Cyberliability Risk Management Program- SCAN Group Presented for OCRIMS June 11, 2013 Deborah Schlesinger, HIPAA Privacy & Security Officer, Director of Corporate Risk Management
SCAN Group • Medicare Advantage Plan (2) • 150,000 beneficiaries • Located in California & Arizona • Contracts with • Centers for Medicare & Medicaid Services (CMS) • CA Department of Health Care Services (DHCS) • Independence at Home- grant programs • SCAN Foundation • Assessment Centers
Applicable Law/Regulations • HIPAA • CA Civil Code Section 1798.82 (breach notification) • CMIA (Confidentiality of Medical Information Act), H & S Code Section 130203 • PCI DSS (Payment Card Industry Data Security Standard)
Trends & Impacts on Risk • Consumerization • BYOD • Mobility • Remote workers • Cloud • Hosted applications • Social media • Twitter, Facebook, LinkedIn • Cyber threats • Increasingly sophisticated viruses & worms • "Hacktivism"
Exposures/Threats • Internal • Employee violation of security/privacy policies (e.g. failure to encrypt) • Sabotage • Committing ID theft or fraud • Social engineering • Physical building access • External • Business associates • Hackers • Catastrophic events/disasters • Email threats (spam, viruses, bots, malware, phishing) • Offsite storage & transport of backup media
Exposures/Threats • Network • DDoS (distributed denial of service) attacks • Hijacking or interception of data in transit
Loss Control • IT Security Technology • Encryption • Devices & email • Firewalls block 17% of all incoming email • Remote wipe for lost/stolen devices • Data leakage (DLP) software, which reports where confidential data resides • File sharing sites restricted (no Dropbox, etc.) • Force secure file transfer protocols (SFTP/FTPS rather than plain FTP) • Limit access to internet sites (Gmail, non-work sites, etc.) • Shredding done on site
Loss Control (continued) • IT Auditing Program • Combination of internal and external audits, plus focused audits • Network firewalls, penetration testing, system credentials • Business associate pre-contractual evaluation of IT security & privacy compliance (assessment tool, insurance requirements) • Privacy & Security Rule compliance monitoring • HIPAA training: CBT & IT security awareness offerings • Disaster plan (SunGard) • Cyberliability insurance
Cyberliability Insurance • First purchased after passage of the HITECH Act in 2009 • Costs of data breaches • Notice to affected individuals, estimated at $214 per person, which includes the cost of: • Credit/reputation monitoring • Defense costs • Forensics • Regulatory fines/civil penalties • Crisis management • Data asset loss • Cyber extortion
What Cyberliability will not cover • Diminished employee productivity • Public perception/ unmitigated reputation loss • Loss of customer base • Diminished goodwill • Devalued intellectual property • Cost of Business distraction • Loss or required reinstatement of accreditation
Data Breach Management • Policy and procedure • Software application (workflow) • Online form • Conduct risk assessments • Mitigate • Forensics where warranted • Breach response team
Incident Response • Contracts with incident response providers • AllClear ID • Kroll • Template letters
Costs Associated with Data Breaches • Notification of affected individuals • Forensic analysis to determine cause • Crisis management (public relations costs) • Remediation of security vulnerabilities • Credit protection and/or reputation monitoring • Defense costs • Regulatory fines/civil penalties • Abnormal customer turnover / customer acquisition costs
Tips for Success • Get to know your IT department • Learn as much as you can about the technology • Conduct your Risk Analysis and know where your PHI or PII resides • Reinforce key security training items
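The "data leakage software" on the Loss Control slide and the closing tip to "know where your PHI or PII resides" both come down to the same mechanic: sweep stored documents for identifiers, validate candidates so the report is not drowned in false positives, and summarize by location. The following Python scan is an added example written for this page; it is not SCAN Group's tooling and not part of the presentation. The file names and values in `SAMPLE_FILES` are constructed, the validation rules (unissued SSN area numbers, the Luhn check for card numbers) are standard ones chosen for the example, and the output masks all but the last four digits so the scan report does not itself become a new exposure.

```python
"""Hypothetical PHI/PII discovery scan (added example; not SCAN Group's tooling).

Walks a set of documents, flags SSNs and payment card numbers, validates each
candidate (SSN structure rules, Luhn check for cards) to cut false positives,
and reports only masked values so the report itself is safe to circulate.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# SSN: area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card issuers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so scan output can be shared with non-IT staff."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    location: str  # file or record the value was found in
    kind: str      # "ssn" or "card"
    masked: str    # value with all but the last four digits masked


def scan_text(location: str, text: str) -> list[Finding]:
    """Return validated SSN and card-number findings for one document."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding(location, "ssn", mask(m.group().replace("-", ""))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # The regex only finds digit runs; Luhn separates real PANs from order/reference numbers.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(location, "card", mask(digits)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a {location: contents} mapping (stand-in for a file share, mailbox or export)."""
    out: list[Finding] = []
    for location, text in files.items():
        out.extend(scan_text(location, text))
    return out


def inventory(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Summarize where each data type lives: {location: {kind: count}}."""
    summary: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f.location][f.kind] += 1
    return {loc: dict(kinds) for loc, kinds in summary.items()}


# Constructed sample documents (hypothetical paths and values, not real data).
SAMPLE_FILES = {
    # 123-45-6789 is structurally valid; 987-65-4321 has an unissued 9xx area and must not be reported.
    "claims/export.csv": "member_id,ssn,dob\n1001,123-45-6789,1950-01-02\n1002,987-65-4321,1948-11-30\n",
    # Area 000 is never issued, so this line should produce no finding.
    "notes/todo.txt": "call 000-12-3456 re: invoice (not a valid SSN)\n",
    # The first number is a Luhn-valid test PAN; the second fails Luhn and is dropped.
    "billing/cards.txt": "Visa 4111 1111 1111 1111 on file; ref 1234 5678 9012 3456\n",
}

if __name__ == "__main__":
    for loc, kinds in inventory(scan_files(SAMPLE_FILES)).items():
        print(loc, kinds)
```

Run against a real share, the `inventory` output is the input to the risk analysis the last slide asks for: it tells the privacy officer which directories, mailboxes or exports actually hold PHI or cardholder data, and therefore where encryption, access limits and DLP rules have to be enforced first.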