Insurance Issues for Cloud Computing
Customer Liability May Require Additional Insurance
Organizations may find that standard business liability insurance coverage does not cover breaches, incidents and security violations, he notes. If this is the case, the organization may need to buy a "rider" to the insurance policy to cover these events, he explains. Unfortunately, Nussbaum says, "Insurance companies are still exploring ... how they would measure the potential liability if they were to issue such riders. So [the riders] may either be unavailable or extremely expensive."
In an interview (transcript below) following his participation in a cloud computing panel discussion at the American Health Information Management Association's Legal Electronic Health Record Summit, Nussbaum also:
- Describes important questions to ask a cloud vendor, including whether the company has experienced a breach and, if so, what corrective action it took in the wake of the incident;
- Advises organizations to ask cloud vendors for a copy of their HIPAA security risk analysis and make sure they've had a third-party audit as well; and
- Tells healthcare organizations to make sure the business associate agreement spells out responsibility for breach investigation and notification, including requiring the cloud vendor to quickly report breaches to help ensure HITECH Act breach notification rule compliance.
Nussbaum, an attorney and certified public accountant, is director of technology services at Kurt Salmon. He has more than 30 years of experience dealing with information technology, finance and marketing functions.
Liability Insurance Issues
HOWARD ANDERSON: You just participated in a cloud computing panel at the AHIMA Legal Electronic Health Record Summit. One of the points you mentioned was that hospitals and other providers need to check their liability insurance coverage when it comes to cloud computing risk. Can you describe those details?
GERARD NUSSBAUM: It applies to cloud computing. It also applies to many other forms of computing infrastructure, so some of the issues relate to just the coverage that the organization has in the event that something goes awry - a breach for example.
Some contracts from IT vendors, including cloud computing vendors, result in the assignment of the liability to the hospital for certain events. A hospital may find that standard business [liability insurance] coverage does not cover cyber-liabilities. These include things like breaches, security violations and the like, and this becomes especially serious when you consider that [it could involve] hundreds of thousands or millions of records, and the cost of dealing with and cleaning up a breach can run, depending on the severity of it and what information is released, to $50 to $100 per year per patient. ...
Cloud Computing Precautions
ANDERSON: What kinds of precautions should folks be taking when reviewing their insurance liability coverage?
NUSSBAUM: It first starts with reviewing the indemnity clauses in the contract itself and the assignment of responsibility. They need to carefully talk to their insurance carrier about the levels of coverage and be sure that events are either covered or they buy riders. In many cases, you're going to be forced to buy a rider because either the vendor will be unwilling to meet your requirements on the indemnity side or may be fiscally unable to, which is a secondary issue. Because even where you might be able to get the appropriate indemnity language in the contract, the indemnity language is only as good as the money in the bank behind it, or the insurance coverage of a vendor. Especially in the cloud space, there are a lot of smaller vendors who may not have the financial wherewithal to withstand an adverse event, especially when one of the benefits of cloud computing is economies of scale. Everyone is up on that platform, so it's not just a question of whether my 25 providers were breached, but most likely it would be every one of their customers. That could be a bankrupting event for the entity. ...
The healthcare organization needs to think clearly about: Is there adequate coverage? Does the vendor have adequate coverage? And if not, what is the cost of the rider from their current insurance carrier to cover specific events? Having said that, there are many of the primary insurance companies who are still exploring their way through exactly how they would measure and quantify the potential liability, if they were to issue such riders, so that a rider may be unavailable or extremely expensive.
Questions to Ask Vendors
ANDERSON: What are two or three of the most important questions regarding privacy and security that should be posed before entering a contract with a cloud vendor?
NUSSBAUM: The first question may seem obvious, but it is, "Have you had a breach yet? And if so, describe not only the cause of the breach but the root cause analysis process you went through to establish what needed to be corrected and the corrective action you took." The second aspect of that is, "Well how big was the breach and how did your customers feel about that?"
The next step is to make sure that all appropriate security measures are in place. ... Getting a look at their HIPAA security risk analysis will be very important. This would be a companion to making sure that they've had independent third-party reviews, such as a SAS 70 audit, and that they've taken the corrective actions necessary to address the deficiencies raised by their management accountants in such an audit.
Business Associate Agreements
ANDERSON: Now are there particular details that belong in a business associate agreement versus the contract?
NUSSBAUM: The answer to that question I suppose is I don't view a business associate agreement as independent from the contract. It's usually an exhibit to the contract, which makes it part of the contract; and so many of those things are just organizational.
Because business associates are now subject to many of the same restrictions from the regulatory and legal perspective as covered entities, we've moved to a point where understanding and clearly delineating how you're going to coordinate in the event of a breach becomes important, especially given the responsibility of the covered entity to still take action. You have to make sure that the reporting period from your business associate is short enough to allow the covered entity to do an appropriate assessment and make its responsibilities clear. ... If you let the business associate use the entire length of the law's period for [reporting a breach,] then the covered entity has no time to take its own action. And because it's the covered entity's data, it still has responsibilities - allocation responsibilities, time frames, clearly outlining who has the responsibility for notification, what the covered entity's role is in approving and reviewing any disclosures to patients, if it's determined that the business associate or the vendor should be the one doing that reporting.
You have to coordinate and have a unified front, and then responsibility for any ongoing monitoring cost, such as financial monitoring or reputational monitoring needs to be clearly laid out. The business associate agreement ... is a useful place to put all that. ...
Mutual Compromises
ANDERSON: Any final thoughts on what else should be in the contract when it comes to security?
NUSSBAUM: A contract usually represents a set of mutual compromises, and the organization needs to understand explicitly what risks it's taking and must be, on a managerial level, comfortable with the risks it's taking. That means, sometimes, that the contract gets longer because you are specifically addressing things; or you have a side list of things that, because they weren't addressed, the organization is ending up responsible for, and they need to be comfortable with that responsibility and the risk that comes with it.