A Debate Worth Pondering: Will Data Protection Liability Insurance Be a Game-Changer for Providers?
It was my privilege and pleasure to moderate a panel discussion Monday during the “Health Information Executive’s Guide to Cyber Security: A CHIME LEAD Forum Event in Collaboration with iHT2.” The event, which was held on Oct. 6 at the Westin Arlington Gateway in Arlington, Va., was cosponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and the Institute for Health Technology Transformation, or iHT2. (Since December 2013, iHT2 has been in partnership with Healthcare Informatics, through the Vendome Group LLC, HCI’s parent company.) And it flows naturally into the opening sessions today of the Health IT Summit in Washington, D.C.
In any case, I was honored to be asked to moderate a panel discussion entitled “Healthcare Cyber Security Solutions: Concepts and Trends.” My fellow panelists were all thoughtful healthcare IT data security leaders: Darren Lacey, chief information security officer (CISO) at Johns Hopkins University and Johns Hopkins Medicine; Miroslav Belote, director of IT infrastructure and information security officer at JFK Health System; Skip Hubbard, senior vice president, business intelligence & performance improvement at Bon Secours Health System; and David Finn, health information technology officer at Symantec, and a former CIO.
And in the midst of our broad, wide-ranging discussion on how one might build a data security infrastructure and what lessons these gentlemen and their colleagues have been learning in doing so in their organizations so far, a fascinating issue came up around data breach/IT security insurance. This is insurance that many, if not most, patient care organizations are purchasing these days, as the potential for serious data breaches involving protected health information (PHI) has been growing by leaps and bounds nearly every day now, and bigger and more serious breaches are happening virtually every week (for example, the hacking of the Franklin, Tenn.-based Community Health Systems, which led to the compromise of 4.5 million patient records, and has already produced the filing of a class-action lawsuit).
And the question that came up was this: is there a potential for the eventual near-universalization of data breach/IT security liability insurance to alter how chief information security officers, CIOs, and others involved in this area, manage data security processes?
The point that I myself made is that perhaps, as breach/data security liability insurance becomes near-universal, isn’t it possible that those insurers will essentially force best-practice process protocols on CISOs and others charged with maintaining the security of protected health information from both internal and external threats? (That is to say, internal staff and others, and external hackers and others.) I made the comparison with regard to how the rigors forced on obstetricians by malpractice insurers have nearly straitjacketed those medical specialists in terms of how they handle certain clinical processes, in order to not be sued out of business.
Not everyone agreed, but some on the panel did feel the comparison was apt. Fundamentally, as I was saying in the discussion, liability insurers may well come to compel CISOs and others to follow relatively strict data security protocols in order to maintain their liability insurance, thus perhaps forcing a kind of standardization of approach onto patient care organizations when it comes to PHI and other healthcare data security processes. It’s a fascinating prospect.
In the meantime, all of the panel members are working to optimize data security processes and to achieve best practices in the industry. It promises to be a very long journey ahead—but also one in which some collective wisdom will inevitably accumulate.