Caveat 7.21.21
Ep 86 | 7.21.21

Healthcare cyber insurance is no longer an option.

Transcript

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's privacy, surveillance law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben.

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben takes a closer look at a specially modified Android phone. I discuss how the Trump Justice Department got creative in trying to ferret out leakers of classified information. And later in the show, my conversation with Sumit Sehgal. He's Boston Medical's former CISO and now with a company called Armis. We're going to be discussing the uptick in cyberattacks on health care institutions and why he thinks it's no longer an option not to have cyber insurance. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben. Let's dig into some stories here. Why don't you start things out for us? 

Ben Yelin: We're back to being the Joseph Cox show this week. 

Dave Bittner: (Laughter). 

Ben Yelin: I feel like it's been a while, Dave. But I did choose one of his articles today. He, of course, works for Motherboard... 

Dave Bittner: Yeah. 

Ben Yelin: ...A part of the VICE network. And I stumbled upon his article "We Got the Phone the FBI Secretly Sold to Criminals." And I just love this story. These are called Anom phones. And they were used in an FBI honeypot to attract criminals, basically, who are lured into purchasing these devices. They seemed like they were encrypted devices that could be used surreptitiously to commit crimes. Really, it was all a setup, that the FBI was actually - and law enforcement agencies in other countries were putting these devices on the market to trick criminals into using them because they resembled other such devices that had these security features. 

Dave Bittner: So if I'm a bad guy and I need to communicate with my fellow bad guys and gals, I can purchase one of these devices. And I believe that everything I'm doing is fully encrypted and outside of the view of law enforcement. 

Ben Yelin: Right, exactly. Because you've probably come in contact with other similar devices. And the reason the FBI and other law enforcement agencies were able to develop these devices is because they have human intelligence sources saying we have these other operating systems out there that look like this. So the way it works is you unlock the device. And Joseph Cox is talking about one of these devices because he was sent one by one of his readers. 

Dave Bittner: Huh. 

Ben Yelin: You open the device, and it looks completely normal, like your average Android device. Although at your first pass, when you enter in the passcode, there are a bunch of standard applications in there - Twitter, Facebook, Tinder. But none of those apps actually open. If you reset the device and enter in a new passcode, then you end up on a screen that I think is just, like, the system settings and the calculator. And then embedded in the calculator, if you enter in some sort of secret calculation, you enter an encrypted messaging service or what you think is an encrypted messaging service. 

Dave Bittner: This all sounds very James Bond. 

Ben Yelin: It is. 

Dave Bittner: (Laughter). 

Ben Yelin: This is why I love this story, because it's right out of, like, a poorly written thriller movie. 

Dave Bittner: Yeah (laughter). 

Ben Yelin: And what's - I mean, there are many interesting angles about this. But the FBI and other law enforcement agencies have to be really good at setting these up to actually imitate these secretly encrypted devices because otherwise, the criminals would catch on. 

Dave Bittner: Right. 

Ben Yelin: And it has a lot of security theater embedded in it. So they have this thing where you can scramble your passcode so the numbers don't appear sequentially. This appears to the users to be a really useful security feature 'cause if third parties are watching them, you know, they wouldn't be able to deduce what the passcode is. 

Dave Bittner: So if someone's looking over my shoulder, for example. 

Ben Yelin: Exactly, exactly. And then they have a wipe-the-phone-clean button... 

Dave Bittner: Yup (laughter). 

Ben Yelin: ...Which they actually have on many of the devices that real criminals use. Of course, law enforcement agencies have been prosecuting people for obstruction of justice for wiping these devices. So of course, they make it very easy for the criminals on this device. Just press that button and we're happy to prosecute you. 

Dave Bittner: Interesting. 

Ben Yelin: So the way they communicate is through this hidden encrypted messaging application that's inside the calculator. And, you know, somehow, they know how to get to this page. 

Dave Bittner: Right. 

Ben Yelin: So this device, it's called an Anom phone. And the operating system - they set up their own operating system. A bunch of people have inadvertently purchased them because they've been sold on the secondary market, eBay, as very cheap Android devices. 

Dave Bittner: Yeah. 

Ben Yelin: And people buy them. And, you know, people who are tech savvy enough start to realize what's going on. There are a couple of clues in the startup process. You know... 

