Cyber insurance provides an opportunity to address residual risk in your information security program by offsetting the costs of a data breach of ePHI. However, individual policies, coverage and exclusions are highly variable, so just like any security control, it's important to understand your security risk profile before an appropriate cyber insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why: A) You'll have to do it anyway, B) The safest approach is to avoid a breach in the first place, C) Your risk profile will enable a better tailored policy.
Many security vendors publish “top 10” or “top 5” lists of terrible things that can happen to you as a pretext for then telling you how their products or services help you avoid such a fate. It’s classic marketing – and actually a well-known debate strategy – define the problem for your prospect and then describe how you alone can solve it. While perhaps an effective marketing hook, it’s a bit disingenuous. A top 5 list implies a value calculation has been made – but usually, the items are just statements of fact that support buying that vendor’s wares. From now on, think of those lists as simply features of the seller’s offering.
Now, at Redspin, we’re not as pure as the driven snow, but we are grounded in objectivity. We have no products or services to sell or up-sell. We view IT security assessments as a series of true or false conditions. When we find vulnerabilities, we list them in risk-adjusted order, depending on the criticality of the data or systems that may be impacted and the likelihood that such a breach may occur. Our “Top 5” is therefore truly in context, relative to your specific environment.