All posts by Jeff Dunsavage

2020 Insurance Fact Book Includes New Section On Emerging Risks

The Insurance Information Institute (Triple-I) 2020 Insurance Fact Book is now available.

The 234-page digital publication features facts, figures, statistical tables, and charts on U.S. and global insurance markets. It also includes detailed data on direct premiums written and factors affecting U.S. auto, homeowners, and business insurance costs.

Three unique insurance risks—cybersecurity, extreme weather, and social inflation—are highlighted in a new section called Emerging and Evolving Insurance Issues. Other new components include:

“As we welcome a new decade, the challenges before the insurance industry are vast,” said Triple-I CEO Sean Kevelighan. “The catastrophic shock and losses from the last few years, from California wildfires and the Atlantic hurricane season, are telling. What the last decade has foreshadowed could be, as some say, the new abnormal. Our new Insurance Fact Book reflects the new risks insurers face.”

The 2020 Insurance Fact Book is available for purchase from the Triple-I’s online store.  Copies may be obtained free of charge by Triple-I member companies and associate members via the Triple-I’s members-only website. Previous editions have been popular with policymakers, journalists, academics, business leaders, and others.

Auto Premiums Climbing; Are They “Affordable”?

Car insurance premiums have risen steadily since 2009 at a faster pace than inflation, according to a recent paper in the Journal of Insurance Regulation.

When you hear a stat like that, what’s your instinctive response? To blame “greedy insurers” who are making money hand over fist and still aren’t satisfied? It might be, if you don’t follow insurance profitability trends. If you do, you know they’ve been losing money on auto insurance for years, despite increasing rates.

Rising rates have caused some to call for regulation to help make car insurance more affordable. Transportation is essential to opportunity in the United States, and most Americans rely on cars. Cost of driving, therefore, isn’t a trivial issue.

But the authors of the paper – Cost Trends and Affordability of Automobile Insurance in the U.S. – found rate regulation could do more harm than good.

Frequency and severity

The year 2009 was the beginning of the end of the “Great Recession.” In a recovering economy, more people drive – to work, stores, restaurants, et cetera. More vehicles traveling more miles means more accidents and more insurance claims.

The insurance term for this is “frequency.” In addition to more cars on the road, the report finds, distracted driving due to use of digital devices may contribute to increased accident frequency.

Another key term is “severity” – the average cost of claims. Severity has been high for several reasons:

Safety and fuel efficiency are expensive. Cars are safer and cheaper to operate than ever before – thanks to sensors and computers and new materials, all of which are expensive to repair or replace after an accident. This affects loss costs, which are reflected in premiums.

Medical costs are on the rise – especially for hospitalization. The paper cites U.S. Bureau of Labor Statistics data showing that medical and auto insurance inflation growth track closely and hospital cost inflation by far outstrips both. Since many crash victims wind up in the hospital, it’s possible these costs aren’t fully reflected in insurance rates.  The paper also cites research indicating that hospitals may charge insurers more than other payers.

Litigation and generous juries. The report doesn’t go into detail about litigation, but the trend known as “social inflation” – marked by growing jury awards and “litigation funding,” in which investors pay plaintiffs to sue large companies in return for a share in the settlement – is well documented.

These factors drive up rates as insurers seek a return that justifies risk taking and operational spending. Nevertheless, the report finds no correlation between rising rates and insurer profitability.

Cracking the affordability nut

Literature on insurance affordability is diverse, with little consensus on the key term. The paper cites research that strongly suggests aggressive rate regulation actually reduces affordability.

“When rate regulation suppresses costs for the riskiest insureds,” the study states, “average premiums, losses, and injuries increase.”

So, what might improve auto insurance affordability?

Some contributors to rising rates – such as repair costs – “should partially self-correct over time,” the paper says. Others, like medical costs and “non-economic” damages (pain and suffering awards) could be addressed through changes in personal injury protection (PIP) laws, antifraud efforts, transparency in medical pricing, or civil justice reform. Stricter “distracted driving” laws and improved enforcement of existing ones could help reduce losses and premiums.

Insurers are investing in technology and improved analytics to streamline their workflows, improve service, and bolster their bottom lines. Some are even discussing getting out of auto entirely – which, should it become a trend, would not bode well for affordability or availability.

Fish Smashes Windshield; Will Insurance Cover It?

Sometimes the blog posts just write themselves.

ABC News in North Carolina reports that a driver in the state looked up and saw a bird carrying a huge fish.

