Their ability to win a suit easily should not be a factor in advising agencies to shirk their standards. Telling an agency to not advertise that they are professionals so that when they are accused of failing to provide services at a professional level they can win a case more easily is horrendous advice. Agents do not need attorneys who cannot win hard cases.

See also: Are P&C Insurers Failing Agents?  

Furthermore, advertising is not the issue. To even bring it up is evidence the attorney or other adviser is completely missing the point. The real point should be to act as a professional so that the agency can advertise as a professional. By acting as a true professional, the agency does not have to worry about using better advertising. It does not have to worry about being called out as a hypocrite for advertising one thing while doing something less.

2. A preponderance of agencies seems to want to be considered incompetent. A low standard of care is evidence of incompetence. At the very least, a low standard of care encourages amateurism.
This combination of advice from on high, attorneys and advisers, with a willing audience that WANTS TO BE TOLD to act amateurish, is a death knell for independent agencies because NO ONE NEEDS AMATEUR AGENTS!

The need for professional agents is stronger than ever. With so many new distributors of insurance, including ones that do not seem to think insurance licenses are even important, existing amateur agents are being made redundant. Some of these new distributors are going one level of dumb further, but cheaper.

Other new distributors are far cleverer because one has to read their advertisements carefully to understand that they create the impression of professionalism but not the promise of professionalism. They are using the difference between implying and inferring. They have larger budgets to hire more professional advertising experts that can craftily navigate between appearance and reality. I do not agree with their approach, but I understand it, and I expect some will be successful. This group’s success further negates the value, whatever value ever existed, of amateur agents.

The space that is left, which is largely uncontested, is the space of a true professional agency. This requires closing your ears to those advisers and attorneys who incompetently cannot understand the difference between a professional agency’s E&O exposures advertising professional services and an amateur agency’s E&O exposures created when they advertise professional-level services or images.

A true professional agency will incur far less E&O exposure because its clients are far more likely to buy the coverages they need! What is the cause of most E&O claims? The client not having the right coverage. If the agency sells clients more coverages, then the odds of a client not having the right coverage decreases. E&O is not that complex. The #1 way to avoid E&O is to sell clients the coverages they truly need, no more and no less.

Executing at a professional level is harder than the strategy, which is why this space is open. It is difficult, and, if it was easy, the space would not be available. Here are a few key points for becoming a true professional agent:

  1. Learn your coverages.
  2. Use a coverage checklist with your clients. No single better tool exists, by far, than a checklist for determining coverage applicability other than my proprietary exposure training process.
  3. Read your forms. I flat do not understand why anyone would assume what coverages exist or do not exist in a non-ISO form without reading it and without regard to how well someone knows the ISO form. If one is not selling an ISO form, then one has to read the proprietary form to know what is or is not in it. This is work. This is what you get paid to do as a pro. Amateurs take short cuts.

Why do more agency personnel not take these three basic steps? To date, they’ve learned to make a living being partially ignorant, so why start now? Please understand, I am not trying to be cynical, satirical or facetious. The fact is, based on the E&O claims I have seen and the hundreds and hundreds of interviews I’ve conducted of agency personnel, ignorance and incompetence is not an overstatement. People with 10, 15 or 20 years’ experience cannot describe basic coverages, and yet they have made a living. Hence, they have made a living while remaining ignorant.

See also: Insurtechs: 10 Super Agents, Power Brokers

I can’t argue about past success, but, going forward, I do not see how this business model has much opportunity. The new disrupter agencies can achieve the same level of amateur knowledge for much lower commissions.

If an agent knows the coverages, identifies the coverages the client actually needs, sells the client those coverages and obtains the client’s sign-offs on the coverages he or she needs but will not purchase, and then reads the forms to determine whether the coverages actually exist, the odds of a client having an exposure is quite limited. Additionally, the agency’s sales will increase, and the agency can have more fun by advertising more powerfully. I think a smart agency owner would build the entire sales strategy around identifying other agents’ mistakes, which should be like shooting fish in a barrel.

