Health care industry once again reminded of cybersecurity risks with cloud vendors | Manatt, Phelps & Phillips, LLP

Summary. The Ohio Supreme Court ruled last week that insurance coverage was not available to a provider of cloud-based medical software because, under the applicable insurance policy, "[c]omputer software cannot suffer 'direct physical loss or physical damage' because it has no physical existence." As discussed in more detail below, this decision illustrates how and why healthcare organizations should assess both their cyber risks and their incident response plans.

Cyber risks for healthcare. The final week of 2022 brought with it two reminders of the ongoing ransomware plague on the healthcare industry and of the need for organizations to take careful steps to guard against cyber risks. On December 28, 2022, news broke that the personal data of nearly 270,000 patients had been accessed in an attempted ransomware attack on a health care system in Louisiana. The industry is now accustomed to these types of attacks, which are particularly debilitating and expensive: IBM's 2022 Cost of a Data Breach Report estimates that the cost of responding to the average healthcare industry breach exceeds $10 million. And the day before, the Ohio Supreme Court held that a medical software vendor was not covered by its insurance policy for a ransomware attack that encrypted its system files. The company provides cloud-based applications and billing services to both single and multiple medical practices. The court's analysis is highly relevant to healthcare providers' assessment of cyber risk, given the significant efforts many are making to move critical technology, including electronic medical records and billing applications, to the cloud.

EMOI Services, LLC v. Owners Insurance Company. The importance of proper insurance coverage is evident from the Ohio Supreme Court's December 27, 2022 decision in EMOI Services, LLC v. Owners Insurance Company, which addressed whether coverage for physical damage to "media" would extend to a medical software company's losses from a ransomware attack. The ransomware attack encrypted the company's computer systems and the files needed to run its software and database systems. The company eventually paid the ransom and received the decryption key, although even then it was reportedly unable to decrypt certain parts of its system. The company's insurance policy included a rider for data breach events, but that rider excluded coverage for costs arising from "any threat, extortion or blackmail," including "ransom payments." Thus, it appears that the company could not rely on this rider.

Instead, the company sought coverage under a different endorsement, the Electronic Equipment Endorsement of its policy, which provided coverage for direct physical loss of or damage to "media," defined (according to the court) as "material on which information is recorded, such as film, magnetic tape, paper tape, discs, drums, and cards" and "a computer program and the reproduction of data on the covered media." The trial court found that the evidence showed no harm to the company's software and databases from the encryption; the Ohio Court of Appeals disagreed and ruled that the company should have the opportunity to "prove that its media, that is, its software, was indeed damaged by encryption." (There appears to have been no dispute that the computers' hardware components were not damaged; only the information and programs stored in, and accessed through, those components were affected.)

That question was left to the Ohio Supreme Court. That court determined that the endorsement required direct physical loss of or damage to the media; "media," the court decided, "has a physical presence." Because electronically stored information (in the court's view) is "totally intangible," it and the computer software comprising that electronically stored information "have no physical existence," and thus computer software cannot sustain physical damage absent physical damage to the hardware on which the software is stored.

Practical considerations. This decision clarifies the questions facing healthcare organizations. For example:

  • Have organizations assessed the potential cyber risks to their businesses and those of the suppliers, vendors, and others with whom they share information?
  • Have organizations appropriately contracted with cloud service providers to ensure that cyber and privacy risks are appropriately addressed and communicated?
  • Do organizations have the right portfolio of insurance coverage to protect against these risks?
  • For organizations that rely on off-site services (such as cloud hosting), can they even assess appropriate coverage if they cannot tell whether there is a physical machine or a virtual machine on the other side of the wire?

These are open questions that will be answered over time as more software and applications move to the cloud and cyber risks evolve rapidly. But the EMOI decision reinforces these points:

(1) Health care organizations and others must deploy a set of appropriate technical and governance controls, conduct appropriate diligence during and after contracting, and, if the parties contract to transfer liability or to require minimum insurance coverage (which is still common), carry appropriate insurance coverage to protect against the effects of a successful attack and the required response.

(2) Healthcare and other organizations that require their vendors and suppliers to maintain cyber security insurance will need to closely evaluate the coverage they require to ensure it actually protects against the potential risks.

(3) Relying solely on third-party vendors' insurance coverage is often not enough to mitigate privacy and security risks; instead, active and ongoing diligence and review of technical, policy and governance controls is critical when onboarding and maintaining third-party suppliers, in order to identify and mitigate any risks.