“It was one of those slow-motion moments in life. I saw the fish and I saw him drop it,” said Rhesa Walston of Beaufort, North Carolina.

The catfish smashed straight into her windshield.

It happened so quickly she didn’t have time to react.

“There was glass all over my front seat…glass on my lap,” Walston told ABC News.

After making sure her daughter in the back seat was safe, Walston contacted her family and her insurance company. Family members tracked down the fish (apparently, catfish dropped from high altitudes bounce) and took pictures to corroborate her catch.

Walston told ABC News she will have to pay the $250 deductible on her comprehensive auto policy — not a huge price for a story the family will be telling for years to come.  Animal damage is covered if you have optional comprehensive coverage. If you only have collision coverage, then you’re not covered.

The eagle could not be reached for comment.

I.I.I. RADIO SATELLITE MEDIA TOUR: CALIFORNIA WILDFIRES

Homeowners insurance non-renewals were on many listeners’ minds during last week’s Insurance Information Institute (I.I.I.) radio satellite media tour (SMT) on the aftermath of the 2017-18 California wildfires.

With 20 media outlets throughout the state participating, I.I.I. CEO Sean Kevelighan, Head of Media and Public Affairs Michael Barry, and Director of Strategic Communications Janet Ruiz were on hand to answer questions from journalists.

As the frequency and cost of California wildfires increase, it’s getting harder for homeowners in fire-prone areas to buy and keep insurance. In August 2019, the California Department of Insurance released data showing insurers are non-renewing an increasing number of residents in areas with high wildfire risk.

The guidance the I.I.I. provided to Californians faced with this dilemma included:

  • If your insurer says they won’t renew your policy, ask them to reconsider. Your situation may involve factors they don’t know about.
  • Try another insurer. The insurance market is competitive, and insurers don’t profit from not writing business. Risk appetites and underwriting vary.
  • When all else fails, California’s Fair Access to Insurance Requirements (FAIR) plan is available as an insurer of last resort, after “a diligent effort to obtain coverage in the voluntary market has been made.”

The I.I.I.’s speakers also emphasized during the SMT that property owners can make their homes more resilient to wildfires by mitigating their own risks, that California’s insurers disbursed nearly $25 billion to their customers to help them recover financially from the 2017-18 wildfires, and that state regulators are working with insurers to price accurately the risks of covering homes in wildfire-prone communities.

Within hours of I.I.I.’s SMT, California Insurance Commissioner Ricardo Lara announced mandatory protections from insurance non-renewals extending into new areas of Northern and Southern California. The one-year moratorium covers residential policies in ZIP codes adjacent to recent wildfire disasters. The law cited by Commissioner Lara (Senate Bill 824) protects homeowners adjacent to a declared wildfire emergency who didn’t suffer a total loss — recognizing the disruption non-renewals cause in communities after wildfire disasters.

Below is a list of the participating radio stations and podcasters who taped the I.I.I. conversations for either broadcast or streaming in January 2020:

KCAA 1050-AM/KRLA 870-AM/KSPA 1510-AM Los Angeles/KDIA 1640-AM/KFAX 1100-AM Radio San Francisco-Oakland-San Jose “Bill Martinez Live”

Business Radio X-IND Podcast National, “The Mark Bishop Podcast”

KOCI 101.5-FM Los Angeles/Liberty Express Radio Network-AM/FM Radio Syndicated “School for Startups”

KSZL 1230-AM Radio Los Angeles “America Tonight with Kate Delaney”

KMET 1490-AM Los Angeles – KEST 1450-AM Radio San Francisco-Oakland-San Jose, “Talk! With Audrey”

Transformation Talk Radio-Online Podcast National, “The Dr. Pat Show”

KVTA 1590-AM Radio Los Angeles, “The Kim Pagano Show”

KSTE 650-AM Radio Sacramento-Stockton-Modesto, “The Chad Benson Show”

Interconnected Perils Demand Holistic Risk Management

Few risks exist in isolation.

The most primal ones – those associated with wind, fire, and water – often travel in pairs. Modern, more complicated risks – supply chain, business interruption, cyber, political, and financial – are like tapestries so tightly woven that any effort to address this or that hazard can threaten to unravel much of what you’re trying to protect.

A new report from Verisk looks at complex emerging risks and why they matter to insurers and risk managers.

When nature meets technology

Ever heard the word “natech”? I hadn’t until I read the 2019 Verisk Perspectives.