Hiding behind an attorney’s caveats is no way to go through the world, and it is not much of a business strategy. Be bold by doing what your clients truly need you to do, enjoy your success and sleep better at night.

Need Proof Policies Aren’t Commodities?

I’m going to borrow the approach taken by Chuck Schramm, a Chicago-area insurance agent with more than 50 years of industry experience and one of the premier insurance educators in the country. He has done a series of seminars that examine a single policy (commercial property, business auto, CGL, etc.) by providing several case study-based claim scenarios. Participants must determine for each claim whether the policy covers the damages and why or why not. It’s a wonderful way to learn HOW to read, understand and APPLY policy language to coverage and claim situations.

Many insurtech startups and online comparative quoting systems take the position that auto insurance is little more than a commodity distinguished almost solely by price, that insurance buyers do not need professional representation by insurance agents nor advocacy at claim time because the product and process are so simple and there’s so much information available on the internet. Let’s dispel that ludicrous assertion with the following scenario….

Bubba owns a car insured in his name with the State Insurance Company. His wife, Bubbles, owns a car insured in her name with the National Insurance Company. Their adult daughter, Bubbette, and her six children live with Bubba and Bubbles, and Bubbette owns a car insured in her name with the ARP Insurance Company. All three insurers use the 2005 ISO PAP.

See also: Geospatial Data: New Key on Auto  

Using the ISO policy, determine who is covered for liability by what policy in the following claim scenarios AND why or why not are they covered. In other words, in each scenario, are the parties insureds under the policy, and, if so, does a liability exclusion apply?

Claim #1:  One afternoon, Bubba drove Bubble’s car to the liquor store, ran a stop sign and had an at-fault accident.

Bubble’s PAP   __ does   __ does not   cover Bubbles.

Bubble’s PAP  __ does   __ does not   cover Bubba.

Bubba’s PAP  __ does   __ does not   cover Bubba.

Bubba’s PAP  __ does   __ does not   cover Bubbles.

Claim #2:  That evening, Bubba drove Bubbette’s car to a local tavern and had another at-fault accident while returning home at dawn the next morning.

Bubbette’s PAP  __ does   __ does not   cover Bubbette.

Bubbettes’s PAP  __ does   __ does not   cover Bubba.

Bubba’s PAP  __ does   __ does not   cover Bubba.

Bubba’s PAP  __ does   __ does not   cover Bubbette.

Claim #3:  Upon his arrival at home, Bubba and Bubbles separate, and Bubbles moves in with her mother that afternoon. That evening, Bubba asked Bubbles if he could borrow her now-repaired car again to take his new girlfriend to visit her mother and had yet another at-fault accident.

Bubble’s PAP  __ does   __ does not   cover Bubbles.

Bubble’s PAP  __ does   __ does not   cover Bubba.

Bubba’s PAP  __ does   __ does not   cover Bubba.

Bubba’s PAP  __ does   __ does not   cover Bubbles.

I’ll post the answers within the next week, so make a note to check back later. If you simply can’t wait because you’re just too darned excited that you know the answers, feel free to email them to me, and I’ll respond.

See also: Auto Claims: Future May Belong to Bots  

If you find this kind of exercise valuable, let me know, and I’ll do others. Another one I have in mind for the PAP involves three people – Moe, Larry and Curly – two of them with PAPs and all involved in the rental of a car.

Harvey Hammers Home NFIP Issue

The economic devastation and human suffering that Hurricane Harvey inflicted on vast numbers of people will sorely test the National Flood Insurance Program (NFIP) as it comes up for renewal, with the NFIP lapsing if Congress and the president fail to act by the end of the month. Some in the federal government, state regulators, industry experts and this economist favor solutions encouraging private sector participation in flood insurance markets. Near-term, the most likely and wisest course seems to be a short extension allowing the Federal Emergency Management Agency (FEMA) and NFIP to focus on settling claims while politicians and policy experts develop longer-term solutions.

