Lack of physical loss in ransomware attack raises insurance concerns after court ruling


A case quietly decided in the Ohio Supreme Court earlier this month contains language that could signal further issues in the context of ongoing changes in cyber insurance, particularly for healthcare providers who rely on alternative insurance policies to protect the business in the event of a network outage.

Seven Ohio judges ruled unanimously in favor of Owners Insurance Company in a case filed against the insurer by EMOI, a healthcare medical billing software provider. Owners Insurance provided EMOI with an all-risk policy and denied a claim for damages caused by a September 2019 ransomware attack.

In the ruling, the judges affirmed that the policy’s electronic equipment endorsement was unambiguous in requiring direct physical loss or damage to electronic media.

The language that directly follows this statement should confuse most technology and cybersecurity leaders: “Since software is an intangible item that cannot sustain direct physical loss or direct physical damage, the endorsement does not apply in this case.”

The definitions section of EMOI’s policy describes media as being physical in nature, which the judges ruled could not be applied to software because, under those definitions, software does not physically exist. “‘Covered media’ refers to media that has a physical existence,” according to the ruling.

“Computer software cannot sustain ‘direct physical loss or physical damage’ because it has no physical existence,” the ruling continues. “Software is essentially nothing more than a set of instructions that a computer follows to perform specific tasks… While a computer or other electronic medium has physical electronic components that are tangible in nature, the information stored therein has no physical presence.”

“In other words, the information – the software – is entirely intangible,” the ruling adds.

From a purely technical point of view, this language clearly misses the point. As Dave Bailey, VP of Security Services for Clearwater’s CynergisTek explains, “If it’s no longer usable, even though it may not be ‘physically destroyed’, it’s literally something that you throw in the trash.”

Obviously, no security team would put a drive back into service if it could not be wiped or recovered after an attack, as there would be no guarantee that the threat had been completely eliminated. The drive would instead be destroyed and never used again.

EMOI’s policy with Owners may, indeed, include language that goes beyond these technical elements, which is a broader issue from an overall business risk perspective.

Owners Insurance Company denied EMOI’s claim for damaged software

The court case stemmed from a claim denial by Owners Insurance, brought in response to the 2019 ransomware attack. After weighing the time and cost of restoration, EMOI opted to pay a ransom demand of $35,000 to restore its systems. While the supplied decryptor restored the majority of its systems, its automated phone system server remained encrypted.

EMOI filed a claim to recover its losses from the damaged software. But Owners denied the claim on the grounds that there was no physical loss or damage directly related to the attack, as required by the wording of the policy.

The denial sparked a lawsuit that was initially dismissed before an appeal led to a lower court judge ruling in favor of EMOI. The Ohio Supreme Court decision then overturned that ruling.

Owners issued an “all-risks policy,” and in order to reach the decision the Supreme Court of Ohio made, the insurer had to go through a “pretty tortured interpretation of the language of the policy,” said Cristina M. Shea, partner at Reed Smith.

The decision, Shea said, was completely wrong.

“I think the Supreme Court of Ohio got the face of the policy wrong,” Shea said. The problem, she explained, is that the policy’s definition of “media” includes the word software, which “implies or assumes that the software may be covered” and “may suffer physical loss or damage.”

“Otherwise, there’s no reason to have the word software in there, if the rationale they apply to this decision should make sense,” she continued.

Although Shea noted that the case may have limited reach outside of Ohio, she and Bailey provided SC Media with their views on what organizations should consider now in the face of the evolving insurance landscape.

Experts say healthcare entities should review policy language

As widely reported by SC Media, healthcare has been one of the sectors hardest hit by evolving cyber insurance requirements. Even health systems with well-equipped security programs have struggled to meet the new guidelines. The changes have led many organizations to consider alternatives to cyber insurance, such as self-insurance or other non-cyber policies.

But without understanding their risk profiles and policy language, many entities could find themselves without a safety net in the event of a network outage or related cyberattack.

When a policyholder purchases an all-perils policy, it is assumed that the coverage includes “all perils except those that are very specifically excluded,” Shea explained. This case didn’t turn out that way, which should serve as a lesson to review all policies and verify the contract wording, especially for organizations that don’t have a traditional, standalone cybersecurity policy.

EMOI’s policy was not cyber insurance, which is itself a potential weakness. Shea stressed that policyholders should really look at their insurance coverage to make sure their business activities and “existing risks are covered by the policies they have purchased.”

“It’s a lot more nuanced, I think, under a traditional policy that has a kind of cyber endorsement,” she added.

In the EMOI case, it appears the underwriting language used in the policy was potentially outdated for a modern digital landscape, Bailey explained. The carrier was unwilling to pay the claim and focused on that dated language, which paved the way for the state court’s decision.

All organizations should review their existing policies, focusing on what they actually cover, what to expect after an incident, and whether the policy covers key risk areas.

Traditionally, cyber insurance policies have been designed for the sole purpose of paying for the incident and supporting ongoing operations, Bailey explained. But now, entities are using policies to pay for communication, dispute tracking, and similar response needs.

With the emergence of destructive ransomware and what it has done to organizations around the world, these policies can no longer support this model.

While this puts additional pressure on security teams to meet these goals, it also provides an opportunity to gain greater investment in security needs from the C-suite and the board. Security leaders need to flip the script and assess how critical systems are to the patient care function and overall business operations, like billing, and then have those difficult conversations with management.

When speaking with the CFO, the questions should address the revenue lost for each day a system is down, the cost of care diversion, and the billing lost for each day a system is down. As seen with the recent temporary closure of an Illinois hospital, there is concrete evidence to present to organizational decision makers to secure broader cyber funding.

Bailey was quick to add that, from a security purist’s perspective, everything cyber insurers now require of systems consists of functions and tools that organizations should already have in place in the modern threat landscape.

In healthcare, however, the ability to implement these requirements is a huge challenge. Many entities were operating on 1% to 2% margins even before COVID-19 hit. There are reasons behind the lack of implementation of security best practices, “and it’s not because they’re stupid.”

These requirements are “an investment.” Bailey pointed out that what carriers are really saying is “if you want to prevent today’s threats, you need to focus on identities,” multi-factor authentication, EDR technology, and good incident response plans. “It’s going to potentially be the difference between continuing to operate as a business or not.”
