HEALTHCARE CYBER RISKS AND PRIVACY BREACHES Emergent Problem or Chronic Condition?


Page 1: HEALTHCARE CYBER RISKS AND PRIVACY BREACHES Emergent Problem or Chronic Condition?

Page 2:

HEALTHCARE CYBER RISKS AND PRIVACY BREACHES
EMERGENT PROBLEM OR CHRONIC CONDITION?

Page 3:

Introductions

MODERATOR:
• Theodore J. Kobus, III, Esq., Partner and National Co-Leader of the Privacy, Security and Social Media Team, Baker & Hostetler LLP

PANELISTS:
• Michael Carr, ARM, Vice President, E&O Underwriting, Argo Pro
• Beth D. Diamond, Esq., Claims Focus Group Leader - Technology, Media and Business Services, Beazley Group
• Lynn Sessions, Esq., Counsel, Baker & Hostetler LLP
• Mark Silvestri, Vice President of Product Development and Director of NetProtect, CNA
• Charles M. Vieau, MBA, First Vice President, Alliant Healthcare Solutions

Page 4:

Agenda

• Breach Basics
• Exposures
• Preparedness and Prevention
• Post-breach Response
• Predictions

Page 5:

Headlines

• Cignet assessed $4.3 million penalty

• $1 million penalty against Mass General

• WellPoint breach affects 600,000

• UCLA settles privacy case for $865,000

Page 6:

Compliance Complexity

A healthcare organization can be subject to all of the following at once:
• PCI-DSS
• HIPAA/HITECH
• State medical privacy laws (e.g. TX, CA)
• International data protection laws (e.g. EU, Canada)
• FTC
• GLBA
• State breach notification laws

Page 7:

Nearly every type of business has been a victim. The trend for healthcare is worse than many others.1

[Chart: breach trend by industry. Sectors shown: Telecom/Media, Tech, Healthcare, Government, Fin. Services, Education, Other (e.g. CPAs, Law, Construction etc.), Data & Information Brokers, Retail, Industry/Manufacturing. Legend: arrow = Getting Better, arrow = Getting Worse, NA = No Trend; Retail and Industry/Manufacturing are marked NA.]

Page 8:

HIPAA/HITECH

• American Recovery and Reinvestment Act (ARRA, 2009)
• Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of ARRA
  – Administrative regulations for national EHR infrastructure, standards and stimulus funding
  – Medicare/Medicaid meaningful use incentives for EHR adoption
  – Enhanced HIPAA privacy and security standards

Page 9:

Impact of HITECH

• Biggest change to health care privacy since the introduction of HIPAA

• Response by states

• Audit and enforcement authority

• Continued evolution

Page 10:

Hospital Breach Statistics – Just One Small Slice of Healthcare Exposure2

• Average breach frequency = 2 per month (April 2005 to Nov 2009)
• Severity - size of breach reflected in # of affected patients*:
  – Median = 3,000
  – Mean = 24,000
  – 90th percentile = 52,000
  * Excludes outliers

Sources:
1. Privacy Rights Clearinghouse, June 2007. Accessed July 26, 2007, www.privacyrights.org/ar/idtheftsurveys.htm.
2. Open Security Foundation, DataLossDB, 1 Jan 2005 through 23 Nov 2009. Accessed Nov 23, 2009, http://datalossdb.org/

Page 11:

What is a Healthcare Breach?

• HITECH Defines:
  – Breach as the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of the information
  – That poses a significant risk of financial, reputational, or other harm to the individual
  – Risk of harm analysis contemplated

Note that the "significant risk of harm" threshold is the standard of the 2009 interim final breach notification rule. The 2013 HIPAA Omnibus Rule replaced it with a presumption that any impermissible use or disclosure of PHI is a breach unless a documented four-factor risk assessment shows a low probability that the PHI has been compromised.

