This past September I got a call out of the blue from an insurance agency manager who had attended one of my first cyber security risk management classes two years ago. They wanted to know if I still offered my safeguard program and whether it would help them show compliance with the HIPAA Security Rule, also called the Omnibus Rule, which was about to become effective September 23, 2013. You see, I planted the seed of information by teaching a class about cyber security best practices and due diligence, then demonstrated the compliance framework adapted specifically for small businesses, non-profits and local government agencies. The Omnibus Rule requires business associates of HIPAA covered entities to have a business associate agreement (BAA) that includes a risk management plan and employee training for safeguarding Protected Health Information (PHI) in the course of doing business. This was the first time I had an agency take the initiative to become compliant with a Federal mandate, and for good reason.
The Dept. of Health and Human Services (HHS) is definitely enforcing compliance on this particular section of HIPAA (Health Insurance Privacy and Accountability Act) and has increased fines and penalties, but that’s not the only reason. According to the recent Lloyd’s of London report ranking risk perception internationally, cyber-threat is the 3rd biggest and fastest growing risk factor in the survey of nearly 600 C-Suite and board-level executives, right behind high taxes and customer loss. Until now most businesses have been largely complacent about cyber-threats, but the cost and the damage to reputation are driving them to implement safeguards and obtain specialty cyber insurance coverage. Insurance agencies who adopt a safeguard program themselves are better protected and better prepared to help their clients mitigate cyber-risk exposures.
So right now this agency is going through the employee training phase of their safeguard program, and after that they will have established a “cyber-security culture,” which is an affirmative defense whenever they experience a data loss or breach. They will document this in their compliance matrix, which serves as a roadmap to achieving and documenting their good faith efforts toward cyber-risk due diligence. The next step is to help them get their clients under the same safeguard program, which in turn makes them a safer risk and protects their best interests as well. I look forward to seeing the results of this agency. I am actually proud of them; I’ve never seen an agency be this proactive before.