“Accidents in the industrial sector can be catastrophic, and up to five percent of all accidents in this sector are caused by natural events,” writes Alastair Clarke of Verisk’s AIR Worldwide in an article titled “Where Climate Change and Natech Risk Meet.”

Between 1990 and 2008, Clarke reports, natural hazards were the cause of 16,600 reported hazardous releases.

“In each case,” he writes, “a natural event triggered a technological malfunction that led to the release of hazardous material.”

That’s a natech, and the insurance implications are significant.

Many examples exist of catastrophic casualty claims from natechs. The report cites the 2010 collapse of a dam at the Ajka alumina plant in Hungary.  The dam broke after days of heavy rain, releasing toxic sludge and causing 10 deaths and 150 injuries, along with the contamination.

In 2005, Hurricane Katrina triggered 200 hazmat releases. When storm surge ruptured a storage tank at a Louisiana oil refinery, Clarke writes, “the release of 25,000 barrels of crude oil affected 1,800 homes and resulted in a $330 million settlement.”

“Natechs show how liability can arise from natural events that can be traced back to the suppliers of a faulty service,” Clarke writes. “With climate change, the threads are deeply tangled.”

IoT unites us, for better and worse

Globalization has connected the world through commerce and culture as never before, and the Internet of Things (IoT) aims to finish the job. But supply-chain risks – already subject to the vagaries of weather, politics, and global finance – only become more complex as machines whisper among themselves.

In “Cyber Risks Loom Large in an Interconnected World,” Tim Campbell of Verisk Maplecroft and Kamban Parasuraman of AIR report that a survey of more than 1,000 U.K. and U.S. risk professionals indicated the average company shares confidential information with about 583 third parties. Of those surveyed, 59 percent experienced a data breach linked to a vendor or other third party in 2018.

“Just as companies need to be aware of the cyber risks introduced by third parties in their supply chains,” Campbell and Parasuraman write, “insurers may need to consider how the insureds within its own book of business are interconnected. In fact, the lack of full visibility into each insured’s interdependencies may create risks that are unidentifiable from an underwriting standpoint.”

Utilities alone are expected to deploy more than 800 million connected IoT devices by the end of 2019, reports Ben Kellison of Verisk’s Wood Mackenzie in “Power Utilities Face Emerging Cyber Threats.”

Each one is a potential cyberattack portal.

“The power grid is also becoming more decentralized,” Kellison writes. “Tens of millions of small generators and loads are being integrated into more power markets and local power systems that may or may not be owned or operated by the utility.”

The risks go on

The Verisk report, produced by the data and analytics provider’s ISO Emerging Issues team, examines these and other risk areas. As I reflect on these articles in the context of many hours spent reading about, discussing, and listening to others discuss risk and insurance, it becomes clear – from a resilience perspective – that a more holistic, epidemiological approach to risk management is needed.

Your building can be designed and built well above code; if your neighbors’ buildings aren’t, you’re at risk when a tornado turns their HVAC units into projectiles. This reality becomes more insidious when your billing system is threatened by malware introduced through a customer’s “smart” lightbulb.

Cyber Claims Get Paid; Why Do Many Businesses Believe They Don’t?

There’s a road in my town that’s widely regarded as a speed trap. We all know drivers who say they were unfairly stopped and ticketed on it. I’ve never been and, come to think of it, neither has anyone I talk to about it.  Maybe it’s because we live in town and “everyone knows” about the trap.

Sure, people get ticketed. The road is straight and wide, and I guess some feel they should be able to drive faster than the clearly posted speed limit. Or maybe they think the “real” limit is somewhat north of the number posted.

Is that really a “speed trap”?

I think of this road when I hear people say they don’t buy cyber insurance because “everyone knows” cyber claims don’t get paid.

Poster child for “cyber” denial

The example on everyone’s lips when this topic comes up is Mondelez International, the food and beverage giant hit by the NotPetya ransomware attack in 2017. Mondelez incurred losses exceeding $100 million, and its insurer denied coverage based on a war exclusion.

The irony? The policy in question covered property, not cyber. One can argue – as Mondelez does in a lawsuit – that the war exclusion is being unfairly applied, but businesses aren’t ceasing to buy property insurance on account of it!

Cyber claims data are hard to come by, but for nine years NetDiligence has published a Cyber Claims Study analyzing paid claims. The 2019 study looks at more than 2,000 such claims aggregated in over 20 ways, including types and amounts of losses, incident causes, data types exposed, business sectors affected, revenue size of claimants, and financial impact.

