
39 Offices in 19 Countries

What Keeps You Up at Night?

Issues of Fraud and Abuse Compliance Series

My Data’s Been Stolen: Now What? Part II

November 21, 2013

Today’s Hosts

Thomas E. Zeno
Of Counsel, Squire Sanders
T +1 513 361 [email protected]

Emily E. Root
Senior Associate, Squire Sanders
T +1 614 365 [email protected]

Review of Part I – September 19

• How to know a breach has occurred

• Insider and outsider threats

• Should you notify law enforcement?

• What does HIPAA require about Business Associates?

PowerPoint link: http://www.squiresanders.com/files/Event/14e2e0c3-5769-48e6-b68d-f87ef7d1ccff/Presentation/EventAttachment/2d7a653a-eb4a-4f27-bffd-0147fcdbecc4/My-Data's-Been-Stolen-Now-What-Part-I.pdf

Recording link: https://cc.readytalk.com/cc/playback/Playback.do?id=9466ij

Today’s Speakers

Scott A. Edelstein
Partner, Squire Sanders
T +1 202 626 [email protected]

Thomas J. Hibarger
Managing Director, Stroz Friedberg
T +1 202 464 [email protected]

Today’s Agenda

• What more does HIPAA require?

• Data breach remediation

• Tips to prevent a breach

• Pre-planning for a breach

HIPAA has Teeth

• HHS Office for Civil Rights (OCR)

• U.S. Department of Justice (DOJ)

• State Attorneys General

• Expanded role of FTC

HIPAA Penalties and Enforcement

• Civil Penalties: $100 per violation, up to a maximum of $1.5 million per year

• Criminal Penalties
 – Up to $50,000; one year jail for wrongful disclosure
 – Up to $250,000; ten years jail if intent to sell, transfer or use PHI for commercial advantage

• Applies to both Covered Entities and Business Associates

State Patient Privacy Lawsuits

• No HIPAA private right of action
 – Patients still can sue under state common law principles, e.g., invasion of privacy

• HIPAA as standard of reasonableness?

State Data Breach Notification Laws

Other HIPAA Obligations

• Duty to mitigate

• Accounting of disclosures

• Review administrative, technical and physical safeguards

Federal Data Breach Notification – General Rule

After discovering a breach of unsecured PHI, a Covered Entity must notify each individual whose information was, or reasonably is believed to have been, accessed, acquired, used or disclosed as a result.

Federal Data Breach Notification – Definitions

• “Unsecured PHI”: not rendered unusable, unreadable or indecipherable
 – Encryption or destruction encouraged but not required

• “Breach”: unauthorized acquisition, access, use or disclosure of PHI
 – Compromises the security or privacy of PHI
 – Elimination of subjective standard (“significant risk of financial, reputational, or other harm”)
 – New objective standard creates presumption of breach unless CE/BA demonstrate low probability that PHI has been compromised

• Exceptions
 – Certain unintentional or inadvertent disclosures
 – Good faith belief recipient reasonably would not retain data

Federal Breach Notification – Risk Assessment to Determine Low Probability

• Nature and extent of PHI involved (e.g., types of identifiers and likelihood of re-identification)

• The unauthorized person who used PHI or to whom PHI was disclosed

• Whether PHI was actually acquired or viewed

• Extent to which the risk to PHI has been mitigated

Federal Data Breach Notification – Notification Obligations

• Notification required within 60 days of discovery
 – Enforcement rule requires correction in 30 days
 – BA failing to notify CE can be penalized directly
 – State law may have shorter notice periods (e.g., Calif.)

• Notification content
 – Briefly describe what happened and when
 – Describe types of unsecured PHI involved
 – Describe how individuals can protect themselves
 – Briefly describe investigation, mitigation and protection
 – Provide contact information

Federal Data Breach Notification – Form of Notice

• Plain language

• Written: via mail (or electronic if individual agrees)
 – If deceased, next of kin or personal representative
 – Also telephone or other means if urgent

• Substitute notice if contact info insufficient
 – < 10: alternative written, telephone or other means
 – > 10: either 90-day website posting or media notice, PLUS 90-day toll-free number

Federal Data Breach Notification – Additional Required Notice

• Media Notification
 – > 500 residents of a State: notify prominent media outlets
 – Within 60 days of breach discovery
 – Same content as notice to individuals

• HHS Notification
 – > 500: notify HHS at same time as individuals
 – < 500: maintain a breach log and notify HHS within 60 days after the end of the calendar year
   – Hospice of North Idaho settlement, Dec. 2012