Dave Bittner: (Laughter) This is fascinating to me because, like - I don't know. If you've ever watched a show like "Breaking Bad," you know, or "Better Call Saul" or, you know, any of those shows where people are doing things they shouldn't be doing, the way they treat their cell phones - you know, if they no longer need a device, basically a burner phone, they break it in half. 

Ben Yelin: Right. 

Dave Bittner: They stomp on it. They don't put it - list it on eBay, right (laughter)? 

Ben Yelin: That's a great point. I mean, I - and I also - I wonder who's selling these devices, if it's the criminals themselves or just they've, you know, gone around the market and... 

Dave Bittner: Right. 

Ben Yelin: ...Somebody is looking for a very cheap device. 

Dave Bittner: (Laughter). 

Ben Yelin: Well, the applications don't really work except for the encrypted messaging on the calculator. 

Dave Bittner: Maybe the FBI had a warehouse full of them, and they can't use them anymore, so they're just letting them go for crazy prices. 

Ben Yelin: Yeah, exactly. 

Dave Bittner: (Laughter). 

Ben Yelin: And, you know, to a user or to somebody who's uninitiated, this is an amazing Android device. 

Dave Bittner: Yeah. 

Ben Yelin: It's a Google 4A Pixel whatever. 

Dave Bittner: Yeah. 

Ben Yelin: So it's sleek. It has a nice design. Of course, it turns out this is all a ruse, and the FBI, according to this article, and other law enforcement agencies across the world have obtained 27 million messages from nearly 12,000 devices running the software... 

Dave Bittner: Wow. 

Ben Yelin: ...In more than 100 countries. They add an extra encryption key, which allows the agency to read copies of the messages. So, you know, they're discovering things like large-scale drug trafficking operations, human trafficking - you know, all different types of illicit criminal activity. So, as I said, this is interesting for a number of reasons. 

Ben Yelin: The one thing I always want to mention in these situations - people who are unfamiliar with our legal system and legal systems around the world seem to have the mistaken thought that if they're, you know, manipulated by law enforcement into purchasing a device like this or are tricked into admitting something in an investigation room, that somehow that's an illegitimate law enforcement process. If you are fooled, you are fooled. You are in trouble. Law enforcement can engage in all types of surreptitious activity to catch criminals, and it's really up to the user to be tech savvy enough to really figure out what's going on because there's - you know, once law enforcement does catch you, you don't have any recourse. It's - you're not going to have any success saying, I was entrapped because they sold me this, you know, device that has a monitored... 

Dave Bittner: No fair. Yeah. 

Ben Yelin: Yeah, exactly. That... 

Dave Bittner: This didn't have a sticker on it that said, you know, courtesy of the FBI (laughter). 

Ben Yelin: Right. It's like all those police procedural shows when somebody is like, if I ask you if you're an undercover cop, you have to say you're an undercover cop, right? Like, that's not really a thing. 

Dave Bittner: Yeah, yeah. 

Ben Yelin: And this is just another instance where I expect that people who are going to be prosecuted after having purchased one of these devices might be of the mistaken belief that they have some sort of defense, that this was entrapment. Unless, you know, whomever sold you the device literally convinced you to commit a crime that you wouldn't have already committed, this is not entrapment. This is just some clever investigative work. 

Dave Bittner: Yeah. 

Ben Yelin: And it also means, if you notice anything suspicious when you're starting up your device, it could be a honeypot, and contact somebody who knows what they're talking about. 

Dave Bittner: (Laughter) You know, I certainly was aware of this story. This is something we covered over on the CyberWire. But I don't think that I knew - I don't recall ever seeing this number, the 11,800 devices. That is a much larger scale than I had pictured in my mind. 

Ben Yelin: Yeah. I mean, they created a whole market, which is really fascinating. And like I said before, they had to be good at what they did. You know, you're not just designing an investigative tool; you're designing a product that people are going to actually want to purchase and use. 

Dave Bittner: Right, right. 

Ben Yelin: So you have to have people at the FBI and other law enforcement agencies across the world who know how to develop devices and make them attractive to potential consumers. I mean, it ends up becoming a whole industry. And I can't wait until the movie comes out about this... 

Dave Bittner: (Laughter). 

Ben Yelin: ...When somebody gets their sweet new Pixel 4A and thinks that they're using a very secretive, encrypted chat application. 

