Synopsis. The Ohio Supreme Court ruled last week that a cloud-based medical software provider was not covered by its insurance policy for a ransomware attack: computer software has no physical existence and therefore cannot suffer "direct physical loss or damage." Although the court acknowledged that the software was code-based, the ransomware did not cause the physical damage the policy required, leaving the company to bear the full cost of responding to the incident. As discussed further below, this decision demonstrates how and why healthcare organizations should assess both their cyber risk and their response plans.
Healthcare cyber risk. The final week of 2022 brought two reminders of the continuing toll of ransomware on the healthcare industry and of the need for organizations to take prudent steps to protect against cyber risks. On December 28, 2022, news broke that an attempted ransomware attack on a Louisiana health system had accessed the personal data of approximately 270,000 patients. The industry is now well acquainted with these types of attacks, which are particularly debilitating and costly: according to IBM's 2022 Cost of a Data Breach Report, the cost of responding to an average breach in the healthcare industry exceeds $10 million. The day before, the Ohio Supreme Court ruled that a medical software vendor was not covered by its insurance policy for a ransomware attack that encrypted its system files. The company provides cloud-based application and billing services to both individual and multi-institution healthcare clients. The court's analysis is highly relevant to healthcare providers' assessment of cyber risk, given the significant efforts many are making to move critical technologies such as electronic medical records and billing applications to the cloud.
EMOI Services, LLC v. Owners Insurance Company. The importance of adequate insurance coverage is illustrated by the Ohio Supreme Court's Dec. 27, 2022 ruling in EMOI Services, LLC v. Owners Insurance Company, which addressed whether coverage for physical damage to media included the losses of a medical software company whose files had been encrypted in a ransomware attack. The company eventually paid the ransom and received the decryption key, but was reportedly still unable to decrypt certain parts of its system. The company's policy included a rider for data breach events, but that rider excluded coverage for costs arising from any threat or extortion, including "paying a ransom." So the company clearly could not rely on that rider.
Instead, the company sought coverage under a separate endorsement: an electronic equipment endorsement to the policy that provides coverage for direct physical loss of or damage to "media," which (according to the court) the policy defined as material on which information is recorded, including "films, magnetic tapes, paper tapes, disks, drums, and cards" and "reproductions of computer software and data contained on covered media." The trial court ruled that the evidence did not show that the encryption had harmed the company's software and databases. The Ohio intermediate court of appeals disagreed, holding that the company should be given the opportunity to "prove that its media, i.e., its software, was in fact damaged by encryption." (No one appeared to dispute that the computer hardware itself was undamaged; only the information and software stored on and accessible from that hardware were affected.)
This led to the final judgment in the Ohio Supreme Court. That court ruled that the endorsement required direct physical damage or loss to the media, and that "media" must "have a physical existence." Because electronically stored information is, in the court's words, "totally intangible," electronically stored information and the computer software that makes it up have no "physical existence," regardless of where the software is stored.
Practical considerations. This decision illustrates the problems facing healthcare organizations. For example:
- Has your organization assessed the potential cyber risks to its business and to the suppliers, vendors, and other businesses with which it shares information?
- Has the organization contracted properly with cloud vendors to ensure that cyber and privacy risks are adequately addressed and clearly defined?
- Does the organization have an adequate portfolio of insurance coverage to protect against those risks?
- For organizations that rely on services delivered off-site (such as cloud tenancy), can adequate coverage be assessed without knowing whether there are physical or virtual machines on the other side of the network?
These are open questions that will be answered over time as more software and applications move to the cloud and cyber risks continue to evolve rapidly. But the EMOI decision reinforces the following points:
(1) Healthcare organizations and others must deploy a combination of appropriate technical controls and governance, with proper care during and after contracting, to protect against the impact of a successful attack and to support the necessary response.
(2) Healthcare and other organizations that require their suppliers or vendors to maintain cybersecurity insurance should carefully assess the coverage they need to ensure they are protected from the risks they have assumed.
(3) Relying solely on a third-party vendor's insurance coverage is often not enough to mitigate privacy and security risks. Rather, proactive and ongoing attention to, and review of, technology, policy and governance controls to identify and mitigate risks is essential when onboarding and maintaining third-party suppliers.