Lessons Learned

• Encryption will prevent a lot of headaches

• OCR will have access to everything

• State AGs may become involved

• Media attention

• Enterprise embarrassment

• Consider cyber insurance

• May prompt litigation
 – Between covered entities and business associates
   – Who will pay costs associated with notification?
   – Security incident versus breach
   – Enforcement of agreements with offshore BAs
 – By affected individuals

Key Steps

• Organize your network data

• Update Policies and Procedures

• Develop a Response Plan

• Perform a Risk Assessment

Organize Your Network Data

• Map your critical assets

• Record backup schedules and inventories

• Update user lists

• Centralize logging functions

Update Policies and Procedures

• Conform them to HIPAA Security and Privacy Audit Protocols

• Account for New Technology
 – Text Messaging
 – Social Media
 – BYOD
 – Cloud Computing

BYOD – Bring Your Own Device

http://blogs.wsj.com/riskandcompliance/2013/09/26/hospitals-allowing-byod-face-complications-with-new-hipaa-rule/

• Consider the risk implications of BYOD vs. convenience

• Where is the perimeter of your network and who controls it?

• ePHI transmitted via emails, texts, attached documents

• ePHI must be secured in transit and at rest - container

• iOS vs. Android

Develop a Response Plan

• Management endorsement

• Contact lists

• Legal analysis and timeline

• Categories of adverse events

• Facilities and equipment list

• Outreach plan

• An effective team

The Cloud

• OCR Guidance that Cloud providers are Business Associates

Develop a Response Plan – Effective Team

Communication

• Team Members
 − Outside & in-house counsel
 − Compliance, HR, IT
 − Business managers, public affairs
 − Experts

• Other Key Constituents
 − Board/CEO, Executives
 − Employees
 − Shareholders
 − Unaffected Patients, Providers, or Customers

Perform a Risk Assessment

• The HIPAA Security Rule requires it

• HHS auditors report it as one of the most common compliance failures

Preservation

• Unhook infected machines
 – Do NOT poke around
 – Insert clean and patched machines

• Call experts to image infected machines

• Save off log files

• Pull needed backup(s) out of rotation

• Save keycard data and surveillance tapes

• Start real-time packet capture

• Force password changes

Breach Timeline

Mitigating Your Risks

Simple steps to reduce risk of compromising your data and systems

• Encrypt data – in motion and at rest

• Install software security patches

• Train employees to avoid security threats

• Robust passwords; changed; no default passwords

• Use multi-factor authentication for remote access
 – Employees from outside the office
 – Sensitive on-line accounts such as financial and cloud storage of patient data

• Terminate dormant user accounts

• Use up-to-date virus scanning software

• Periodically audit compliance with data security rules

Mitigating Your Risks

Simple steps to reduce the damage if/when a compromise occurs

• Don’t store data you don’t need

• Know where your data is

• Use internal network walls to protect sensitive data

• Train employees to spot and report anomalies

• Monitor logs in your system to detect anomalies

Mitigating Your Risks

Steps for reducing insider cybercrime and data breach risk

• Create written employee conduct policies
 – Include social media use policies

• Restrict internet sites able to exfiltrate sensitive data

• Create tiered access to sensitive information
 – Not everyone needs access to everything

• Check background of employees with access to sensitive information

• Restrict use of external storage devices

Mitigating Your Risks

Steps for reducing insider cybercrime and data breach risk (cont’d)

• Implement employee exit procedures
 – Acknowledgement of post-employment obligations
 – Termination of account access

• Dual controls for access to certain sensitive data

Mitigating Your Risks

Reducing the risk of employee negligence

• Good risk management of malicious conduct

• Encryption

• Don’t store data unnecessarily

• Encryption

• Data security policies and audits

• Encryption

• Employee training

• Audit compliance with data security rules

Tips for Avoiding Data Breaches

• Conduct random security audits

• Perform random reviews of access logs

• Have strong physical safeguards for areas where paper records are stored and used

• Don't store PHI on laptop hard drive or desktop

• Address administrative and physical safeguards clearly for storage devices and removable media

Hypothetical

A Business Associate contracted to send invoices to patients experiences a computer error which mismatches the patient’s name and address, resulting in 200 bills sent to the wrong address. Eighty bills were returned unopened.

Stay Alert

Thank You for Joining Our Webinar

Questions?

Thank You for Joining Our Webinar

Contact us with other topics, questions or issues:

• Scott Edelstein: [email protected]

• Tom Hibarger: [email protected]

• Tom Zeno: [email protected]

• Emily Root: [email protected]