With the U.S. Government Accountability Office (GAO) reporting the NFIP was $24.6 billion in debt before Hurricane Harvey, many in government and elsewhere feel significant reforms are needed. Other knocks against the NFIP as currently constituted include its reliance on allegedly inaccurate and out-of-date flood insurance rate maps (FIRMS), its failure to charge actuarially appropriate premiums and policy limits too low to provide adequate insurance protection. Some also contend that the NFIP encourages excessive risk taking and poor land use by providing subsidized insurance coverage for properties that repeatedly get flooded out, effectively divorcing those who choose to reside in flood prone locations from the consequences of their decisions.

Uncertainty about the exact extent of the devastation caused by Harvey will persist for some time, as the huge number of properties damaged by the storm, difficult conditions and continuing lack of access to some of the hardest-hit areas all add to the time necessary to assess losses. Further complicating efforts to understand the magnitude of the losses caused by Harvey, published reports often fail to clearly distinguish between economic losses, insured losses covered by private carriers and insured losses covered by the NFIP. Nonetheless, it appears Hurricane Harvey may exhaust the NFIP’s financial capacity, causing the program to go still deeper in debt.

See also: Harvey: First Big Test for Insurtech  

The NFIP purchased private reinsurance covering 26% of its losses between $4 billion and $8 billion, but Fitch Ratings believes losses from Hurricane Harvey could consume the NFIP’s $1.04 billion in reinsurance protection.

As Congress and the president ponder the way forward, the options available to them include several that would facilitate development of private markets for flood insurance akin to the private markets for homeowners insurance. Key elements of such solutions include measures clarifying mortgage lenders’ ability to use flood coverage underwritten by private carriers to satisfy insurance requirements imposed by Fannie Mae and Freddie Mac.

The development of private markets for flood insurance will also require that the NFIP adopt actuarially sound pricing. Simply put, private carriers that must cover their costs and earn an adequate rate of return on capital would be at a tremendous disadvantage competing against taxpayer-subsidized coverage from the NFIP. And it would certainly help if carriers currently participating in the NFIP’s WYO Program were allowed to also offer alternative coverage. Currently, the WYO Program includes a non-compete clause that precludes carriers from offering alternative standalone flood insurance.

The constituencies supporting increased private sector involvement in flood insurance markets include the National Association of Insurance Commissioners, the Property Casualty Insurers Association of America, the National Association of Mutual Insurance Companies and the American Insurance Association, which have all come out in favor of the Flood Insurance Market Parity and Modernization Act passed unanimously by the House in 2016.

Thinking more broadly, there may be no need for the federal government to participate directly in the flood insurance business. Mechanisms akin to state FAIR and Beach Plans could serve as insurers of last resort for property owners unable to obtain coverage from private carriers. Or, we could transition from the NFIP as it exists today to a new NFIP modeled on the Terrorism Risk and Insurance Program (TRIP) introduced after the terrorists destroyed the World Trade Center on Sept. 11, 2001. Under that program, insurers must offer terrorism coverage, with policyholders then free to accept or decline. If insured losses from a terrorist attack exceed specified triggers, the federal government provides reinsurance protection, and insurers subsequently reimburse the federal government.

Thinking still more broadly, there may be no need for the federal government to participate in the flood insurance business at all. With trillions of dollars flowing through global capital markets, catastrophe bonds and other insurance-linked securities could enable insurers and reinsurers to obtain all of the capacity necessary to cover flood risk without any federal reinsurance backstop.

See also: Time to Mandate Flood Insurance?  

An ideal solution would enable one policy to provide coverage for both wind losses and flood losses. As long as those losses are covered by separate policies, policyholders and insurers will remain burdened with having to distinguish wind losses from flood losses— a frequently contentious and often expensive undertaking that adds to the time necessary to settle claims.

In any case, private sector insurers and reinsurers now have access to data and sophisticated flood models that enable them to price and underwrite flood risk intelligently. And developments such as the new commercial flood insurance program recently introduced by ISO and Verisk Analytics set the stage for greater participation in flood insurance markets by ever greater numbers of insurers, as will the corresponding personal property flood insurance program they plan to roll out later this year. With state regulators and insurers aligned, it seems all that’s necessary to unleash the power of private markets is action on the part of Congress and the president. Why not send them a postcard?