Cyber and Social Media in Long Term Care
LTC Risk Legal Forum, March 10, 2016
Mark Karlson, CPCU, ARM, Managing Director, Marsh USA
Judy Pearson, Managing Director, Marsh USA
Who Are We: Marsh and Mark
Marsh: global risk and insurance services firm; parent: Marsh & McLennan Companies (NYSE: MMC)
US HealthCare Practice:
- 27 of the top 50 non-profit hospitals
- 25 of the top 50 for-profit hospitals
- 18 of the top 25 health insurers
US Cyber Liability Team:
- 25 dedicated team members
- 1,400 cyber, privacy, network security and technology clients
Mark Karlson: HealthCare National Practice Leader for Management Liability
April 28, 2019
Agenda
Cyber and HealthCare:
- Cyber events in HealthCare
- Why is HealthCare a cyber / social media target?
- Cyber risk management approaches
- Cyber insurance market
Social Media in Long Term Care:
- Residents
- Families
- Employees
- Business operations
- Social media best practices
Why is Cyber such an issue for Healthcare?
- Data-intensive industry
- ACA reform drives collaboration, which drives data movement
- Patient / provider connectivity dynamic increases risk
- Capital investment needed to upgrade systems
- False claims identification
- Disgruntled employee exposure
- Connectivity of employees and social media activity
- HIPAA, HITECH and other regulatory requirements
- Frequency of patient (or family) review of activity
Cyber Events in HealthCare
Recent breach events in HealthCare (number of records):
- Anthem: 79 million
- Anthem: 9 million
- Excellus: 10 million
- Premera: 11 million
- CareFirst: 1 million
Statistics:
- HealthCare was 35% of all data breach events as of mid-2015, but 68% of total records breached
- 90% of HealthCare entities have experienced a breach
- 125% increase in criminal attacks on HealthCare in the past 5 years
- $13,500: cost to each patient to repair/recover from a breach
- $2 million: average event cost in HealthCare
Cyber Events and Regulatory Liability
Recent examples:
- Anthem: $1.7 million for HIPAA violation
- HealthNet: $250,000 penalty by the CT Attorney General
- Beth Israel: $100,000 penalty by the MA Attorney General
- NY Presbyterian: $4.8 million for HIPAA violation
- California Confidentiality of Medical Information Act (CMIA): up to $4,000 per person
- HHS Office for Civil Rights: $50,000 per violation
Why is HealthCare data attractive to threat actors?
- Black market value of PHI is higher than the value of a Social Security number
- Latency between the breach and use of the data: credit cards are quickly shut down and reissued, whereas medical records and identity data cannot be cancelled and replaced
Uses of the data:
- Identity theft and impersonation
- Access to medical care
- Access to financial information and institutions
- Access to SSNs and other personal identity information
- Access to pharmaceuticals
Nation-state attacks:
- Seeking data on the US population
- Seeking passwords and access to corporate systems
- Industrial espionage
The Reality… (graphic slide)
Cyber Attacks in HealthCare (graphic slide)
Cyber and Social Media Risk Management Approaches
- Technology safeguards and platform design
- Breach event planning and rehearsal
- Business Associate Agreements (BAAs)
- Patient / family privacy agreements
- Employee awareness and training
- Penetration testing
- Independent review: FireEye, Mandiant, Cyence, etc.
- Cyber insurance
US Cyber Insurance Marketplace
Annual premium volume information about the US cyber risk market is hard to come by, but in reviewing the market we have concluded that annual gross written premium may be as much as $2.5 billion:
- A limited number of very large writers, with premiums in excess of $100 million (AIG, ACE, Beazley, Zurich)
- Several carriers in the $50-100 million range (Endurance, XL, etc.)
- Several more in the $25-50 million range (Liberty, etc.)
- Numerous carriers and managing general underwriters writing $10-25 million
- Several writing in the $5-10 million and $1-5 million ranges
CYBER INSURERS: Market Capacity - Cyber Coverage (all numbers in millions; figures are Primary / Excess)
US market:
- ACE USA: 25 / 10
- Admiral: 5
- AIG (Executive Liability & Lexington): 15
- Other US carriers listed: Alterra, Arch Capital, Argo Pro, Aspen, AWAC, AXIS, Beazley, Berkley, Berkshire, CFC Underwriting, Chartis Cat Excess, Chubb, CNA, Endurance, Freedom, Hartford, Hiscox, IronShore, Liberty, Markel (Evanston), Navigators, One Beacon, Philadelphia, QBE, RLI, RSUI, ScorRe, Starr, SwissRe, ThinkRisk, Travelers, Westchester, XL, Zurich US
- Total US: 515 / 195 / 405
Bermuda market:
- ACE, AIG Cat Excess: 25 / 15
- Aspen**, AWAC
- Alterra (shared capacity with US): 10
- Chubb Atlantic**, Endurance, IronStarr, Markel, XL
- Total Bermuda: 165 / 110
London market:
- Ace Global (shared with US): 40
- Aegis, ANV: 20
- Aspen, Barbican, Brit, CFC, Kiln, Liberty, Novae
- Total London: 175 / 135 / 170
Summary:
- Total US: 515 / 195 / 405
- Total facultative reinsurance
- Total global market: 865 / 330 / 690
Available capacity may be impacted by factors such as:
1. Breadth of coverage pursued
2. Lead / primary carrier(s)
3. Excess carriers
4. Loss experience
5. Retention(s) and coinsurance
6. Premium
7. Financial condition
Cyber Rate Changes
- HealthCare, Q1 2015: 6.9% average
- HealthCare, Q4 2015: 50%+ average
- Non-HealthCare, non-retail, Q4 2015: 10% average
CYBER INSURANCE DEFINED – First Party Coverages
- Business income: lost revenues due to a cyber event
- Data asset protection: costs to recover or recreate data
- Event management: forensic costs, notification costs, credit monitoring costs; service providers to handle an event
- Cyber extortion: costs to respond to a cyber extortion event
CYBER INSURANCE DEFINED – Third Party Coverages
- Privacy liability: costs to respond to a lawsuit arising out of a breach; customers, employees and third parties are likely claimants
- Network security liability: costs to respond to a lawsuit arising out of a network or security failure; customers are likely claimants
- Privacy / regulatory liability: costs to respond to a regulatory action
- Media liability: costs to respond to allegations that online content included libel, slander, misappropriation, plagiarism, etc.