Verisk, whose cyber products help insurers write coverage based on their policyholders’ risk characteristics, doesn’t publish claims data but aggregates and incorporates them into its analytics.

Why the perception/reality gap?

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure. Indeed, in a recent survey by J.D. Power and the Insurance Information Institute, small-business owners named “too many exclusions” among the top reasons they don’t buy cyber coverage.

Claims are often denied because of exclusions policyholders might not have known about or understood. Some insurers, for example, include “failure to follow” exclusions for claims arising from inadequate security standards.

Everyone’s responsibility

If insurers want businesses to buy cyber policies and not be hit with unpleasant surprises at claims time, they need to be aggressively transparent about what’s included and excluded. Relegating this to fine print is not a good strategy.

Brokers and agents need to educate themselves about their clients’ needs and be fastidious in aligning coverage recommendations with those needs.

And insurance buyers – those with most at stake – need to understand cyber perils and insurance. For example, insurers require a cyber hygiene self-assessment from applicants. If, after an incident, that assessment proves inaccurate – say, if encryption practices were misrepresented – coverage can be denied.

Insurance isn’t a replacement for cyber diligence. But it can complement it as part of a well-planned risk management program.

Algorithms, A.I. and Insurance: Promise and Peril

By Max Dorfman, Research Writer

A couple of articles crossed our desk recently that discussed the benefits and pitfalls of algorithms and artificial intelligence (AI). Neither discussed insurance, but they offered important lessons for the industry.

An algorithm is a simple set of instructions for a computer.  Artificial intelligence is a group of algorithms that can modify and create new algorithms as it processes data. Broadly, these smart technologies can drive untold change for the industry.

As the Financial Times wrote earlier this year, “Insurance claims are, by their nature, painful processes. They happen only when something has gone wrong and they can take months to resolve.”

Chinese insurer Ping An uses AI to accelerate decision making, and New York-based insurance start-up Lemonade employs algorithms and AI to help pay clients more quickly. Other insurers use smart technologies for fraud detection, risk management, marketing, and other functions.

What could go wrong?

Algorithms and AI can work quickly, but they aren’t perfect. A recent article by Osonde A. Osoba, an information scientist and professor with the RAND Corporation, details what data scientists call an “algorithm audit.” An algorithm audit detects biases or blind spots that skew results, making it necessary to review and test the underlying data.

In the case Osoba discusses, Apple Pay was assailed on Twitter by tech executive David Heinemeier Hansson for giving him a credit limit 20 times larger than his wife’s, despite their sharing all assets, among other factors. Hansson concluded that the algorithm was sexist – causing a furor on the social media platform among both those who vehemently agreed and disagreed with him.

Apple Pay said it doesn’t have information about applicants’ gender or marital status. Yet no one from Apple could answer why Hansson received a significantly higher credit limit. They responded: “Credit limits are determined by an algorithm.”

Still, these algorithms and AI are informed by something – perhaps the implicit biases of the programmers. For example, systems using facial recognition software have yielded decisions that appear biased against darker-skinned women.

Are algorithms easier to fix than people?

An article in The New York Times by Sendhil Mullainathan, a professor of behavioral and computational science at the University of Chicago, discusses human and algorithmic biases. He cites a study in which he and his co-authors examined an algorithm that is commonly used to determine who requires extra levels of health care services. This algorithm has affected approximately 100 million people in the U.S. In this case, black patients were routinely rated to be at lower risk. However, the algorithm was inherently flawed: it used data on who receives the highest amount of health care expenditures.

Black patients already spend less money on health care than white patients with the same chronic conditions, so the algorithm only served to reinforce this bias. Indeed, without the algorithmic bias, the study estimated that the number of black patients receiving extra care would more than double. Yet Mullainathan believes that the algorithm can be fixed fairly easily.

Contrast this to a 2004 study Mullainathan conducted. He and his co-author responded to job listings with fabricated resumes: half the time they sent resumes with distinctively black names; the other half with distinctively white names. Resumes with black names received far fewer responses than those with white names.

This bias was verifiably human and, therefore, much harder to define.

“Humans are inscrutable in a way that algorithms are not,” Mullainathan says. “Our explanations for our behavior are shifting and constructed after the fact.”

Don’t write algorithms off

As RAND’s Osoba writes, algorithms and AI “help speed up complex decisions, enable wider access to services, and in many cases make better decisions than humans.” It’s the last point that one must be particularly mindful of; while algorithms can reproduce and intensify biases of their programmers, they don’t possess inherent prejudices, as people do.

