310 likes | 424 Views
HEALTHCARE CYBER RISKS AND PRIVACY BREACHES Emergent Problem or Chronic Condition?. Introductions. MODERATOR: Theodore J. Kobus , III, Esq., Partner and National Co-Leader of the Privacy, Security and Social Media Team, Baker & Hostetler LLP PANELISTS:
E N D
HEALTHCARE CYBER RISKS AND PRIVACY BREACHESEmergent Problem or Chronic Condition?
Introductions MODERATOR: • Theodore J. Kobus, III, Esq., Partner and National Co-Leader of the Privacy, Security and Social Media Team, Baker & Hostetler LLP PANELISTS: • Michael Carr, ARM, Vice President, E&O Underwriting, Argo Pro • Beth D. Diamond, Esq., Claims Focus Group Leader-Technology, Media and Business Services, Beazley Group • Lynn Sessions, Esq., Counsel, Baker & Hostetler LLP • Mark Silvestri, Vice President of Product Development and Director of NetProtect, CNA • Charles M. Vieau, MBA, First Vice President, Alliant Healthcare Solutions
Agenda • Breach Basics • Exposures • Preparedness and Prevention • Post breach Response • Predictions
Headlines • Cignet assessed $4.3 million penalty • $1 million penalty against Mass General • WellPoint breach affects 600,000 • UCLA settles privacy case for $865,000
Nearly every type of business has been a victim. The trend for healthcare is worse than many others1 = Getting Better Industry/Manufacturing Data & Information Brokers = Getting Worse Other – e.g. CPAs, Law, Construction etc. Telecom/Media NA = No Trend NA Healthcare Retail NA Government Fin. Services Education Tech
HIPAA/HITECH • American Recovery and Reinvestment Act • Health Information Technology for Economic and Clinical Health Act (HITECH) • Administrative regulations for national EHR infrastructure, standards and stimulus funding • Medicare/Medicaid meaningful use incentives for EHR adoption • Enhanced HIPAA privacy and security standards
Impact of HITECH • Biggest change to health care privacy since the introduction of HIPAA • Response by states • Audit and enforcement authority • Continued evolution
Hospital Breach Statistics – Just One Small Slice of Healthcare Exposure2 • Average breach frequency = 2 per month(April 2005 to Nov 2009) • Severity - size of breach reflected in # of affected patients*: Median = 3,000 Mean = 24,000 90th percentile = 52,000 * Excludes outliers • Privacy Rights Clearinghouse. June 2007. Privacy Rights Clearinghouse. Accessed July 26, 2007, www.privacyrights.org/ar/idtheftsurveys.htm. • Open Security Foundation Dataloss db 1-1-05 through 11-23-09. Accessed Nov 23, 2009, http://datalossdb.org/
What is a Healthcare Breach? • HITECH Defines: • Breach as the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of the information • That poses a significant risk of financial, reputational, or other harm to the individual • Risk of harm analysis contemplated
State Laws • Each state where individual subject to the breach resides • Differs from jurisdiction to jurisdiction • Stricter or in conflict with federal law • Additional state penalties • Aggressive attorneys general
Exposures and Emerging Issues • HITECH Act Regulations -- Final • Electronic Health Records (EHR) and Patient Portals • Wireless/Mobile Devices • HIPAA Accounting Rule Changes • HIPAA Compliance Audits • Employer Issues – Social Media, Data Theft • Cloud Computing • International/Offshore Data
Increasing Frequency and Severity • Privacy breaches are occurring more often - more than once a day • The average rate of publicly reported privacy breaches has grown from about 5 per month in 2005 to a peak of about 60 per month in 2008 • By 2009 the 5 year average was about 40 per month1 • They’re getting bigger too • The number of records compromised grew from 9.6M to over 723M in the same period1 Individuals Affected per Breach 800,000 586K 600,000 # of Individuals Affected 400,000 96K 200,000 2006 1 2 2008 3 2009 4 2007 Year
Estimated Costs Over 50% of the largest healthcare institutionshave reported a breach What’s included in these costs?
Costs of Response • Forensics • Notification Costs • Credit Monitoring • Call Venter • Public Relations/Crisis Response • Legal Fees
24% Network Hacking 76% Non-network Breach Did You Know… • Most breaches do not involve the internet or the web. It’s hard for IT Security teams to prevent non–IT breaches. • Approximately 30 to 40% of all breaches are caused by someone to whom you have entrusted sensitive information.2
Proactive Protection • Policies and procedures for mobile devices • Breach response team • Collaboration among stakeholder groups • Restrict and monitor sensitive data • Vendor/business associate management • 30-40% of all breaches by vendors or business associates • Staff education
Federal Breach Response • No federal requirement to notify patients of breaches prior to HITECH • Mandate for notification by Covered Entities (CE) whenPHI breached • Business Associates (BA) must notify CEs of breaches • Expansion of BA definition • Requires significant change to internal privacy policies and BA Agreements • Increased costs for CEs to comply and respond • State Attorneys General as enforcement arm of feds
Notification • Patients/Customers • Governmental agencies • Office of Civil Rights • Attorneys General • Law Enforcement • Local police departments • FBI • Credit Reporting Agencies
Response Requirements • Notification to each individual whose unsecured PHI has been accessed, acquired or disclosed • Substitute notice required if insufficient contact for 10 or more • If 500+ in a state, notice to prominent media outlets and immediate report to OCR
Notification • Without unreasonable delay, but no later than60 days • In writing, by first class mail, unless the patient has agreed in advance to email communications • By telephone, if imminent misuse of PHI is possible • May get a law enforcement delay
Notice Content • Description of event and date of discovery • Type of PHI involved • Steps recipient takes to protect from potential harm • Description of the investigation, mitigation and protection from further breaches • Toll-free number to contact for questions Don’t forget state laws!
Post Breach Issues • Administrative fines and penalties • Attorney general audits, investigations, suits • OCR audits • Third party claims • Class action lawsuits
Crisis Management Team • Information Technology • Legal • Communications • Customer Relations • Leadership
Crisis Management Process • Meet Daily • Set Goals • Assign Teams • Track Progress Start before you have a crisis!
Setting Priorities • End the Compromise of Security/Remedy Risk Control Deficiencies • Restore Functioning of Systems • Root Cause and Scope Analysis • Evaluate Notice Obligations • Federal • State • Contractual • Key Customer Outreach • Press Release Internal Communications • Issue Notices
One Key Takeaway Not If, When Plan
Questions & Answers
Many thanks to … • Michael Carr • Beth Diamond • Ted Kobus • Lynn Sessions • Mark Silvestri • Charles Vieau