Insurance underwriters are increasingly investigating ways to evaluate cyber risks and help healthcare organizations ensure health information systems and services are adequately protected, according to recent testimony from Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST), an alliance of healthcare leaders and security experts based in Frisco, TX.
Nutkis testified at a Homeland Security Committee hearing in front of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. HITRUST offers guidance on cyber security and compliance. (For resources, go to www.hitrustalliance.net and select the “downloads” tab on the upper right.) The purpose of the hearing was to examine the role of cyber insurance in risk management, to try to determine what the government can do to further the efforts of the cyber insurance market, and to encourage companies to better evaluate risk and lower premiums for customers to reinvest in further protecting patients.
During the testimony, Nutkis asserted that, along with reducing the overall financial impact of cyber-related incidents or breaches on an organization, cyber insurance and cyber insurance underwriters can play a key role in supporting an organization’s overall risk management strategy and help provide for the “adequate protection” of patient information. After analyzing the benefits of an underwriting program leveraging a robust risk management framework, HITRUST began educating underwriters on a cybersecurity assessment methodology that would provide the industry with consistent, repeatable, reliable, and precise estimates of cyber-related risk.
The testimony added that Allied World U.S., the first company to offer preferred terms and conditions based on meeting the HITRUST certification standards, conducted a review and analysis that determined that organizations that had obtained a HITRUST certification generally posed lower cyber-related risks than organizations that had not. The comprehensiveness and improved risk reporting enabled by the HITRUST scores, used in place of many of the standard information security application questions, create a more streamlined and consistent application process, Nutkis testified.
Nutkis told the Subcommittee that there are discussions with five other cyber underwriters regarding leveraging this approach, with an expectation that two more will be participating by midyear.