Cyber insurance package aimed at general practice
The recent increase in sophisticated hacks aimed at capturing personal data such as those that targeted medical practices in Queensland last year, along with the expectation that a mandatory data breach notification law will be introduced shortly, has led to the development of a cyber insurance package aimed at medical and allied health practices.
Last year, the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 was passed by Parliament and will come into effect in March 2014. It's expected to be accompanied by mandatory data breach notification rules, and will include significant penalties for failure to report.
Security experts are pushing for the data breach notification laws, with the director of the Centre for Internet Safety at the University of Canberra, Nigel Phair, telling the Australian Financial Review recently that many hacks were being covered up by affected companies to avoid bad publicity.
Mr Phair told the AFR that Australia “desperately” needs data breach legislation. “We are quite behind in global terms on that, to force businesses to disclose when sensitive data is breached,” he said.
Mandatory disclosure of data breaches is required in many parts of the US, and has led to an increasing number of businesses taking out cyber insurance. The AFR also reported last year that Europe is also proposing mandatory 24-hour notice for data breaches and potential fines of two per cent of revenue.
Legal experts expect similar laws to come into force in Australia, with the Office of the Australian Information Commissioner (OAIC) recommending that they follow the data breach notification requirements of the PCEHR Act.
Paul Waite, director of solutions and innovation at obsecure, a Sydney-based company specialising in information security, said that as hacks and data breaches increase, a similar situation to the US and Canada may arise in Australia, with class-actions becoming more common.
He points to the example of the Montfort Hospital in Ottawa, where a class-action lawsuit is about to be launched over the hospital’s role in losing the personal information of 25,000 patients. The Ottawa Citizen reports that a hospital employee broke policy by taking files home on a USB key, which was then lost.
Data on the USB included patient names, a summary of the health service they received, the date of the service and the name of their doctor.
“The big concern is the class action,” Mr Waite said. “The lawyers are highlighting that – although they are concerned about the Privacy Commissioner and his new powers to enforce undertakings and issue penalties – they are more worried about class actions.”
In the event of a breach, it is expected that companies will have to pay for credit reference files to be maintained and monitored for a period of time to ensure that no one has taken individual identities, Mr Waite said. That can cost up to $200 per record, so if a general practice had a breach and 1000 patient records were stolen, the cost quickly adds up.
“You have to notify everybody, you may need to set up or hire a call centre, which will be more expensive if your clients are multi-lingual, you have to send out notification letters to each individual that has been affected and then follow up – the remediation costs are quite significant,” he said.
“Small businesses can't afford a data breach. It's an event that can potentially put people out of business.”
Mr Waite said most of the larger insurance companies don't offer cyber insurance policies for small businesses, so he and his colleagues have decided to offer a package that includes not just insurance, but tools and guidelines to help practices avoid a breach in the first place.
Called Cyber Plus, the package will include a bundle of technologies to protect computers, file servers and mail servers from viruses, threats and dangerous websites. “Business information is kept private by locking down USB drives and other storage devices as well as preventing data loss through email,” Mr Waite said.
Cyber Plus also includes a privacy and breach notification toolkit to allow practices to identify where potential risks and threats lie, as well as privacy impact assessments and breach response plans and notifications.
Data is secured by obsecure's software, which encrypts all data using industry-grade encryption standards and strong authentication methods, including two-factor and multi-factor authentication.
It also has a cyber-specific insurance policy from CFC Underwriting, a UK-based company backed by Lloyd's, and placed through local insurance broker CHIA Insurance Consultants, which has negotiated the coverage and pricing.
“The whole idea of Cyber Plus is that it will bundle together a combination of products, technology and insurance to provide a small business tool-kit,” Mr Waite said. “For example, it incorporates a privacy component and in that component we’ve been able to engage privacy professionals to develop a variety of checklists, help guides, data response plans and privacy impact assessments.
“We are working closely with law firms like Madgwicks and two others to form a panel to assist organisations in any legal matters that may arise. We’ve been able to engage PR companies to assist with public relations, to protect branding and minimise public fears and negative opinion. And we have a team of forensics experts to assist organisations to evaluate where the breach happened and to report to the Commissioner that an investigation had been done.”
Mr Waite said Cyber Plus had also received industry advice from a number of antivirus companies, such as Trend Micro and Bitdefender, to help design a series of checklists that help practices better understand the importance of protecting their environment with tools like antivirus and anti-malware software in order to protect patient information. Regular back-ups and system updates also form part of good data governance and security.
“What we understand from the Gold Coast extortion attempt is the targeted practice did not perform proper and regular back-ups,” he said.
“We strongly recommend that businesses must back up at least weekly, and use a commercial-grade product like Bitdefender to protect their computer systems and clients' privacy. Basically, Cyber Plus will give them all of the tools to achieve that.”
Mike Newbigin, a director with CHIA Insurance Consultants, said the package had a range of limits of indemnity available, from as low as $100,000 to $1 million, with higher limits available if required.
“For a practice with a revenue of less than $2.5 million, a $1 million limit of indemnity will cost about $3000,” he said. “However, to access this cover at this price, you’ll need to incorporate a range of system security and privacy practices, which are available as part of the Cyber Plus package.”
“The whole package idea is a simple one and we can provide the advice and tools to help health practices overcome these issues,” Mr Waite said. “We’ll also assist you in the event the Commissioner does become involved, by demonstrating the processes that were undertaken, including the impact assessments, which may substantially reduce the risk of penalties.”
He said that prior to the new Privacy Act, there were no laws to enforce data security with a punitive element, but now there are.
“You don't anticipate a data breach, but some day it may happen. There are hackers in abundance popping up everywhere, and if they can hack into large organisations such as the RBA, the ATO and the ABC, which have spent hundreds of thousands of dollars on security, how will smaller practices protect themselves? Hence the reason we designed, in partnership with other industry professionals, a cyber security toolkit-in-a-box.
“If you have a breach it could potentially cost $200 per record for 1000 patients, amounting to $200,000. And that doesn't take into account your reputation and the interruption to your business and patients.”