Page 12:

State Laws

• Apply in each state where an individual subject to the breach resides
• Differ from jurisdiction to jurisdiction
• May be stricter than, or in conflict with, federal law
• Additional state penalties
• Aggressive attorneys general

Page 13:

Exposures and Emerging Issues

• HITECH Act Regulations -- Final
• Electronic Health Records (EHR) and Patient Portals
• Wireless/Mobile Devices
• HIPAA Accounting Rule Changes
• HIPAA Compliance Audits
• Employer Issues – Social Media, Data Theft
• Cloud Computing
• International/Offshore Data

Page 14:

Increasing Frequency and Severity

• Privacy breaches are occurring more often - more than once a day
  – The average rate of publicly reported privacy breaches has grown from about 5 per month in 2005 to a peak of about 60 per month in 2008
  – By 2009 the five-year average was about 40 per month1
• They're getting bigger too
  – The number of records compromised grew from 9.6M to over 723M in the same period1

[Chart: Individuals Affected per Breach, by year (2006, 2007, 2008, 2009); y-axis: # of Individuals Affected, 0 to 800,000; data labels on the chart: 96K and 586K]

Page 15:

Over 50% of the largest healthcare institutions have reported a breach

Estimated Costs (Ponemon Institute)

Year   Average cost per breach   Cost per record
2008   $6.3 m                    $197/record
2009   $6.6 m                    $202/record
2010   $7.2 m                    $318/record

What's included in these costs?

Page 16:

Costs of Response

• Forensics
• Notification Costs
• Credit Monitoring
• Call Center
• Public Relations/Crisis Response
• Legal Fees

Page 17:

Did You Know…

• Most breaches do not involve the internet or the web. It's hard for IT Security teams to prevent non-IT breaches.
• Approximately 30 to 40% of all breaches are caused by someone to whom you have entrusted sensitive information.2

[Chart: 24% Network Hacking vs. 76% Non-network Breach]

Page 18:

Proactive Protection

• Policies and procedures for mobile devices
• Breach response team
• Collaboration among stakeholder groups
• Restrict and monitor sensitive data
• Vendor/business associate management
  – 30-40% of all breaches by vendors or business associates
• Staff education

Page 19:

Federal Breach Response

• No federal requirement to notify patients of breaches prior to HITECH
• Mandate for notification by Covered Entities (CE) when PHI is breached
• Business Associates (BA) must notify CEs of breaches
• Expansion of BA definition
• Requires significant change to internal privacy policies and BA Agreements
• Increased costs for CEs to comply and respond
• State Attorneys General as enforcement arm of the feds

Page 20:

Notification

• Patients/Customers
• Governmental agencies
  – Office for Civil Rights (OCR)
  – Attorneys General
• Law Enforcement
  – Local police departments
  – FBI
• Credit Reporting Agencies

Page 21:

Response Requirements

• Notification to each individual whose unsecured PHI has been accessed, acquired, used or disclosed
• Substitute notice required if contact information is insufficient or out of date for 10 or more individuals
• If 500+ residents of a state or jurisdiction are affected, notice to prominent media outlets serving that area, and immediate report to HHS/OCR

Page 22:

Notification

• Without unreasonable delay, but no later than 60 days after discovery of the breach
• In writing, by first class mail, unless the patient has agreed in advance to email communications
• By telephone as well, if imminent misuse of PHI is possible
• Notification may be delayed at the request of law enforcement

Page 23:

Notice Content

• Description of the event and the date of discovery
• Type of PHI involved
• Steps the recipient should take to protect against potential harm
• Description of the investigation, mitigation and protection from further breaches
• Contact procedures for questions, including a toll-free number

Don't forget state laws!

Page 24:

Post Breach Issues

• Administrative fines and penalties
• Attorney general audits, investigations, suits
• OCR audits
• Third party claims
• Class action lawsuits

Page 25:

Page 26:

Crisis Management Team

1. Information Technology

2. Legal

3. Communications

4. Customer Relations

5. Leadership

Page 27:

Crisis Management Process

1. Meet Daily

2. Set Goals

3. Assign Teams

4. Track Progress

Start before you have a crisis!

Page 28:

Setting Priorities

1. End the Compromise of Security/Remedy Risk Control Deficiencies
2. Restore Functioning of Systems
3. Root Cause and Scope Analysis
4. Evaluate Notice Obligations
   • Federal
   • State
   • Contractual
5. Key Customer Outreach
6. Press Release / Internal Communications
7. Issue Notices

Page 29:

One Key Takeaway

Not If, When. Plan.

Page 30:

Questions & Answers

Page 31:

Many thanks to …

• Michael Carr
• Beth Diamond
• Ted Kobus
• Lynn Sessions
• Mark Silvestri
• Charles Vieau