Dave Bittner: Yep. 

Ben Yelin: And their calculator, you know, goes through their cocaine drug-smuggling operation. And then the clever FBI agent knocks on the door and says, we saw everything, you know? 

Dave Bittner: (Laughter) Right, right. Or the innocent person who gets drawn into a world of crime by - from the phone that they purchased innocently on eBay, you know? (Laughter). 

Ben Yelin: Yeah. And also, when you open the device, it does reveal the operating system, which is called Arcane OS. And I think now that some of these devices have been released, people would be able to recognize that this operating system is not exactly on the level. 

Dave Bittner: Yeah. 

Ben Yelin: I think what's particularly interesting about how they developed these devices - and, again, this mimics real devices that are out there in the market - is that all of these would be useless to people who aren't criminals because the real applications don't really work. When you first open the device and they have your standard home screen with applications on them, that's all a ruse. 

Dave Bittner: Camouflage. 

Ben Yelin: Yeah, exactly. 

Dave Bittner: Right. 

Ben Yelin: So people who aren't criminals would immediately toss away these devices and be like, this is of no use to me. But if you want, you know, your super-encrypted chat messages in the calculator applications, then there's probably not a great reason that you're doing that, to be honest. 

Dave Bittner: (Laughter) Right. Just use Signal. Just use Signal. 

Ben Yelin: Yeah. Exactly. Exactly. 

Dave Bittner: (Laughter) Right. Right. All right, well, we'll have a link to that story in the show notes. Again, Joseph Cox, who - we really need - do need to send him a gift basket. He's the gift that keeps on giving for this show. 

Ben Yelin: Yeah, we really do. And thank him for putting out interesting content... 

Dave Bittner: Yeah. 

Ben Yelin: ...And giving us a lot of food for thought. 

Dave Bittner: Yeah. My story this week comes from The Washington Post. This is written by Devlin Barrett and Spencer S. Hsu. Actually, this was drawn to my attention from Kim Zetter, also a well-known reporter in the space, on Twitter. The title of the article is "Trump Justice Department Effort to Learn Source of Leaks for Post Stories Came in Barr's Final Days as AG, Court Documents Show." 

Dave Bittner: So this story covers some of the efforts from the Trump administration's Justice Department trying to get to the bottom of some leaks, leaks of classified information. But the thing that really caught my eye and I think is particularly relevant to our conversation is they tried to go through a security company, a company called Proofpoint, a company that we discuss over on the CyberWire - well-known, well-respected cybersecurity company. I think they've even been an advertiser over on CyberWire. But... 

Ben Yelin: We better not say anything bad about them. 

Dave Bittner: (Laughter) But the Justice Department tried - served Proofpoint to get information from them to try to find data from reporters. Turns out Proofpoint was providing security services to The Washington Post. And so the Justice Department had a secret court order for Proofpoint to try to get some of that information. And that is not an avenue that I recall hearing about. We hear about them going after the Googles of the world... 

Ben Yelin: Right. 

Dave Bittner: ...And so on and so forth. So shall we dig into this, Ben? What is your take on this? 

Ben Yelin: Yeah, I mean, that's the really novel angle of the story. I don't think the actual investigation is particularly surprising. I mean, I think we now know - and we've talked about this in the past - that the Trump administration, from its earliest days to its latest days, were pretty obsessive about damaging leaks that were coming out and were being shared with national reporters. Some of those reporters, I might add, are people that we talk about all the time. 

Ben Yelin: We were just talking before we started - Ellen Nakashima, who is a Washington Post technology writer. We've referenced her articles repeatedly. She was one of the people whose records were sought as part of this investigation. 

Dave Bittner: Right, right. And I think worth pointing out, too, that this isn't necessarily a partisan kind of thing. I mean, this sort of thing really revved up during the Obama administration. 

Ben Yelin: Oh, yeah. The Obama administration was very obsessive about obtaining the records of journalists to root out leak investigations. It is certainly not something that's particularly partisan. 

Dave Bittner: Yeah. 

Ben Yelin: And this was done in the waning days of the Trump administration while Attorney General Barr was still there. So it was before the final days in office where the Department of Justice was kind of in shambles and was without leadership. 

