The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement

A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down.

In the most recent SamSam attacks, the attackers concentrated their efforts on brute-force hacking of weak passwords on devices

Health care providers and suppliers should be wary of the “Orangeworm” threat, an implementation of malware out in the wild that’s gathering information off of compromised medical equipment, especially old systems where file shares and Windows XP are still in use:

https://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/

While this group seems to be limiting their actions to reconnaissance and compromising

Some notable stats showed up in the recently-released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,”

As you work to finalize your cyber insurance riders or supplemental policies, it’s important to pay attention to the language around what is specifically covered. To ensure you’re receiving the coverage desired, the first step is to understand the difference between hacking and phishing, and how this is being applied to your policy, and to ensure the language is mutually interpreted as clearly and uniformly as possible.

Hacking is the use of exploits and vulnerabilities to gain access to and extract information from, disrupt or tamper with a computer system. Hackers break into a system and take information.

Phishing is the use of social engineering via e-mail to trick the recipient into revealing personal or confidential information, or granting access to a computer system either directly or through the installation of malicious software. Phishers convince you to let them into a system or give them information.

Why is this so important to your cyber coverage? Because there’s been some fairly significant litigation around these differences that has supported both the upholding and denial of coverage. Here are 3 examples of cases where interpretation of the rider/supplemental policy language led to litigation:

Universal American Corp. v. National Union Fire Insurance Co., 37 N.E. 3d 78 (N.Y. June 25, 2015)
Continue Reading Hacking vs. Phishing – and Why the Difference is Important for Cyber Insurance Coverage