As Mullainathan puts it, “Changing algorithms is easier than changing people: software on computers can be updated; the ‘wetware’ in our brains has so far proven much less pliable.”

What’s Insurtech, Anyway?

Perhaps it’s a symptom of buzzword fatigue that everyone in the insurance industry seems to use the word “insurtech” without agreeing on – or maybe even really thinking about – what it means.

Some use it as a noun, suggesting a type of company – typically a startup – that applies cutting-edge technology to insurance-related challenges. Others use it as an adjective to describe the technologies and applications themselves. Still others seem to take the position of U.S. Supreme Court Justice Potter Stewart, writing on a very different topic: “I know it when I see it.”

Whatever it is, insurtech is a rapidly growing feature of the insurance landscape, and many traditional insurers and venture capitalists are investing in it.

Modernizing the value chain

Insurtech emerged around 2010 as an offshoot of a similar movement in banking, known as “fintech.” With providers of just about every other product and service embracing “Amazonation,” consumers have come to expect absolutely seamless service – wherever and whenever. Like those industries, insurers need to satisfy their customers while growing profitably and managing operational costs.

But insurtech doesn’t just mean offering products more quickly online. It means transforming the offerings and the customer experience.

Insurtech most consistently refers to the use of apps, wearables, big data, machine learning, and other technologies to automate and improve processes across the insurance value chain – from marketing and policy origination through underwriting, services, and claims.

Some applications focus on reducing friction in transactions; the time required to fill out an application and receive a quote is a classic example. Others seek to streamline and enhance back-end functions, such as risk assessment, pricing, loss control, and settling claims.

Claims: Ripe for insurtech

The claims process is particularly well suited for transformation. Insurers typically hire adjusters to determine the extent of their liability for a loss, damage, or injury and come up with a settlement. This can be time consuming, expensive, error prone, and, in some cases, dangerous.

Today, new approaches aid the claims process.

For example, drivers can submit photos to their insurers via app immediately after an accident. Some insurers also use machine learning and publicly available datasets to detect and flag potentially fraudulent claims.

As technology helps improve underwriting, policy administration and claims, new products are being developed and traditional ones can be handled differently.

One emerging approach – enabled by the intersection of telecommunications and big data known as “telematics” – is usage-based insurance (UBI), priced according to drivers’ own voluntarily provided behavioral data. A more recent stage in UBI’s evolution is pay-as-you-drive insurance, with monthly billing that varies based on mileage driven.

A similar trend involves using data from smart-home technology, such as water-monitoring systems that can anticipate and prevent leaks that might otherwise lead to claims. Advances in telematics and the Internet of Things are increasing the quantity and range of the data insurers will have at their disposal.

Obstacles remain

Insurtech offers tremendous opportunities for innovation, but – as one of the most heavily regulated and publicly scrutinized industries – it faces obstacles. Many technologists driving the movement come from outside insurance. Few have navigated the legal, regulatory, and cultural minefields surrounding personal privacy and security.

Unlike many other industries, in which maximizing speed and satisfaction has become the prime directive, insurers are required by law to protect customers from privacy breaches and bias. Perusing social media for insights to help optimize user experience or using machine learning to anticipate and address changes in users’ buying behavior may be acceptable if you’re selling cars or cosmetics – but for insurers, their clients, and regulators it raises a host of red flags that have to be addressed.

When Must Insurers Defend Motels in Trafficking Cases?

Human trafficking is a crime with enormous individual and societal impacts, and it relies on legitimate businesses to sustain it. Motels, for example – and, arguably, insurers.

“Hotels and motels are routinely used for sex trafficking,” reports the Polaris Project, a nonprofit that aims to “eradicate modern slavery.” Two recent lawsuits involving insurers of motels used by traffickers highlight the complexity of determining who bears legal costs associated with such activities.

Duty to defend

Both cases revolve around “duty to defend” — an insurer’s obligation to provide a legal defense for claims made under a liability policy. Before proceeding, let me say: I’m not a lawyer.  Everything that follows is based on published reporting, and no one should act on anything I write without first consulting an attorney.

In the first case, a woman sued motel operators for letting her be trafficked at their motels when she was a minor. The Insurance and Reinsurance Disputes Blog says, “The allegations of physical harm, threats, being held at gun point, and failure to intervene were wrapped up into claims ranging from negligence per se to intentional infliction of emotional harm.”