Ben Yelin: So, I mean, this was authorized at the top. But as you said, this is not unusual. I mean, administrations of all parties become obsessed with who's leaking potential classified information, especially if it's potentially politically damaging. But yeah, the interesting part of the story is absolutely that they didn't go through what we now consider the standard process of going directly to the service providers, the Google, Microsoft, Facebook, Twitter, to try and obtain this information. I mean, that we're very used to. Going to a security company, which is what the Proofpoint Corporation is, is a novel method of trying to obtain these communications. 

Ben Yelin: Now, Proofpoint didn't respond for - to requests for comment, so we don't know the extent of their involvement. 

Dave Bittner: Right. 

Ben Yelin: You know, if they are legally required to retain these records, they are probably going to retain them. And what we know from the documents is that the federal government had strong reason to believe that disclosures of classified information were not only being shared to journalists, but they were potentially coming from members of Congress, which is a source of their concern. So you can understand why they'd be desperate enough to go to some of these security companies, if they just went to The Washington Post and said, hey, you know, who's leaking this information to you? 

Dave Bittner: Right, right. 

Ben Yelin: Washington Post would tell them to... 

Dave Bittner: Washington Post would hold up their copy of the First Amendment... 

Ben Yelin: Yeah, exactly. 

Dave Bittner: ...And say, go pound sand (laughter). 

Ben Yelin: Yeah. I think they might even use saltier language than that. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: But, you know, and I suspect that they probably tried the standard avenues we see of going directly to the service providers. But this is where, you know, they were really desperate to find that information and using a company or a firm that supplies data security services as a novel, creative way of trying to obtain this information, especially since they know that some of the journalistic outfits have purchased the services of this corporation. So yeah, I mean, I think that definitely is the interesting angle here. 

Dave Bittner: There's some interesting details, as well, following the release of this information. The U.S. Magistrate Judge Zia Faruqui - she noted - it says in the article, she noted in an order that even after acknowledging the investigation's existence, prosecutors continued to try to keep secret the specific stories under investigation. The judge refused, questioning why the scope of unsealing was so narrow, given that the investigation was closed without any criminal charges. 

Dave Bittner: Now, this is what I - this is - I just get a chuckle out of this, that she goes back to Merrick Garland in his former position as a judge on the Court of Appeals. 

Ben Yelin: Yeah, this is funny. 

Dave Bittner: She says she - the judge noted that the government's sealing power may not be exercised indiscriminately and cited a July 2020 opinion written by the current attorney general, Merrick Garland. Faruqui wrote, a sealed matter is not generally, as the government persists in imagining, nailed into a nondescript crate stored deep in a sprawling, uncatalogued warehouse. 

Ben Yelin: Spoiler alert here, by the way. 

Dave Bittner: (Laughter) So I don't know how often folks reference "Raiders of the Lost Ark," the end of "Raiders of the Lost Ark," which, as this article points out - the movie that ends with one of history's greatest treasures being buried inside a sprawling bureaucracy. I think there's a little bit of poetry there on the behalf of Judge Faruqui. 

Ben Yelin: Yeah, and also on Merrick Garland, who has more in him than I imagined... 

Dave Bittner: (Laughter). 

Ben Yelin: ...In terms of his literary references. 

Dave Bittner: Right, right. 

Ben Yelin: The serious part is, you know, nondisclosure is very important when there's no reason to continually classify information. And now that we know that the Justice Department has admitted they're not going to file charges against the reporters who were tracked as part of the story or against the members of Congress, rather, who were tracked as part of the story - so there's no reason now not to lift these nondisclosure provisions. It's in the public interest, and there is no longer any law enforcement justification for keeping this all secretive. 

Dave Bittner: Right, right. And the Biden administration has said that they're going to dial back pursuing reporters' sources. 

Ben Yelin: That's what they've said, yeah. And as... 

Dave Bittner: Time will tell (laughter). 

Ben Yelin: Yeah, absolutely. And as I've said, I think, previously on this podcast, where the rubber meets the road is if there's a piece of incriminating information that comes out about the Biden administration. Will this principle still hold? A lot of administrations come in and say, you know, we're not going to spy on journalists. 

Dave Bittner: Right, right. 

Ben Yelin: But, you know, someone gets some incriminating information about Hunter Biden or whatever, whatever the scandal of the day is, then... 

Dave Bittner: Yeah, yeah. 

