
HEALTHCARE CYBER RISKS AND PRIVACY BREACHES Emergent Problem or Chronic Condition?


Presentation Transcript


  1. HEALTHCARE CYBER RISKS AND PRIVACY BREACHES: Emergent Problem or Chronic Condition?

  2. Introductions MODERATOR: • Theodore J. Kobus, III, Esq., Partner and National Co-Leader of the Privacy, Security and Social Media Team, Baker & Hostetler LLP PANELISTS: • Michael Carr, ARM, Vice President, E&O Underwriting, Argo Pro • Beth D. Diamond, Esq., Claims Focus Group Leader-Technology, Media and Business Services, Beazley Group • Lynn Sessions, Esq., Counsel, Baker & Hostetler LLP • Mark Silvestri, Vice President of Product Development and Director of NetProtect, CNA • Charles M. Vieau, MBA, First Vice President, Alliant Healthcare Solutions

  3. Agenda • Breach Basics • Exposures • Preparedness and Prevention • Post breach Response • Predictions

  4. Headlines • Cignet assessed $4.3 million penalty • $1 million penalty against Mass General • WellPoint breach affects 600,000 • UCLA settles privacy case for $865,000

  5. Compliance Complexity

  6. Nearly every type of business has been a victim. The trend for healthcare is worse than many others [1]. [Chart: breach trend by industry. Legend: Getting Better, Getting Worse, NA = No Trend. Industries shown: Industry/Manufacturing; Data & Information Brokers; Other (e.g. CPAs, Law, Construction etc.); Telecom/Media; Healthcare; Retail; Government; Fin. Services; Education; Tech]

  7. HIPAA/HITECH • American Recovery and Reinvestment Act • Health Information Technology for Economic and Clinical Health Act (HITECH) • Administrative regulations for national EHR infrastructure, standards and stimulus funding • Medicare/Medicaid meaningful use incentives for EHR adoption • Enhanced HIPAA privacy and security standards

  8. Impact of HITECH • Biggest change to health care privacy since the introduction of HIPAA • Response by states • Audit and enforcement authority • Continued evolution

  9. Hospital Breach Statistics – Just One Small Slice of Healthcare Exposure [2] • Average breach frequency = 2 per month (April 2005 to Nov 2009) • Severity - size of breach reflected in # of affected patients*: Median = 3,000; Mean = 24,000; 90th percentile = 52,000 (* Excludes outliers) • Privacy Rights Clearinghouse. June 2007. Privacy Rights Clearinghouse. Accessed July 26, 2007, www.privacyrights.org/ar/idtheftsurveys.htm. • Open Security Foundation Dataloss db 1-1-05 through 11-23-09. Accessed Nov 23, 2009, http://datalossdb.org/

  10. What is a Healthcare Breach? • HITECH Defines: • Breach as the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of the information • That poses a significant risk of financial, reputational, or other harm to the individual • Risk of harm analysis contemplated

  11. State Laws • Each state where individual subject to the breach resides • Differs from jurisdiction to jurisdiction • Stricter or in conflict with federal law • Additional state penalties • Aggressive attorneys general

  12. Exposures and Emerging Issues • HITECH Act Regulations -- Final • Electronic Health Records (EHR) and Patient Portals • Wireless/Mobile Devices • HIPAA Accounting Rule Changes • HIPAA Compliance Audits • Employer Issues – Social Media, Data Theft • Cloud Computing • International/Offshore Data

  13. Increasing Frequency and Severity • Privacy breaches are occurring more often - more than once a day • The average rate of publicly reported privacy breaches has grown from about 5 per month in 2005 to a peak of about 60 per month in 2008 • By 2009 the 5 year average was about 40 per month [1] • They’re getting bigger too • The number of records compromised grew from 9.6M to over 723M in the same period [1] [Chart: Individuals Affected per Breach. Y-axis: # of Individuals Affected; x-axis: Year (2006 to 2009); data labels shown: 96K and 586K]

  14. Estimated Costs • Over 50% of the largest healthcare institutions have reported a breach • What’s included in these costs?

  15. Costs of Response • Forensics • Notification Costs • Credit Monitoring • Call Center • Public Relations/Crisis Response • Legal Fees

  16. Did You Know… • 24% Network Hacking, 76% Non-network Breach • Most breaches do not involve the internet or the web. It’s hard for IT Security teams to prevent non-IT breaches. • Approximately 30 to 40% of all breaches are caused by someone to whom you have entrusted sensitive information [2].

  17. Proactive Protection • Policies and procedures for mobile devices • Breach response team • Collaboration among stakeholder groups • Restrict and monitor sensitive data • Vendor/business associate management • 30-40% of all breaches by vendors or business associates • Staff education

  18. Federal Breach Response • No federal requirement to notify patients of breaches prior to HITECH • Mandate for notification by Covered Entities (CE) when PHI breached • Business Associates (BA) must notify CEs of breaches • Expansion of BA definition • Requires significant change to internal privacy policies and BA Agreements • Increased costs for CEs to comply and respond • State Attorneys General as enforcement arm of feds

  19. Notification • Patients/Customers • Governmental agencies • Office of Civil Rights • Attorneys General • Law Enforcement • Local police departments • FBI • Credit Reporting Agencies

  20. Response Requirements • Notification to each individual whose unsecured PHI has been accessed, acquired or disclosed • Substitute notice required if insufficient contact for 10 or more • If 500+ in a state, notice to prominent media outlets and immediate report to OCR

  21. Notification • Without unreasonable delay, but no later than 60 days • In writing, by first class mail, unless the patient has agreed in advance to email communications • By telephone, if imminent misuse of PHI is possible • May get a law enforcement delay

  22. Notice Content • Description of event and date of discovery • Type of PHI involved • Steps recipient takes to protect from potential harm • Description of the investigation, mitigation and protection from further breaches • Toll-free number to contact for questions Don’t forget state laws!

  23. Post Breach Issues • Administrative fines and penalties • Attorney general audits, investigations, suits • OCR audits • Third party claims • Class action lawsuits

  24. Crisis Management Team • Information Technology • Legal • Communications • Customer Relations • Leadership

  25. Crisis Management Process • Meet Daily • Set Goals • Assign Teams • Track Progress Start before you have a crisis!

  26. Setting Priorities • End the Compromise of Security/Remedy Risk Control Deficiencies • Restore Functioning of Systems • Root Cause and Scope Analysis • Evaluate Notice Obligations • Federal • State • Contractual • Key Customer Outreach • Press Release Internal Communications • Issue Notices

  27. One Key Takeaway Not If, When Plan

  28. Questions & Answers

  29. Many thanks to … • Michael Carr • Beth Diamond • Ted Kobus • Lynn Sessions • Mark Silvestri • Charles Vieau