One of the motels sought defense from its insurer, Nautilus Insurance Co. Nautilus argued it was not obligated to defend based on a policy exclusion for claims arising out of assault or battery. The court agreed, and an appellate court affirmed.

In other words, the motel owners were on the hook for their own legal costs.

In the second case, a court found the insurer – Peerless Indemnity Insurance Co. – must defend its client in a suit brought by a woman claiming she was imprisoned by a man grooming her for prostitution while the owners turned a blind eye. A lower court had dismissed the case, finding insufficient evidence the motel was engaged in trafficking. An appeals court overturned that decision.

“The relevant question,” the judge said, is whether the victim’s injuries constitute personal injury. This is because the definition of personal injury under the policy included injuries arising from false imprisonment.

Because her injuries, at least in part, arose from false imprisonment, the judge said, “the answer to that question is ‘Yes’.”

So, the court said, Peerless must pay to defend the motel.

Language matters

The differences between these rulings seem to have more to do with nuances in policy language than trafficking facts.

In the Nautilus case, the appeals court found the exclusion – stating Nautilus “will have no duty to defend or indemnify any insured in any action or proceeding alleging damages arising out of any assault or battery” – unambiguous. It declared: “Nautilus had no duty to defend and indemnify” because the claims “arose from facts alleging negligent failure to prevent an assault or battery.”

The Peerless case involved two policies – a general liability and an umbrella – both of which contained exclusions for “‘personal and advertising injury’ arising out of a criminal act committed by or at the direction of the insured.”

The “personal” in “personal and advertising injury” includes false imprisonment.

To a non-lawyer like me, this seems as unambiguous as the Nautilus case: the Peerless policies excluded personal injury “arising out of one or more” of a variety of offenses, including false imprisonment.

The U.S. District Court for the District of Massachusetts disagrees. Its analysis goes into semantic tall grass, parsing phrases like “arising out of” and “but for” and is peppered with case law citations like:

  • “Ambiguities are to be construed against the insurer and in favor of the insured” and
  • “The insurer bears the burden of demonstrating that an exclusion exists that precludes coverage.”

It would exceed the bounds of my non-existent legal training – and the length of a blog post – to critique the court’s analysis. I recommend reading the decision.

But it doesn’t take a lawyer to see insurers have a stake in reviewing and possibly tightening their policy language to avoid having to fund defenses of criminals and businesses that enable them.

Trafficking is a $32 billion-a-year (and growing) industry, according to the Polaris Project.  With that kind of money involved, cases like these won’t just go away.

Life & Death: Cyberattacks Interrupt More Than Business

Cyberattacks on hospitals can lead to increased death rates among heart patients, recent research suggests. This research emerges as attacks on health facilities are reported to have increased 60 percent in 2019.

Researchers at Vanderbilt University’s Owen Graduate School of Management drilled down into Department of Health and Human Services records on data breaches from more than 3,000 Medicare-certified hospitals. They found that, for facilities that experienced a breach, the time for suspected heart attack patients to receive an electrocardiogram (ECG) increased by more than two minutes.

When seconds count

The study focused on the impact of remediation efforts on health care outcomes following a data breach.  It found that common remediation approaches, such as additional verification layers during system sign-on, can “delay the access to patient data and may lead to inefficiencies or delays in care.”

“Especially in the case of a patient with chest pain,” the report says, “any delay in registering the patient and accessing the patient’s record will lead to delay in ordering and executing an ECG.”

The researchers found that “a data breach was associated with a 2.7-minute increase in time to ECG three years after the breach.”

A bit over two minutes may not seem like much – but during a coronary or a stroke it can be the difference between life and death.

Increasingly targeted

Vanderbilt’s research was based on data collected before ransomware attacks against health care facilities became common. The authors caution that such attacks – in which systems or data are held hostage until a ransom can be paid – “are considered more disruptive to hospital operations than the breaches considered in this study.”

The medical sector is the seventh-most targeted industry, according to a report by internet security firm Malwarebytes, based on data gathered between October 2018 and September 2019. But Malwarebytes warns that attacks on this sector are on the rise.

“Threat detections have increased for this vertical,” the report says, “from about 14,000 healthcare-facing endpoint detections in Q2 2019 to more than 20,000 in Q3, a growth rate of 45 percent.”

Comparing all of 2018 against the first three quarters of 2019, Malwarebytes said it has observed a 60 percent increase in such attempted intrusions.

“If the trend continues,” Malwarebytes reports, “we expect to see even higher gains in a full year-over-year analysis.”