Ben Yelin: ...You know, maybe they'll change their tune on it. So we certainly have to be very vigilant, even though they have professed a desire to stop investigating leaks by looking into journalists. 

Dave Bittner: Yeah, interesting. All right. Well, we will have a link to that story in the show notes. We would love to hear from you. If you have a story you'd like us to cover, you can send us an email. It's caveat@thecyberwire.com. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Sumit Sehgal. He is the former CISO of Boston Medical, and he works with a company called Armis now. And our conversation centered on the uptick in cyberattacks on health care institutions and why, in his opinion, it's no longer an option not to have cyber insurance. Here's my conversation with Sumit Sehgal. 

Sumit Sehgal: In the context of health care cyber insurance, this has been around, I would say, since the early 2000s at this point. So it goes back about 20 years. And really, the genesis of all of this was when the information security incidents against health care organizations started to become more complex, where organizations realized that it actually costs money to not only figure out how to contain an incident but how to respond to it, how to recover from it and, in addition, outside of the IT work that's involved, having to manage the data elements of it with regard to exposure - so how to handle communications with their patients, how to handle PR and how to handle all the logistics that go along with that process. They quickly realized probably in the mid-2000s that this is very expensive from a perspective of the result of an information security incident. And that's kind of what the - obviously, the insurance organizations realized that as well, and that's what kind of give birth to the cyber insurance industry. 

Sumit Sehgal: So what we've seen so far is that organizations have had a lot of time now to grow up from an information security perspective, and the insurance industry has also had to grow up from how they offer the policies, how they underwrite them and what they're willing - what they are willing to and what they're not willing to cover as part of their insurance riders. So where we find ourselves is, over the last 15 years, when the first insurance policies came out, they were mostly centered around information security risk management. They were centered around self-attestation from the health care organizations. And they largely covered the expenses that were made as a result of that specific incident, not in general information security. 

Sumit Sehgal: Fast-forward, you know, through that time to today, now we have a smorgasbord of different types of policies that cover everything from direct expense to indirect expense to third parties to, you know, even slicing and dicing with regard to - do you let the insurance company, for example, handle the forensic efforts or the PR efforts? Or do you do it yourself and the insurance company reimburses you? Those kind of, I would say, a la carte options have come about. So that's kind of how the overall landscape has changed. Education is still a big, I would say, benefit of having an insurance policy as well that helps risk information security - professionals within health care organizations understand what, really, their purview is, as well as access to third-party legal counsel. 

Sumit Sehgal: So those features have kind of stayed through the times. And what we see now is the insurance company has - insurance companies have wisened (ph) up to say, hey, we're not just going to sometimes take your word for it of what you're doing with security; we want to actually have you use a third party for attestation for how well you're doing security, or we need to see a concrete approach to your security program and security strategy aligning with your enterprise risk management approach, which is - you know, it's - I would call it maturing over time. So that's the - I would say that's the high-level kind of landscape of what things look like today. 

Dave Bittner: And are the insurance companies in a position of sort of, you know, driving improvement on the part of the health care providers? You know, I'm thinking of, you know, for example, for your homeowner's insurance. 

Sumit Sehgal: Yes (laughter). 

Dave Bittner: They're going to ask you, do you have a fire extinguisher in your kitchen? And do you have smoke detectors? You know, those sorts of things that... 

Sumit Sehgal: Yes. 

Dave Bittner: ...If you have them, chances are you're going to get some kind of a discount. Does that mindset apply to health care as well? 

Sumit Sehgal: It's coming. I don't think it's there across the board yet if you're talking globally and even if you're talking just from North America perspective. I think we have become much better as an industry in general to understand the benefits of having insurance. Like, in your example, I understand conceptually what a fire extinguisher does for me, but if I don't know how to actually take the pin out when you actually press the button, it doesn't do me any good, right? So... 

Dave Bittner: Right. Right, right, right. 

(LAUGHTER) 

Sumit Sehgal: So that's kind of where we are within the security industry right now, where the health care organizations understand that that is needed and there's definitely value in it. They're kind of in this mixed, weird stage where it's a love-hate relationship between them and the insurance providers because a lot of times, when the claims are actually made, to give you an idea, if it costs an organization a couple million dollars to have an insurance policy, their deductible may be a couple hundred thousand dollars before the policy will actually cover anything, right? 