CYBER INSURANCE DEFINED – Exclusions
Mechanical issues:
- Prior claims, SEC liability, ERISA liability, bodily injury, property damage, employment liability, etc.
- Asbestos, pollution
- Types of cyber insurance not purchased
Legal limitations:
- Violations of the Sherman Act, antitrust, RICO, FLSA, etc.
- Criminal or fraudulent acts (but defense applies until proven)
- Patent infringement
Damages do not include: future profits, return of fees, fines, taxes, sanctions, penalties
INSURANCE GAP ANALYSIS
The example depiction on the following page is an illustration of a sample gap analysis. Question raised: is loss or damage to reputation coverage available on cyber?
Legend: Covered / Not Covered / Dependent upon specifics of claims, may not be covered
Note: All insurance coverage is subject to the terms, conditions, and exclusions in the applicable individual policies. Marsh cannot provide assurance that insurance can be obtained for any particular client or risk.
Advice to Clients: Have a Strategy and a Plan
- Governance and executive-level attention for the data breach plan
- Identify potential threats
- Identify data assets and their location
- Prioritize exposures and create a roadmap to secure assets
- Update the data breach plan regularly
- Test the plan and the security
- Train employees and make it real
- Have appropriate insurance coverage
Social Media as a Subset of Cyber
Social media (platforms used by patients, employees, families, etc.), for better or worse:
- Has become part of the environment
- Is not totally controllable
- May or may not create a clear trail of origination and liability
- Is extremely easy to access
- Is a necessary part of operating an LTC business
- Allows for positive / negative online commentary
- Is not exempt from HIPAA and other regulatory requirements
LTC Social Media: Residents/Patients
- Patient medical information must remain private
- No PHI should ever be posted online by an employee, patient, or family member
- HIPAA does not exempt social media activities
- No medical advice should be given in response to a post
- No pictures of a resident without prior written permission
- WiFi user agreements
LTC Social Media: Families
- Marketing to future customers
- Dialogue with families of residents
- Resident / legal guardian agreement to social media guidelines
- Communication: resident to family; family to employees
- Fundraising activities for non-profits
- Pictures
- Use of the LTC logo
- Disclaimers
LTC Social Media: Employees
- Mandatory training on privacy and social media
- Monitor online postings by employees
- Nurses / caregivers often use online forums to discuss care and experiences
- Employees may be sued for defamation, breach of privacy, or harassment
- Employees must not discuss their work experiences in the same way they discuss their personal experiences
- Training: posted information does not go away and cannot be limited to the intended recipient
- Disclaimers: require them on personal posts regarding the LTC facility
- Discourage "friending" of residents and families
LTC Social Media: Business Operations
- Design an intentional approach to social media: who can post? who can comment? who can "like"? who will monitor?
- Train employees: boundaries between work and personal; no expectation of privacy (monitoring)
- Prohibit pictures without express written permission
- Computer access: personal use, Skype, web time, etc.
- How to respond to resident/family posts?
- Social media in hiring / firing employees
LTC Social Media: Conclusions
- Have an implementation plan and a strategy
- Have an incident response plan
- Act with privacy, respect, honesty
- Seek legal guidance
- Safeguard cyber/data/operational systems from social media systems
- Review potential insurance solutions for cyber/data breach risks
Thank You
Judy Pearson
Western Zone Senior Care Leader, Marsh National Healthcare Practice
Marsh Risk & Insurance Services
17901 Von Karman, Suite 1100, Irvine, CA 92614, USA
Office: 949 399 2982; Mobile: 949 584 7439
Judy.i.Pearson@Marsh.com

Mark Karlson, CPCU, ARM
Managing Director, Marsh FINPRO; National Practice Leader for HealthCare Management Liability
20 Church St, 8th Floor, Hartford, CT 06103
P: 860-723-5660
mark.r.karlson@marsh.com
www.marsh.com