Risk managers scared straight--into IT


Judith Camp attended a conference session about three years ago and "came out of there scared out of my wits" after learning about risks related to information technology security.

Ms. Camp, director of insurance and risk management for Triad Hospitals Inc. in Plano, Texas, turned her fear of liability into action. "I just made myself get educated," she said.

Articles about IT security-related exposures became her regular lunch companion. "I was like a sponge," Ms. Camp said of her voracious appetite for knowledge on these issues.

The research proved one major assumption wrong. Ms. Camp said that after Triad's 1999 spinoff from Hospital Corp. of America, with Triad purchasing IT services from HCA, she had incorrectly thought HCA was responsible for any IT security liability stemming from its systems. "Once I gleaned that, I had some concerns," Ms. Camp said.

She called a friend, who introduced her to an expert on IT security risks. Meanwhile, Triad put its IT services contract out for bids, eventually drafting a contract with Perot Systems Corp. Ms. Camp wanted to require the vendor to cover third-party consequential damages. She also shopped for errors and omissions coverage as a backup for Triad. She found that coverage for third-party consequential damage is available, but must be specifically requested.

"Make sure whomever you're getting information from understands the risks," she said.

Many brokers have products to cover or mitigate such exposures, but they don't necessarily understand the new and specialized IT security risk, she said.

Ms. Camp tapped resources to assist her, including a law firm specializing in enterprise risks and a consultant, before she met with Triad's vp of information technology. "I didn't want to go barging in and say, 'Are you doing this? Are you doing that?'"

As a result of the dialogue she started with the IT department, the hospital system hired an IT security officer. "I put together issues that I thought we needed to talk about," Ms. Camp said of the dialogue that's ongoing.

For Triad's system of 53 hospitals and 13 outpatient surgery centers--particularly under the privacy provisions of the Health Insurance Portability and Accountability Act of 1996--IT security is a "big part of our everyday lives," Ms. Camp said.

Risk managers' involvement with IT security is likely to vary by industry and company, she said. However, after organizing conference sessions for the Risk & Insurance Management Society Inc. and the American Society for Healthcare Risk Management on IT security exposures, Ms. Camp found that most risk managers now are informed about the issues but "feeling a little overwhelmed with what they don't know."

That awareness stems largely from the enterprise risk management approach, which is putting greater emphasis on unfunded risk, including IT exposures, because of the Sarbanes-Oxley Act, the corporate governance law that requires senior management to certify financial reports.

Ms. Camp believes that IT departments "are very good at identifying true IT risks," but risk managers can spot other exposures. For example, she said, the IT staff would see the technical risks of making patients' rooms computer accessible, but may not consider that it could create a stressful environment for patients who are supposed to be resting rather than working.

--By Roseanne White Geisel