Sumit Sehgal: So the organization introspectively - the organization, I mean the health care organization introspectively has to figure out at what point of their risk cycle is it actually worthwhile to transfer that cost to the insurance company. So in other words, is it make - does it make financial sense for me to submit a claim or not? 

Dave Bittner: Right. Right. 

Sumit Sehgal: Right? So - and a good example just happened to me yesterday on this - was, you know, we had a close call with a couple tornadoes where I live that went through. And when I called the insurance company to say, hey, we had some bad storms; can you come take a look at my house for external damage, they said, well, why don't you get a third party to come in and do it before we do it? And then if that cost that comes out is more than a deductible, then it would make sense to submit a claim. Otherwise, it may be actually cheaper for you to absorb the cost. 

Sumit Sehgal: So same kind of analysis is starting to happen now from the health care institutions out of the house. Because what I would call the integration between information security as a discipline of IT to now becoming a practice within the enterprise risk management group has largely increased. So they're having those conversations. But as of today, I haven't seen anything that predicates the fact that the costs are going to be cheaper if you have good processes. (Laughter) It's actually on the flipside. It is, I will cover you better if I'm - if you prove to me that you do security better. That's more like the approach at this point. 

Dave Bittner: Yeah. Do you have any insights on the approach that the insurance providers are taking in terms of what the types of coverage and the amounts of coverage that they're willing to provide? 

Sumit Sehgal: Yeah. And I don't think there's a baseline for that because the types and amount of coverage are dependent upon what policy riders the underwriters are willing to issue and what premium costs the organization is willing to take. 

Sumit Sehgal: So to give you an example, when I was giving you the high-level - the lay of the land, so to speak, you may have a policy that only covers your costs as it pertains to the incident that you're dealing with but doesn't cover the cost of implementing the changes that need to be implemented so that doesn't happen again - right? - versus another institution may have that piece of it as part of the rider as well. 

Sumit Sehgal: So those a la carte options are available today, and it's largely predicated upon direct impact - so impact to you as David's company, for example, versus you having the insurance company provide coverage for not only you, Dave, for your company, but downstream companies that are part of your health system as well. So we have a situation right now where coverages can extend anywhere from the low couple hundred thousands from a financial perspective that can go all the way up to, you know, a percentage of revenue, for example, for a health system. So that could go up in the 10 million, 20 million, 30 million, 50 million, hundred million dollars range, right? It depends upon what the organization is willing to pay. 

Sumit Sehgal: A more important question becomes - is for the health care organizations to not just focus on the premium and coverage, but to focus on value that the insurance provides. So, for example, when I told you that, hey, health care organizations have realized that it's one thing to respond on the IT side but some whole other thing to stand up a call center for the barrage of calls that I'm going to get of, what happened to my data? Why did you mess with that type of thing? Right? 

Dave Bittner: Right. Right. 

Sumit Sehgal: So it may be more useful to have a lower coverage for the direct financial impact, but it may be more useful to have bigger coverage to say, hey, you're not only going to cover my call center; you're going to cover the process by which I actually put the letters in the envelope and send it out and then track the responses that come back. You're going to cover the cost of external counsel that I need to hire to actually deal with all the legal situation that comes from these. 

Sumit Sehgal: So where we sit is the cost and value of the policy goes far beyond just the financial cost of - from a regulatory exposure perspective - right? - which I'm assuming that's what you're asking of what is the dollar amount. 

Dave Bittner: Yeah. 

Sumit Sehgal: The - so a lot of the health care organizations actually do take that kind of analysis to say, hey, does this policy help you get educated? Because I'm a health system that spans 28 states. Every state has their own requirement on what do I need to do for data. Does this help me navigate that? Does it give me access to resources for best practices or incident response or legal counsel that are cheaper than what I can get on my own? Does this help me get access to forensic technology that I don't have? Right? Does this help manage, like I said, the third-party logistics efforts of incident response? So those become part of the additives that go into determining what the money either into the policy looks like or what they cover. But in general, these policies are not cheap. I've seen, you know - in my career itself, I've seen premium amounts be as low as $20,000 to $30,000 a month, upwards of, you know, a couple hundred thousand dollars a month, depending upon the size of the organization. 

Dave Bittner: The relationship between the health care organizations and the providers of the cyber insurance - is that - is it a collaborative relationship? Is it adversarial? Does it, you know... 

Sumit Sehgal: (Laughter). 

