Insurer tells hospitals: You let hackers in, we're not bailing you out

When hackers swiped 32,500 patient records from Cottage Healthcare System, it was sued by its own customers for $4.1m – a bill that was settled by its insurers. Now the insurance company, Columbia Casualty Company, has claimed Cottage's computers were hopelessly insecure, and it wants its money back. Columbia claims the …

  1. elDog

    This is the way it should be. Insurers should require insurees to maintain "due diligence"

    Based on my pathetic 45+ year stint with many companies (and defense contractors) in the US, security is still something that doesn't get funded in the budget - it is just supposed to be something that the IT staff "do".

    I like the idea of hitting the bottom line of companies that don't take this seriously. Better if corporate bonuses were offset by 3-5 years based on overall performance.

    1. Eddy Ito

      Re: This is the way it should be. Insurers should require insurees to maintain "due diligence"

      It's nice that it seems everyone is finally starting to pay attention. The insurance company couldn't pick a better time since it looks like Congress is also finally getting their act together with HR 2205 and matching S 961 coming out the gate. While the bills aren't perfect it's a start. The first obvious defect in the two bills is that they come out of the gate exempting governmental entities.

    2. Anonymous Coward

      Re: This is the way it should be. Insurers should require insurees to maintain "due diligence"

      The question I have is why did the insurance company make the payment in the first place??

      Shouldn't they have checked into the breach, discovered the obvious flaws and refused to make the payment in the first place???

      1. Trygve Henriksen

        Re: This is the way it should be. Insurers should require insurees to maintain "due diligence"

        The insurance is to pay the costs incurred by the hospital's patients because of the breach.

        Breach happened, insurers pay out. Whether the insurers THEN make the hospital reimburse them depends entirely on their investigation.

        Just like liability insurance on your car... You park your car in the side of someone else's car, and he gets the damage paid by your insurance company. They then decide if you caused the accident or not (odds are they'll blame both no matter what) and yeah, you suffer higher premiums, and all that...

        1. Anonymous Coward

          Re: This is the way it should be. Insurers should require insurees to maintain "due diligence"

          A more accurate analogy would be that after you crashed your car, the insurer would attempt to get the money it paid out back from you if it found you to be breaching the terms of your insurance (e.g. drunk driving, allowing anonymous FTP access to all your files).

          1. Roland6

            Re: This is the way it should be. Insurers should require insurees to maintain "due diligence"

            >allowing anonymous FTP access to all your files

            Don't you mean anonymous access to your car management system... :)

    3. Cris E

      Re: This is the way it should be. Insurers should require insurees to maintain "due diligence"

      That's fine, but then there's also a burden on the insurer to verify that the company is meeting standards before a claim is filed. You can't just pocket the money and then go looking afterwards to see if you can get out of paying. Want to have an out like this? Give me a fair evaluation of my compliance every year or two. Even if the onus is on the customer to provide pen test results, at least there's an assurance that any needed payout will be honored.

  2. Henry Wertz 1

    Good

    Good. I agree with this decision. I mean, an insurance co would think twice about paying for house theft if they found you left the doors wide open when you leave; they wouldn't pay an accident claim if your car had no brakes and you were driving around drunk. I have no idea why insurers have treated computers as this mysterious special case for so long. If a blackhat used some cunning hacks and tricks to get in, fair enough. If the blackhat does a google search and finds you left the goods on an FTP site? I'm glad the insurance co. didn't pay, that'd just raise insurance rates for everyone else who does things properly.

    1. Yet Another Anonymous coward

      Re: Good

      But they now require the hospital to "provide adequate security" - presumably "adequate" means they never get hacked, so any hack proves it was inadequate, so they never have to pay = win

      1. Adam 1

        Re: Good

        "Adequate" is inadequate (excuse the pun). It is a weasel word that makes it very easy for the customer to think that they have one policy but learn a hard lesson when they try to claim.

        In principle, I agree with the insurer. Failure to take "adequate" precautions makes you a higher risk, and if that is not recognised against your policy cost then everyone else's must increase to socialise the loss caused by your lack of foresight.

        But adequate must have provable definitions if you are going to deny claims based on it. If my car insurer stated that my car must be adequately maintained, a current certificate of registration proves that my car passed the required certifications. If they have other additional expectations, like 6-monthly services etc., then they need to stipulate that explicitly.

        Back to the case in point. If adequate means that patches should be applied within 30 days, what do they mean by that? Windows update? Sure. What about that old version of jre that is still needed to run that legacy system? What about that system that has been powered down for 6 months with its user on some type of extended leave? Is your policy torn up because they switched their computer back on and it was not updated for a few days? Is your router patched?

        Most people don't want to accidentally leave their networks open to pwnage. For many, it is a case of being naive rather than reckless. Providing easy-to-digest guidelines for your customers has the double advantage of protecting them, making your offering more valuable in their eyes and by extension more profitable for you.

      2. Anonymous Coward

        Re: Good

        Based on the suit, "adequate" probably means HIPAA compliant.

        From the wording of the suit, they appeared to have no formal compliance/risk assessment in place for this server - it is unclear whether this was an oversight for one service or a larger issue at the health care provider.

  3. Erik4872

    Hope this one sticks

    Usually, when an insurance company tries to weasel out of paying a claim, people get pissed off. I've heard horror stories of people paying into auto or homeowners' policies for decades, only to have a legitimate claim tied up for years if even the slightest grey area comes into play. But this one I can get behind, being an IT guy who sees this go on all the time.

    Companies have spent so long cutting their IT departments to the bone, hiring expensive "consultants" who provide insecure systems because of the accounting that makes it favorable to have contractors vs. employees. As a result, we get disinterested, disconnected people who have no idea how the particular organization they are working with works, and just shove in whatever boilerplate system fits.

    If companies actually have to pay real damages for security problems, this might change things. I've always hated how retailers trot out their PCI audit and skate free whenever credit card information is stolen...there's zero incentive to fix the problem. It might open up the IT "profession" to licensing, which I would be all for. Getting your company in legal hot water _and_ getting sued for malpractice on top of it might be the incentive some "IT professionals" need to invest in their skills and not implement whatever compiled that week.

    1. asdf

      Re: Hope this one sticks

      > only to have a legitimate claim tied up for years if even the slightest grey area comes into play

      From what I have heard that tends to happen a lot more with group policies than individual, due to individual being more exposed to market forces, and not paying claims getting around and hurting business. Companies in general only want to tell their employees they are covered for the cheapest amount possible. Just like anything, there is usually a reason why it's so cheap. Not an expert, but what I have heard.

    2. swampdog

      Re: Hope this one sticks

      I can't see licensing working. The tech changes far too rapidly. Better & more relevant qualifications, sure - so we end up with IT that doesn't jump on the newest cool tech to use in production but does not stagnate either. Ultimately getting that balance right is down to the employer so stuffing them on their lousy insurance claims will hit correctly, on their bottom-line.

      1. Dr. Mouse

        Re: Hope this one sticks

        > I can't see licensing working. The tech changes far too rapidly.

        It is not quite as fast, but the medical profession also advances at quite a rate. It is up to doctors to keep their skills and knowledge up to date with the latest advances in their field.

        The same goes in IT. I spend vast amounts of my own time looking at new tech. Partly because I enjoy it, but mainly because it is necessary for me to do my job well. If we are starting a new project and I have missed a new, ideal piece of tech, I will not be able to do my job as well as I should.

        Personal professional development should be part of every professional's schedule. The rapid advance of technology, in itself, does not rule out licensing and regulation.

  4. perlcat

    Nice try, but I doubt that they will learn the lesson. Not when they can socialize the costs and privatize the profits.

  5. Anonymous Coward

    I agree with the posters above--don't subsidize bad IT security practices!

    If IT security meets certain standards, then by all means pay the claim. If not, then by paying the claim you are subsidizing bad behavior, and when you subsidize something you get more of it.

  6. Henry Wertz 1

    I don't know about licensing

    I don't know about IT people needing to be licensed. That's a whole kettle of fish. I think companies that rely on IT but strip IT to the bone, may already reconsider how they handle IT if they find out insurance will not automatically cover them.

    1. Erik4872

      Re: I don't know about licensing

      Fair point...but companies fail to listen all the time, and if the monetary damages were low enough per incident, they might still have the incentive to not invest in proper controls.

      If you read the document, one of the points the insurance company alleges is that anonymous FTP was left open to the Internet, and people were able to just walk in and browse the filesystem. That's amateur hour, not some sophisticated attack requiring probing of OS components and crafting just the right magic packet to trigger a vulnerability, or an elaborate trick requiring smuggling hardware into the network. It just smells like what I experience a lot, an underpaid, stressed out consultant making a tiny percentage of his company's bill rate making a dumb mistake simply because they have no incentive to do it right.

      So, I say that IT and SW development should be split into technician class and engineer class positions. Technicians do what they do today, fix bugs, monitor systems, support users. As they gain experience, they gain responsibility and salary. When they get to the licensed engineer stage, they prove they have a minimum amount of education and experience, pass an exam, and get assigned the big-boy/girl work. With that power and money comes the responsibility of being liable for screw-ups, something that is sorely lacking today.
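      As an added illustration of the "anonymous FTP left open to the Internet" point above (example code written here, not the commenter's or any party's in the case): a small audit of a vsftpd-style configuration, with a constructed weak config beside a corrected one. It assumes vsftpd's key=value syntax and its documented defaults; both sample configurations are made up for the example.

```python
"""Audit a vsftpd-style configuration for anonymous-access exposure.

Added example; assumes vsftpd syntax (key=value lines, '#' comment lines)
and the defaults documented in vsftpd.conf(5). Sample configs are constructed.
"""
import re

# Constructed sample: roughly what "anonymous FTP left open" looks like.
WEAK_CONFIG = """\
listen=YES
listen_address=0.0.0.0
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_root=/srv/data
"""

# Constructed sample: the corrected equivalent.
HARDENED_CONFIG = """\
listen=YES
listen_address=10.0.0.5
anonymous_enable=NO
local_enable=YES
write_enable=NO
chroot_local_user=YES
ssl_enable=YES
"""

# vsftpd's compiled-in defaults for the keys the audit looks at. Note that
# anonymous_enable defaults to YES, so an absent key is the risky case.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
    "listen_address": "",
}

_KV = re.compile(r"^([A-Za-z_]+)=(.*)$")


def parse_vsftpd(text):
    """Return effective settings: defaults overlaid with the file's key=value lines."""
    settings = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key=value line: {raw!r}")
        settings[m.group(1)] = m.group(2).strip()
    return settings


def audit(text):
    """Return (severity, key, message) findings for an anonymous-exposure review."""
    s = parse_vsftpd(text)
    findings = []
    if s["anonymous_enable"].upper() == "YES":
        findings.append(("HIGH", "anonymous_enable",
                         "anonymous login allowed (vsftpd's default when the key is absent)"))
        if s["listen_address"] in ("", "0.0.0.0"):
            findings.append(("HIGH", "listen_address",
                             "listening on all interfaces; anonymous access reachable wherever the host is exposed"))
        if s["write_enable"].upper() == "YES" and s["anon_upload_enable"].upper() == "YES":
            findings.append(("HIGH", "anon_upload_enable", "anonymous users may upload files"))
    if s["ssl_enable"].upper() != "YES":
        findings.append(("MEDIUM", "ssl_enable",
                         "TLS off; credentials and file contents cross the network in clear text"))
    return findings


def is_acceptable(text):
    """True when the configuration raises no HIGH-severity finding."""
    return not any(sev == "HIGH" for sev, _, _ in audit(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {'acceptable' if is_acceptable(cfg) else 'NOT acceptable'}")
        for sev, key, msg in audit(cfg):
            print(f"  [{sev}] {key}: {msg}")
```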

      1. Chris G

        Re: I don't know about licensing

        If it is necessary to pass an exam to get a diploma and a licence in order to be an IT Senior Engineer, then the majority of people will train to pass the exam rather than continue in job training to stay up to date and do a competent job.

        How many holders of licences are not worth the paper in the frame on the wall?

        If licensing was introduced to be valid, holders would really need to be retested annually or bi-annually to be sure they were up to standard. Someone somewhere will have to pay for the licensing system and the cost of engineers maintaining their status; when bean counters are already reluctant to spend good money on an engineer that does something they don't really understand, what will be their attitude when the engineer is even more expensive?

        Much of the fault in lax security is the result of upper management not appreciating the need and value of an intangible like security and cutting corners in the IT departments and not encouraging IT to spend time training staff in good security practices.

    2. Roland6

      Re: I don't know about licensing

      >I don't know about IT people needing to be licensed.

      Don't see a problem with that... It's all part and parcel of becoming a mature industry.

  7. Keven E.

    Actuary cow dung

    Methinks an anonymous FTP account being "left open" really requires more investigation to see who *actually made the mistake. Isn't insurance for "unforeseeable" things... like mistakes?

    Anyway, HTF can an actuary take into account insurance *risk when using... oh, for example only... a Microsoft server in which, over the last 5 years, 100+ security flaws have been discovered, exploited and "patched"?

    You drive a car knowing full well somewhere along the line the chances of getting a flat tire are big enough to buy roadside assistance. Seems like these "security insurance" co's are just low-balling their rates to get business... ignoring the eventual "return of the cows".

    1. Anonymous Coward

      Re: Actuary cow dung

      > You drive a car knowing full well somewhere along the line the chances of getting a flat tire are big enough to buy roadside assistance.

      Actually, most of us around here carry a spare wheel with tyre fitted.

      Even on the bike, I carry a pump (12V electric) and two spare tubes. If a tyre goes flat, I can have the tube replaced and be on my way in 10 minutes or so. On long tours, I plan to carry a spare wheel or two there too.

      Never been a need to get a bail out unless the tube is found to be defective.

      1. Anthropornis

        Re: Actuary cow dung

        You carry a 12V pump on a bicycle? Methinks thou art an 'merican ;-)

        Over here in blighty, some new cars do not have spare wheels. So far, I've managed to avoid buying one of those cars.

        1. Anonymous Coward

          Re: Actuary cow dung

          > You carry a 12V pump on a bicycle?

          Yep

          > Methinks thou art an 'merican ;-)

          Methinks a quick Google search on my name will prove you wrong.

      2. Trygve Henriksen

        Re: Actuary cow dung

        I use self-sealing tubes in my bicycle wheels...

        But also have a hand-operated pump and a repair kit for longer trips.

        1. Keven E.

          Re: Actuary cow dung

          Fine. It was not a good analogy... but I'll forget the mention of "self-sealing tubes in bicycle wheels".

          Isn't the word "unforeseeable" appropriate? Of that I can have an assumption of unforeseeableness (that which I don't know)... the reason for me seeking "insurances". Providing specific definitions of what falls under the context of "unforeseeable" is cheapening (sic) any definition of an "insurance". I'm not saying standards shouldn't be met. But I think it should be up to the insurance company to provide them and enforce, in essence... for themselves, if they are going to actually enter into a "coverage" contract. The contract covers what neither insurer nor insuree can foresee. Yes, it'll require a lot more people with *actual knowledge, not risk assessors and bet hedgers (lawyers)*.

          One would think the core problem is security. I believe the core problem is the assumption of security...

          But, then again, as far as I'm concerned (see * above), insurance companies should not be allowed to be profitable, but that's the usual issue, isn't it?

  8. Turtle

    Out Of Pocket.

    "When hackers swiped 32,500 patient records from Cottage Healthcare System, it was sued by its own customers for $4.1m – a bill that was settled by its insurance company. Now the insurance firm, Columbia Casualty Company, has claimed Cottage's computers were hopelessly insecure, and it wants its money back."

    This is one of very very few things that can lead to better data and computer security: make the responsible parties pay the damages, settlements, lawsuits and fines, out of their own pockets.

  9. Six_Degrees

    "For the loss of 32,500 customer records, the healthcare provider was eventually forced to pay out a settlement of $4.125m"

    So, that's about $126 per customer. And after the lawyers take their cut, customers will walk away with maybe $50 each.

    Which is pathetic.

    Make such losses punishable by a mandatory $10k, payable directly to the customers involved, and you'll see this crap stop in a heartbeat.

    1. Boo Radley

      In the US a doctor or hospital can also be fined $1,000 per breach of confidentiality. I would assume this would apply here, 32,000 records times $1,000 each would bankrupt many smaller businesses.

  10. Hit Snooze

    Did the insurance company require an audit of the insured network? If they didn't then I say they should pay up. The insurance company should require an IT audit once a year to make sure the insured are kept up to spec. It's a win/win for the insurance company as they do not have to pay for the audit, for fixing the issues, and for paying up if a hacker got in through a known hole.

    Maybe the admin thought they were completely secured and following every word of the insurance contract, but as it turns out, they were insecure. With the rapidly changing world of IT, how can someone know they are completely secure without either being licensed for every technology in your network (not gonna happen), or by requiring network audits by an external party.

    1. Roland6

      Re: Did the insurance company require an audit of the insured network?

      I think it all comes back down to the word "adequate".

      Does a household insurance company require me to have my locks and alarms audited every year? No but it does expect me to use and maintain them, hence if I get a break in they will look for evidence of forced entry before making a payout. Likewise, I have a garage, but I tend to leave my car on the drive, hence I pay an insurance excess, so that there can be no doubt about whether the car was/was not covered, if my car were to be damaged or broken into whilst parked on the drive. Because I've declared I have a garage, if I park the car in the garage and the garage catches fire etc. I'm still covered at no extra cost.

      So I think the question isn't so much about what the insurance company should require, but the excesses they charge for not following good practice.

      1. Hit Snooze

        Re: Did the insurance company require an audit of the insured network?

        "Does a household insurance company require me to have my locks and alarms audited every year?"

        Does that mean all I need for network security is a firewall? It might be improperly configured but hey, I meet the security specification! Locks and alarms are physical items which are easy to tell if they are configured correctly.

        With digital security it is a bit harder to know if things are secure, and it requires regular audits of not only network security but also server security. As every vulnerability has taught us, what we thought was secure yesterday is not secure today.

        Personally I hate audits but, if done by a true expert, they can point out some weaknesses/vulnerabilities that you might not have known were there and best practices going forward.

        1. swampdog

          Re: Did the insurance company require an audit of the insured network?

          Lest we forget govt is often told in advance of an impending audit. Non critical stuff gets downtime for a few days.

        2. Roland6

          Re: Did the insurance company require an audit of the insured network?

          >"Does that mean all I need for network security is a firewall? It might be improperly configured but hey, I meet the security specification! Locks and alarms are physical items which are easy to tell if they are configured correctly."

          Many insurance policies will give you a choice, with the most favourable rate being given to those who claim their locks and alarms satisfy certain criteria, e.g. door locks must be 5-lever etc. etc. (Aside, I suspect that many people using the price comparison websites never look at their 'cheap' policy and hence don't realise that they are probably not correctly insured...) Interestingly, I've not seen a clause that requires me to either regularly change the keycode on my alarm or to make it anything other than say "1234"; however, if I were to leave a post-it note with the keycode attached to the alarm they would find fault with my security practices.

          So with respect to IT and networks, we could expect insurance companies to lay out key requirements which you either sign up to or not and pay the appropriate excess, where such requirements may contain inspection/audit clauses. (Aside: It will be interesting to see how insurance companies deal with the IoT where key domestic systems are controllable from outside the building via the Internet connection.)

          Agree about the use of "true experts" but have found that it is useful to rotate such experts as each, due to their differing experiences, tends to take a differing approach and so can contribute more than simply having repeated visits from the same expert.

          1. theblackhand

            Re: Did the insurance company require an audit of the insured network?

            If there was an industry-wide regulation that covered storage and transport of health details then "adequate" would be defined as meeting those requirements.

            i.e.

            > While it may not be mandatory, encrypting your data provides "safe harbor." If your data is somehow breached or lost, provided it was properly encrypted, it will not be considered a breach of unsecured protected health information. To protect yourself and your data, make sure protected health information is encrypted in any possible location.

  11. DocJames

    Forget the leaks, fix the patient

    That is one very sick patient. I'd be suing for $4.1million if someone was standing around taking photos of my monitor. And sweating/swearing profusely if I was looking after the patient. I think the medical term for this is "perideath".

    It's the white one...

  12. Mike Lewis

    Outsourcing

    To me, the most interesting part of the insurer's complaint is that the healthcare system "outsourced data to firms with poor security". Could that be extended in future to "outsourced programming to firms with poor security"?

  13. Merodach

    Typically upper management echelons are largely to blame for these breaches. As a previous commenter noted IT budgets have been repeatedly slashed. Combine that with a perception of IT not adding to the bottom line (i.e. cost center only) and a (faulty) risk analysis that it is cheaper to deal with the results of a breach than to try to prevent and you wind up with an infrastructure that just can't meet the security needed to remain secure against most threats.
