Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ryan Bowers and Bob Ludolph  Pepper Hamilton LLP Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace.

Similar presentations


Presentation on theme: "Ryan Bowers and Bob Ludolph  Pepper Hamilton LLP Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace."— Presentation transcript:

1 Ryan Bowers and Bob Ludolph  Pepper Hamilton LLP Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace

2 Ryan Bowers Privacy, Security and Data Protection Practice Group Focus on technology law, IP transactions, software licensing Companies of all sizes - startups through established tech companies In-house counsel and software company experience

3 Robert Ludolph Labor and Employment Practice Group Supervises investigations of misappropriated proprietary and personal information Advises on employment discrimination, executive agreements and ERISA issues Drafts non-competition and non- solicitation agreements

4 What’s the Big Deal Data breaches are becoming more prevalent and costly. Laws are in a state of flux. HIPAA adds extra requirements and consequences. New technologies present new and varied problems. Amount and transmission of data is increasing at unprecedented rates!

5 Data – New Hardware Google Glass Health wearables Apple Healthkit Google Fit Pill Scanning Technology

6 Data – Wearables Global Wearable Medical Device Market: −$2.0B in 2012 −$5.8B in 2019 Applications: −Heart Rate and Vitals −Activity Monitors −ECG, EEG, EMG −Baby Monitoring −Diabetes

7 Data – Explosion of Health IT Startups Medical records and imaging Tele-medicine Off-shore transcription Physician collaboration Clinical trials Post-discharge patient monitoring Physician-only social networking FICO scores for health?

8 Data – What could go wrong? Data accuracy Standard of care Trust in startups and third party software Physician learning curve Privacy Data Security and Data Breaches!

9 Target Breach Hacked via vendor - refrigeration contractor Information of 110 Million people compromised $61 million in hacking- related expenses VP Technology / CIO / CEO resigns

10 Community Health Systems Breach Data from 5.4M patients, including social security numbers Cost: $75-$150M Class action filed immediately Hackers used the Heartbleed bug to access VPN credentials CHS used a lot of open source or free security software Bug reported in April – records still being stolen in June

11 Community Health Systems Breach FBI: −“Health care providers typically do not use the same high levels of security technology as companies in other industries.” −Health care providers and payers could be targeted −Health Information Exchanges may be particularly tempting for hackers

12 HIPAA Concerns The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

13 HIPAA Concerns Individually identifiable health information” is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

14 HIPAA ViolationMinimum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation annual maximum for repeat violations $25,000 HIPAA violation due to reasonable cause but not due to willful neglect $1,000 per violation Annual maximum $100,000 HIPAA violation due to willful neglect but violation is corrected within required time $10,000 per violation annual maximum $250,000 HIPAA violation is due to willful neglect and is not corrected $50,000 per violation annual maximum of $1.5 million HIPAA Violation Penalties – ‘Nuff said!

15 Anonymous Hackers ? Cyber Threats

16

17 Employee Practices Recent Study 63% of employees use personal for sensitive work documents −74% believe that their companies approve! 63% use remote storage (USB) for work files 45% use sites like Dropbox and Box to share sensitive business information 30% use cloud storage for work-related files Reasons 52% Convenience over company system 18% Mobile access

18 1.Preparation 2.Detection 3.Analysis and Prioritization 4.Investigation and Mitigation 5.Notification −47 different statutes! −Time frames critical 6.Post-incident activity Practical Steps Companies Must Take

19 How to Prepare Failing to prepare is preparing to fail. John Wooden

20 How to Prepare Know Your Data! Nature of data (encrypted?) Flow of data (online connectivity? Cloud?) Location of data / users Ownership v. License Open Source? Access

21 How to Prepare Set up Response Team Assess the environment Train for the attack and counterattack

22 Prepare For Your Next Data Breach Establish written policies and procedures to regulate compliance −Privacy Policy (data collection, sharing and retention/destruction) −Data Breach Policy −Institute a Business Continuity Plan −Bring Your Own Device (BYOD) Policy Most data breach laws have “own notification policy exception”

23 BYOD: Definition Bring Your Own Device Permitting employees to bring personally-owned mobile devices (laptops, tablets, and smart phones) to their workplace, and Defining the use of those devices to access confidential proprietary information and applications.

24 BYOD: Statistics 80% of employees presently use personal technology for business purposes. By 2017, 50% of US employers will stop providing devices to employees.

25 BYOD: Why? Cost reduction Employee freedom of choice Increased productivity and responsiveness Innovation and collaboration

26 54% of organizations have had 5 or more data breach incidents involving a mobile device containing regulated data in the past two years. On average, 6,000 records were lost or stolen in each such data breach. Only Two Kinds of Companies

27 Trade Secret Issues Trade Secret Any “formula, pattern, compilation, program, device, method, technique” in which Employers have taken “reasonable measures” under the circumstances to protect the secrecy of the information.

28 Misappropriation of Trade Secrets Is the information “misappropriated” if employer gives employee permission to access confidential information on his or her personal device?

29 BYOD

30 BYOD: Issues Employment issues Security risks Restrictions on employers’ ability to access and control Are the savings and efficiencies worth the costs and exposure?

31 BYOD Policy Reduce risks by: Having a clear policy in place Limiting employees entitled to use personal devices Training management on company’s right to access and employee’s reasonable expectations of privacy Segregate personal and work data where possible Prohibiting circumventing or disabling security features

32 BYOD Policy Components No expectation of privacy in the workplace Prohibit sharing of devices Must report lost or stolen devices Prohibit use of cloud-based storage of proprietary data Obtain employee consent to monitoring Obtaion employee consent to remote wiping Instruction to employee to preserve data

33 Other Policies Implicated by BYOD Electronic Communications/Social Media Confidentiality Code of Conduct Return of Company Property Intellectual Property EEO & Harassment Recording Time and Overtime Leaves of Absence Workplace Safety

34 Other Practices Implicated by BYOD Employment Agreements Non-competition and Non-solicitation Agreements Separation Agreements Independent Contractor Agreements Records Management and Retention Litigation Holds

35 Do You Have a Cyber Security Strategy? Collection and management personally identifiable information Design and implementation of effective security means Training of supervisors and employees Review contractors and vendors Monitoring compliance Development of breach response procedures

36 Comprehensive Security Environment On Boarding Periodic Reminders Sunset Passwords Confidentiality Acknowledgements Restrict Storage Exit Strategies

37 Compliance Strategy Understand the legal environment Survey the risk landscape Assess the benefit of cyber insurance Prepare for the inevitable data breach Organize data security teams − IT − Legal − Communications −Human Resources

38 Do Not Simply REACT Review Your P olicies Monitor the Cyber R isks Foster an O rganizational Commitment to Security Conduct Regular A udits Understand the Legal C ompliance Environment Train Your T eam Members

39 Questions & Answers

40 Ryan Bowers Bob Ludolph


Download ppt "Ryan Bowers and Bob Ludolph  Pepper Hamilton LLP Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace."

Similar presentations


Ads by Google