Dave Bittner: Is it collaborative right up until the point they have to make a claim? Like, you know, how does that typically play out? 

Sumit Sehgal: No, I think it's collaborative and for two reasons. One, most enterprise risk - so most of the time, most health care organizations are self-insured, right? And that rolls up into the enterprise risk group within the health systems. In general, they do not have the expertise to self-insure for cyber-risk. So it becomes more of a conversation of say, hey, I don't have that capacity or capability in-house, so I'm going to get somebody to help me with that. 

Sumit Sehgal: The friction comes in when the - either at times of policy renewal, when the terms are being changed. So you had one policy for five years, and then the insurance company comes back and says, I'm not going to cover that now because I've gotten screwed by other people... 

Dave Bittner: Right. Right. 

Sumit Sehgal: ...Say they do something, and then when, you know, poop hits the fan, nothing that you said you did was evident in the response criteria that I helped you with. So it was blatantly obvious that you weren't doing what you were saying you're doing. 

Sumit Sehgal: So that's where the friction comes in, where - when you have these massive policy changes or rider changes that get enforced on the health care organization part that I see some combative - not combative. I would call them fierce conversations... 

Dave Bittner: Yeah. 

Sumit Sehgal: ...That happen, and which they should because you don't want it one way, right? So... 

Dave Bittner: Right, right. 

Sumit Sehgal: So insurance - and insurance policy is only as much as the organization is willing to accept the cost of transferring the risk. So that's where I see most of the friction happens. 

Sumit Sehgal: At time of incident, it's a, please do whatever you need to help this go away or get - this get better. 

Dave Bittner: Right. 

Sumit Sehgal: That's not the time that I see any friction. Friction also happens when it comes time to cover costs. So when the bills actually come forth, either from the government that you didn't do your work and they passed it on to the insurance provider and the insurance provider said, well, you didn't do what you say you're doing, so this bill for $200,000 - we're only going to give you $20,000, right? So that's where I see a lot of the friction happening. 

Sumit Sehgal: We've seen multiple times a couple lawsuits that have occurred for the concept of third-party risk, right? How does insurance cover third-party risk where the contracts have been signed, and this, I would say, discrepancy in the language in the rider of what third-party risk is for health care organizations. 

Sumit Sehgal: So that's - those are the areas where there's some friction with regard to the relationship. Otherwise, I would call it a fairly collaborative thing where companies know that you need it. Kind of your example of you need homeowners insurance, right? 

Dave Bittner: Right. Right, right. 

Sumit Sehgal: So that's not an option. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: Really interesting. I mean, I think the industry around cyber insurance for health care institutions is kind of meandering on the same path that other industries probably went through when they were developing that very market. It seems like it took them a while to analyze the risk profile. 

Dave Bittner: Right. 

Ben Yelin: And then they really had to start calibrating their products to the true cost of mitigating these threats. 

Dave Bittner: Right, right. It seemed like there was an explosion in ransomware, and these insurance companies were like, holy crap. 

Ben Yelin: Yeah. I don't want to pay for all this. Yeah. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: And I think that probably happens in every market. Like, you try and set out - you know, you use the smart accountants. You try and set up policies that reflect the actual risk. 

Dave Bittner: Well, and you want to do a land grab to get as many customers as possible as quickly as possible. 

Ben Yelin: Right, right. Then it turns out that ransomware, as we now know, is a thing - a big thing. 

Dave Bittner: Yeah. 

Ben Yelin: It's happening to all different types of institutions, including health care organizations, providers all across the country. And it's not just the cost, as he said, of recovering the data. It's rebuilding your entire system to prevent future attacks. 

Dave Bittner: Yeah. 

Ben Yelin: And you can understand why insurance companies are going to be reluctant to pay out to cover all of that. 

Dave Bittner: Right. 

Ben Yelin: So I think this means that the market is still going to be developing going forward just because we're still in the early stages of ransomware as a risk that has to, you know, be evaluated by the actuaries. 

Dave Bittner: Yeah, and the prices are doing nothing but going up right now. 

Ben Yelin: Yes. It's one of those vertical bars on the graph... 

Dave Bittner: Right. 

Ben Yelin: ...Where it's not going to get cheaper anytime soon. 

Dave Bittner: Yeah. All right, well, our thanks to Sumit for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.