
HEALTHCARE CYBER RISKS AND PRIVACY BREACHES EMERGENT PROBLEM OR CHRONIC CONDITION?



Presentation transcript:


2 HEALTHCARE CYBER RISKS AND PRIVACY BREACHES EMERGENT PROBLEM OR CHRONIC CONDITION?

3 Introductions
MODERATOR: Theodore J. Kobus, III, Esq., Partner and National Co-Leader of the Privacy, Security and Social Media Team, Baker & Hostetler LLP
PANELISTS:
- Michael Carr, ARM, Vice President, E&O Underwriting, Argo Pro
- Beth D. Diamond, Esq., Claims Focus Group Leader - Technology, Media and Business Services, Beazley Group
- Lynn Sessions, Esq., Counsel, Baker & Hostetler LLP
- Mark Silvestri, Vice President of Product Development and Director of NetProtect, CNA
- Charles M. Vieau, MBA, First Vice President, Alliant Healthcare Solutions

4 Agenda
- Breach Basics
- Exposures
- Preparedness and Prevention
- Post-breach Response
- Predictions

5 Headlines
- Cignet assessed $4.3 million penalty
- $1 million penalty against Mass General
- WellPoint breach affects 600,000
- UCLA settles privacy case for $865,000

6 Compliance Complexity
- PCI-DSS
- HIPAA/HITECH
- State medical privacy laws (e.g. TX, CA)
- International data protection (e.g. EU, Canada)
- FTC
- GLBA
- State breach notification laws

7 Nearly every type of business has been a victim. The trend for healthcare is worse than many others. [1]
[Chart: breach trend by industry. Industries shown: Telecom/Media, Tech, Healthcare, Government, Financial Services, Education, Other (e.g. CPAs, Law, Construction), Data & Information Brokers, Retail, Industry/Manufacturing. Legend: Getting Better / Getting Worse / NA = No Trend.]

8 HIPAA/HITECH American Recovery and Reinvestment Act Health Information Technology for Economic and Clinical Health Act (HITECH) – Administrative regulations for national EHR infrastructure, standards and stimulus funding – Medicare/Medicaid meaningful use incentives for EHR adoption – Enhanced HIPAA privacy and security standards

9 Impact of HITECH Biggest change to health care privacy since the introduction of HIPAA Response by states Audit and enforcement authority Continued evolution

10 Hospital Breach Statistics – Just One Small Slice of Healthcare Exposure [2]
- Average breach frequency = 2 per month (April 2005 to Nov 2009)
- Severity (size of breach, measured as number of affected patients*): Median = 3,000; Mean = 24,… (remainder of figure missing from transcript); …th percentile = 52,000
* Excludes outliers
Sources: 1. Privacy Rights Clearinghouse, accessed July 26, 2007. 2. Open Security Foundation DataLossDB, accessed Nov 23, 2009.

11 What is a Healthcare Breach? HITECH Defines: – Breach as the unauthorized acquisition, access, use or disclosure of PHI, which compromises the security or privacy of the information – That poses a significant risk of financial, reputational, or other harm to the individual – Risk of harm analysis contemplated

12 State Laws
- Apply in each state where an individual subject to the breach resides
- Differ from jurisdiction to jurisdiction
- May be stricter than, or in conflict with, federal law
- Additional state penalties
- Aggressive attorneys general

13 Exposures and Emerging Issues HITECH Act Regulations -- Final Electronic Health Records (EHR) and Patient Portals Wireless/Mobile Devices HIPAA Accounting Rule Changes HIPAA Compliance Audits Employer Issues – Social Media, Data Theft Cloud Computing International/Offshore Data

14 Increasing Frequency and Severity
- Privacy breaches are occurring more often: more than once a day
- The average rate of publicly reported privacy breaches has grown from about 5 per month in 2005 to a peak of about 60 per month in 2008; by 2009 the 5-year average was about 40 per month [1]
- They're getting bigger too: the number of records compromised grew from 9.6M to over 723M in the same period [1]
[Chart: Individuals Affected per Breach, by year; axis values not recoverable from transcript (labels include 586K).]

15 Over 50% of the largest healthcare institutions have reported a breach.
What's included in these costs? Estimated costs (Ponemon Institute):

| Year | Average total cost per breach | Cost per record |
|------|-------------------------------|-----------------|
| 2008 | $6.3 m                        | $197/record     |
| 2009 | $6.6 m                        | $202/record     |
| 2010 | $7.2 m                        | $318/record     |

16 Costs of Response
- Forensics
- Notification costs
- Credit monitoring
- Call center
- Public relations / crisis response
- Legal fees

17 Did You Know…
- Most breaches do not involve the internet or the web.
- It's hard for IT security teams to prevent non-IT breaches.
- Approximately 30 to 40% of all breaches are caused by someone to whom you have entrusted sensitive information. [2]
[Chart: 24% network hacking, 76% non-network breach.]

18 Proactive Protection
- Policies and procedures for mobile devices
- Breach response team
- Collaboration among stakeholder groups
- Restrict and monitor sensitive data
- Vendor/business associate management (30-40% of all breaches are caused by vendors or business associates)
- Staff education

19 Federal Breach Response No federal requirement to notify patients of breaches prior to HITECH Mandate for notification by Covered Entities (CE) when PHI breached Business Associates (BA) must notify CEs of breaches Expansion of BA definition Requires significant change to internal privacy policies and BA Agreements Increased costs for CEs to comply and respond State Attorneys General as enforcement arm of feds

20 Notification
- Patients/customers
- Governmental agencies: Office for Civil Rights; Attorneys General
- Law enforcement: local police departments; FBI
- Credit reporting agencies

21 Response Requirements Notification to each individual whose unsecured PHI has been accessed, acquired or disclosed Substitute notice required if insufficient contact for 10 or more If 500+ in a state, notice to prominent media outlets and immediate report to OCR

22 Notification
- Without unreasonable delay, but no later than 60 days after discovery
- In writing, by first-class mail, unless the patient has agreed in advance to electronic communications
- Additionally by telephone, in urgent situations where imminent misuse of PHI is possible
- Notice may be delayed at the request of law enforcement

23 Notice Content
- Description of the event and the date of discovery
- Type of PHI involved
- Steps the recipient should take to protect themselves from potential harm
- Description of the investigation, mitigation, and protection against further breaches
- Toll-free number to contact with questions
- Don't forget state laws!

24 Post Breach Issues
- Administrative fines and penalties
- Attorney general audits, investigations, suits
- OCR audits
- Third-party claims
- Class action lawsuits


26 Crisis Management Team
1. Information Technology
2. Legal
3. Communications
4. Customer Relations
5. Leadership

27 Crisis Management Process
1. Meet daily
2. Set goals
3. Assign teams
4. Track progress
Start before you have a crisis!

28 Setting Priorities
1. End the compromise of security / remedy risk control deficiencies
2. Restore functioning of systems
3. Root cause and scope analysis
4. Evaluate notice obligations: federal, state, contractual
5. Key customer outreach
6. Press release and internal communications
7. Issue notices

29 One Key Takeaway: Not If, When. Plan.

30 Questions & Answers

31 Michael Carr Beth Diamond Ted Kobus Lynn Sessions Mark Silvestri Charles Vieau Many thanks to …

