Description: PowerPoint presentation.

HEALTHCARE CYBER RISKS AND PRIVACY BREACHES: EMERGENT PROBLEM OR CHRONIC CONDITION?
Introductions
MODERATOR:
• Theodore J. Kobus, III, Esq., Partner and National Co-Leader of the Privacy, Security and Social Media Team, Baker & Hostetler LLP
PANELISTS:
• Michael Carr, ARM, Vice President, E&O Underwriting, Argo Pro
• Beth D. Diamond, Esq., Claims Focus Group Leader-Technology, Media and Business Services, Beazley Group
• Lynn Sessions, Esq., Counsel, Baker & Hostetler LLP
• Mark Silvestri, Vice President of Product Development and Director of NetProtect, CNA
• Charles M. Vieau, MBA, First Vice President, Alliant Healthcare Solutions
Agenda
• Breach Basics
• Exposures
• Preparedness and Prevention
• Post-breach Response
• Predictions
Headlines
• Cignet assessed $4.3 million penalty
• $1 million penalty against Mass General
• WellPoint breach affects 600,000
• UCLA settles privacy case for $865,000
Compliance Complexity
• PCI-DSS
• HIPAA/HITECH
• State medical privacy laws (e.g. TX, CA)
• International data protection (e.g. EU, Canada)
• FTC
• GLBA
• State breach notification laws
Nearly every type of business has been a victim. The trend for healthcare is worse than many others.¹
[Chart: breach trend by industry. Industries shown: Telecom/Media; Tech; Healthcare; Government; Financial Services; Education; Other (e.g. CPAs, Law, Construction, etc.); Data & Information Brokers; Retail (NA); Industry/Manufacturing (NA). Legend: Getting Better / Getting Worse / NA = No Trend]
HIPAA/HITECH
• American Recovery and Reinvestment Act
• Health Information Technology for Economic and Clinical Health Act (HITECH)
 – Administrative regulations for national EHR infrastructure, standards and stimulus funding
 – Medicare/Medicaid meaningful use incentives for EHR adoption
 – Enhanced HIPAA privacy and security standards
Impact of HITECH
• Biggest change to health care privacy since the introduction of HIPAA
• Response by states
• Audit and enforcement authority
• Continued evolution
Hospital Breach Statistics – Just One Small Slice of Healthcare Exposure²
• Average breach frequency = 2 per month (April 2005 to Nov 2009)
• Severity – size of breach reflected in # of affected patients*: Median = 3,000; Mean = 24,000; 90th percentile = 52,000
* Excludes outliers
References:
1. Privacy Rights Clearinghouse. June 2007. Accessed July 26, 2007, www.privacyrights.org/ar/idtheftsurveys.htm.
2. Open Security Foundation DataLossDB, 1-1-05 through 11-23-09. Accessed Nov 23, 2009, http://datalossdb.org/
What is a Healthcare Breach?
• HITECH Defines:
– Breach as the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of the information
– That poses a significant risk of financial, reputational, or other harm to the individual
– Risk of harm analysis contemplated
State Laws
• Each state where an individual subject to the breach resides
• Differs from jurisdiction to jurisdiction
• Stricter than or in conflict with federal law
• Additional state penalties
• Aggressive attorneys general
Exposures and Emerging Issues
• HITECH Act Regulations – Final
• Electronic Health Records (EHR) and Patient Portals
• Wireless/Mobile Devices
• HIPAA Accounting Rule Changes
• HIPAA Compliance Audits
• Employer Issues – Social Media, Data Theft
• Cloud Computing
• International/Offshore Data
Increasing Frequency and Severity
• Privacy breaches are occurring more often – more than once a day
 – The average rate of publicly reported privacy breaches has grown from about 5 per month in 2005 to a peak of about 60 per month in 2008
 – By 2009 the 5-year average was about 40 per month¹
• They’re getting bigger too
 – The number of records compromised grew from 9.6M to over 723M in the same period¹
[Chart: Individuals Affected per Breach, by year (2006, 2007, 2008, 2009); y-axis: # of individuals affected, 0 to 800,000; data labels shown: 96K, 586K]
Over 50% of the largest healthcare institutions have reported a breach
Costs of Response
Estimated Costs (Ponemon Institute):
Year | Estimated cost | Per record
2008 | $6.3 m | $197
2009 | $6.6 m | $202
2010 | $7.2 m | $318
What’s included in these costs?
• Forensics
• Notification Costs
• Credit Monitoring
• Call Center
• Public Relations/Crisis Response
• Legal Fees
Did You Know…
• Most breaches do not involve the internet or the web. It’s hard for IT Security teams to prevent non–IT breaches.
• Approximately 30 to 40% of all breaches are caused by someone to whom you have entrusted sensitive information.²
[Chart: 24% Network Hacking; 76% Non-network Breach]
Proactive Protection
• Policies and procedures for mobile devices
• Breach response team
• Collaboration among stakeholder groups
• Restrict and monitor sensitive data
• Vendor/business associate management
 – 30-40% of all breaches by vendors or business associates
• Staff education
Federal Breach Response
• No federal requirement to notify patients of breaches prior to HITECH
• Mandate for notification by Covered Entities (CE) when PHI breached
• Business Associates (BA) must notify CEs of breaches
• Expansion of BA definition
• Requires significant change to internal privacy policies and BA Agreements
• Increased costs for CEs to comply and respond
• State Attorneys General as enforcement arm of feds
Notification
• Patients/Customers
• Governmental agencies
 – Office of Civil Rights
 – Attorneys General
• Law Enforcement
 – Local police departments
 – FBI
• Credit Reporting Agencies
Response Requirements
• Notification to each individual whose unsecured PHI has been accessed, acquired or disclosed
• Substitute notice required if insufficient contact for 10 or more
• If 500+ in a state, notice to prominent media outlets and immediate report to OCR
Notification
• Without unreasonable delay, but no later than 60 days
• In writing, by first class mail, unless the patient has agreed in advance to email communications
• By telephone, if imminent misuse of PHI is possible
• May get a law enforcement delay
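The two slides above (Response Requirements and Notification) describe a triage that an incident response team ends up running by hand for every incident: count affected individuals per state, check the 500-per-state and 10-insufficient-contact thresholds, compute the 60-day deadline, and pick the delivery channel. The following Python is an added illustration, not material from the presentation or the panelists; it encodes only the thresholds and channels stated on the slides, and the data structures, function names and sample incident are this example's own constructed assumptions.

```python
"""Triage of the federal breach-notification rules listed on the slides.

Added illustration, not part of the presentation. Thresholds are those the
slides state (60-day deadline, 500+ residents of one state, substitute
notice at 10+ with insufficient contact); names and sample data are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds exactly as stated on the slides.
NOTICE_DEADLINE_DAYS = 60          # "no later than 60 days" after discovery
MEDIA_AND_OCR_THRESHOLD = 500      # "500+ in a state" -> media notice + immediate OCR report
SUBSTITUTE_NOTICE_THRESHOLD = 10   # "insufficient contact for 10 or more" -> substitute notice


@dataclass(frozen=True)
class AffectedIndividual:
    """One person whose unsecured PHI was accessed, acquired or disclosed (hypothetical type)."""
    state: str                     # state of residence; also drives the state-law analysis
    has_postal_address: bool       # False = contact information is insufficient
    agreed_to_email: bool = False  # patient agreed in advance to e-mail communications


@dataclass
class NotificationPlan:
    """Result of the triage (hypothetical type)."""
    notice_deadline: date
    affected_by_state: dict
    media_and_immediate_ocr_states: list
    substitute_notice_required: bool
    notices_by_first_class_mail: int
    notices_by_email: int
    telephone_notice_also_required: bool
    deadline_may_be_delayed_by_law_enforcement: bool


def plan_notifications(discovered_on, individuals, imminent_misuse=False,
                       law_enforcement_delay_requested=False):
    """Apply the notice rules from the slides to a list of affected people."""
    by_state = Counter(ind.state for ind in individuals)
    media_states = sorted(s for s, n in by_state.items() if n >= MEDIA_AND_OCR_THRESHOLD)

    # Someone reachable by agreed e-mail is not "insufficient contact" even without an address.
    insufficient_contact = sum(
        1 for ind in individuals if not ind.has_postal_address and not ind.agreed_to_email)
    by_email = sum(1 for ind in individuals if ind.agreed_to_email)
    by_mail = sum(1 for ind in individuals if ind.has_postal_address and not ind.agreed_to_email)

    return NotificationPlan(
        notice_deadline=discovered_on + timedelta(days=NOTICE_DEADLINE_DAYS),
        affected_by_state=dict(by_state),
        media_and_immediate_ocr_states=media_states,
        substitute_notice_required=insufficient_contact >= SUBSTITUTE_NOTICE_THRESHOLD,
        notices_by_first_class_mail=by_mail,
        notices_by_email=by_email,
        telephone_notice_also_required=imminent_misuse,      # "if imminent misuse of PHI is possible"
        deadline_may_be_delayed_by_law_enforcement=law_enforcement_delay_requested,
    )


def sample_incident():
    """Constructed sample (not real data): 520 TX residents with addresses,
    12 CA residents with no usable contact details, 3 NY residents who opted
    in to e-mail; discovered 1 March 2011."""
    people = [AffectedIndividual("TX", True) for _ in range(520)]
    people += [AffectedIndividual("CA", False) for _ in range(12)]
    people += [AffectedIndividual("NY", True, agreed_to_email=True) for _ in range(3)]
    return plan_notifications(date(2011, 3, 1), people)


if __name__ == "__main__":
    plan = sample_incident()
    print("Notices due by:", plan.notice_deadline)
    print("Affected by state:", plan.affected_by_state)
    print("Media notice + immediate OCR report for:", plan.media_and_immediate_ocr_states)
    print("Substitute notice required:", plan.substitute_notice_required)
    print("First-class mail:", plan.notices_by_first_class_mail, "E-mail:", plan.notices_by_email)
```

The state breakdown is produced first because, as the State Laws slide notes, each state of residence carries its own notification statute; the federal 500-per-state test is only one of the checks that count feeds.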
Notice Content
• Description of event and date of discovery
• Type of PHI involved
• Steps recipient takes to protect from potential harm
• Description of the investigation, mitigation and protection from further breaches
• Toll-free number to contact for questions
Don’t forget state laws!
Post Breach Issues
• Administrative fines and penalties
• Attorney general audits, investigations, suits
• OCR audits
• Third party claims
• Class action lawsuits
Crisis Management Team
1. Information Technology
2. Legal
3. Communications
4. Customer Relations
5. Leadership
Crisis Management Process
1. Meet Daily
2. Set Goals
3. Assign Teams
4. Track Progress
Start before you have a crisis!
Setting Priorities
1. End the Compromise of Security/Remedy Risk Control Deficiencies
2. Restore Functioning of Systems
3. Root Cause and Scope Analysis
4. Evaluate Notice Obligations
 • Federal
 • State
 • Contractual
5. Key Customer Outreach
6. Press Release / Internal Communications
7. Issue Notices
One Key Takeaway
Not If, When
Plan
Questions & Answers
Many thanks to …
• Michael Carr
• Beth Diamond
• Ted Kobus
• Lynn Sessions
• Mark Silvestri
• Charles Vieau