Today's Practice: Changing the Business of Medicine National Edition Q1 2017 | Page 44

TECHNOLOGY
Ransomware
Trevor Weyland
Response
These incidents are becoming increasingly common, and healthcare organizations have begun to analyze their security and response plans accordingly.
Although various federal and state laws require healthcare organizations and their business associates to provide notification following a breach of unsecured protected health information (PHI), there is currently no requirement to provide notification of a ransomware attack. The U.S. government discourages individuals and organizations from paying the ransom (since this does not guarantee that files will be released) and requests that cases of fraud be reported to the FBI.
Coverage Considerations
These ransomware examples are situations where the insured is being threatened with a breach of their security that will result in a denial of access to systems and data, damage or deletion of data, theft of data, or the interruption or suspension of their computer systems. So, what can a business do to help mitigate the threat? This "cyber extortion" can be addressed by both security/privacy (cyber) insurance and kidnap and ransom policies.
Security/Privacy (Cyber) Insurance
A cyber insurance policy contains several insuring agreements; the core insuring agreements address computer network security (information security) liability, privacy liability, regulatory defense costs and associated penalties, media liability and the first-party costs of responding to a breach (costs of forensic and legal advice, notification expenses, credit monitoring). Other insuring clauses may address first-party (the insured's) business interruption loss, the costs of restoring lost data and, typically, cyber extortion costs.
If the healthcare entity's cyber policy includes coverage for cyber extortion, the policy will respond to threats to damage, alter, destroy or render unusable data, or to insert malicious code into the computer system. However, without that specific insuring agreement, most policies will not typically cover threats to physically harm (or kidnap) any person, nor bodily injury resulting from the impact of ransomware/malware. The cyber extortion coverage is specifically designed to cover payments to terminate the threat (and the fees of security consultants), as opposed to compensation for bodily injury or financial loss.
Kidnap and Ransom Insurance
The healthcare entity's kidnap and ransom policy may include extortion as an insured event, to cover a threat to the entity or an insured person (by someone who demands a ransom not to carry out the threat), to kill or injure an insured person, and also the threat to damage, alter, destroy or render unusable your data or to insert malicious code into the computer system.
This differs from the cyber extortion coverage in a cyber policy, which, as discussed above, does not typically cover bodily injury, because the kidnap and ransom policy covers the ransom payment, legal liability of the organization arising out of the extortion (including bodily injury), and specific payments for death, dismemberment or disability of the insured person.
Existence of Coverage Must Be Kept Confidential
Kidnap and ransom policies and the cyber extortion coverage in a cyber policy typically require that the insured not publicize the existence of the coverage.
Demands that Require Payment in Bitcoins
Many ransomware attackers are demanding payment in bitcoins, a crypto-currency that is not governed by a