First Industry-Specific Cyber Insurance Program to Leverage HITRUST CSF

Frisco, TX – July 22, 2015: The Health Information Trust Alliance (HITRUST), the leading organization supporting the healthcare industry in advancing the state of information protection, today announced a partnership with Willis North America. The unit of Willis Group Holdings, plc., the global risk advisory, reinsurance broking, and human capital and benefits firm and industry leader in the cyber insurance marketplace, will collaborate with HITRUST to identify a common approach and develop solutions to better align insurance premiums with cyber risk profiles, tailor insurance coverage and establish a more streamlined process of securing cyber insurance for organizations that process and store protected health information (PHI).

The increase in cyber-related threats, attacks and breaches at organizations that process and store PHI has led to significant challenges for businesses trying to secure cyber risk insurance. Substantial premium increases and a reduction in available policy limits have reduced the ability for organizations to secure adequate coverage. At the same time, more healthcare organizations are including cyber insurance requirements as part of their third party assurance programs.

Currently, there is no generally accepted assessment and risk scoring method in the industry. As such, the evaluation and reporting of risk can vary significantly from one organization to another. There is also limited data available to understand cyber risk profiles, including the maturity of an organization’s information security and privacy programs and residual risk. Program maturity and changes in security controls can significantly impact organizational cyber risk profiles, and subsequently cyber insurance premiums and coverage.

The new Willis-HITRUST platform will improve insurance coverage and premiums for healthcare organizations by:

  • Making the process of securing cyber insurance easier, more efficient and improving consistency by leveraging an existing comprehensive information privacy and security framework, the HITRUST CSF, the healthcare industry’s most widely adopted privacy and security framework and model implementation of the NIST Cybersecurity Framework.
  • Improving the accuracy of risk assessments by using a robust assurance methodology that incorporates the ability to score the effectiveness of the organization’s controls.
  • Supporting the identification and ranking of information security controls associated with cyber risk and the impact of any changes in scoring.
  • Rewarding organizations that can document and demonstrate effective information security programs related to insurable cyber risks.

“We have already recognized the benefits in reductions in our cyber insurance premiums and streamlined process by leveraging our CSF Assessment with our cyber insurance carrier,” said Pamela Arora, senior vice president and chief information officer, Children’s Health. “HITRUST establishing a formal program will streamline the process and allow for greater benefits in the way of coverages and premium reductions.”

“The partnership will demonstrate to underwriters the value of the HITRUST CSF in making the underwriting process more efficient, consistent, accurate and predictive. By integrating the security framework into the underwriting process we will be well positioned to drive better results for organizations in securing cyber coverage, said Geoffrey K. Allen, executive vice president, FINEX North America, a division of Willis Group

“This is a win-win for insurers and the insured. It will provide additional incentives for organizations to improve their information security and privacy programs, as it would provide a financial incentive to do so,” said Daniel Nutkis, CEO, HITRUST. “By implementing this program with Willis, not only will the insurance industry end up with better quality data on the security controls that equate to the greatest risks, but HITRUST will leverage the program to improve industry guidance and prioritization of the CSF controls.”

Willis and HITRUST expect the solutions to be available by the end of 2015.

About HITRUST CSF and CSF Assurance Program

The CSF and the CSF Assurance program offer the only highly flexible implementation and management framework for healthcare information protection by providing a standardized way of scaling and tailoring security and privacy safeguards based on an organization’s specific risk factors, including cyber risk. The CSF and CSF Assurance program enable an “assess once, report many” approach, so organizations can implement one set of controls, and conduct an assessment that allows measurement and reporting for numerous purposes such as HIPAA, NIST Cybersecurity Framework, SOC 2, MARS-E or other standards and regulations.

About Willis Group

Willis Group Holdings plc is a global risk advisory, re/insurance broking, and human capital and benefits firm. With roots dating to 1828, Willis operates today on every continent with more than 18,000 employees in over 400 offices. Willis offers its clients superior expertise, teamwork, innovation and market-leading products and professional services in risk management and transfer. Our experts rank among the world’s leading authorities on analytics, modelling and mitigation strategies at the intersection of global commerce and extreme events. Find more information at our website, www.willis.com, our leadership journal, Resilience, or our up-to-the-minute blog on breaking news, WillisWire. Across geographies, industries and specialisms, Willis provides its local and multinational clients with resilience for a risky world.

About HITRUST

Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry.

For more information, visit HITRUSTalliance.net.

All product and company names herein may be trademarks of their respective owners.