Towards the Insurance of Healthcare Systems

Insurance of digital assets is becoming an important aspect of reducing investment risk in modern businesses. GDPR and other legal initiatives make this need even more pressing, as an organization is now accountable for how it uses its clients' data. In this paper, we present a cyber insurance framework called CyberSure. Its main contribution is the runtime integration of certification, risk management, and cyber insurance of cyber systems. The framework thus determines the current level of compliance with the acquired policies and provides early notification of potential violations of those policies. CyberSure develops CUMULUS certification models for this purpose and, based on automated (or semi-automated) certification carried out using them, it develops ways of dynamically adjusting risk estimates, insurance policies and premiums. In particular, it considers the case of dynamic certification, based on continuous monitoring, dynamic testing and hybrid combinations of the two, to adapt cyber insurance policies as the operating conditions of the cyber system evolve and new data become available for adjusting to the associated risk. The applicability of the whole approach is demonstrated in the healthcare sector, by insuring an e-health software suite that an IT company provides to public and private hospitals in Greece. The overall approach can reduce potential security incidents and the related economic loss, because the beneficiary deploys adequate protection mechanisms whose proper operation is continually assessed, benefiting both the insured and the insurer.
