Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ryan Bowers and Bob Ludolph  Pepper Hamilton LLP Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace.

Published byJaylin Baham Modified over 9 years ago

Similar presentations

Presentation on theme: "Ryan Bowers and Bob Ludolph  Pepper Hamilton LLP Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace."— Presentation transcript:

1 Ryan Bowers and Bob Ludolph  Pepper Hamilton LLP Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace

2 Ryan Bowers 248.359.7745 bowersr@pepperlaw.com Privacy, Security and Data Protection Practice Group Focus on technology law, IP transactions, software licensing Companies of all sizes - startups through established tech companies In-house counsel and software company experience

3 Robert Ludolph 248.359.7368 ludolphr@pepperlaw.com Labor and Employment Practice Group Supervises investigations of misappropriated proprietary and personal information Advises on employment discrimination, executive agreements and ERISA issues Drafts non-competition and non- solicitation agreements

4 What’s the Big Deal Data breaches are becoming more prevalent and costly. Laws are in a state of flux. HIPAA adds extra requirements and consequences. New technologies present new and varied problems. Amount and transmission of data is increasing at unprecedented rates!

5 Data – New Hardware Google Glass Health wearables Apple Healthkit Google Fit Pill Scanning Technology

6 Data – Wearables Global Wearable Medical Device Market: −$2.0B in 2012 −$5.8B in 2019 Applications: −Heart Rate and Vitals −Activity Monitors −ECG, EEG, EMG −Baby Monitoring −Diabetes

7 Data – Explosion of Health IT Startups Medical records and imaging Tele-medicine Off-shore transcription Physician collaboration Clinical trials Post-discharge patient monitoring Physician-only social networking FICO scores for health?

8 Data – What could go wrong? Data accuracy Standard of care Trust in startups and third party software Physician learning curve Privacy Data Security and Data Breaches!

9 Target Breach Hacked via vendor - refrigeration contractor Information of 110 Million people compromised $61 million in hacking- related expenses VP Technology / CIO / CEO resigns

10 Community Health Systems Breach Data from 5.4M patients, including social security numbers Cost: $75-$150M Class action filed immediately Hackers used the Heartbleed bug to access VPN credentials CHS used a lot of open source or free security software Bug reported in April – records still being stolen in June

11 Community Health Systems Breach FBI: −“Health care providers typically do not use the same high levels of security technology as companies in other industries.” −Health care providers and payers could be targeted −Health Information Exchanges may be particularly tempting for hackers

12 HIPAA Concerns The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

13 HIPAA Concerns Individually identifiable health information” is information, including demographic data, that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

14 HIPAA ViolationMinimum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation annual maximum for repeat violations $25,000 HIPAA violation due to reasonable cause but not due to willful neglect $1,000 per violation Annual maximum $100,000 HIPAA violation due to willful neglect but violation is corrected within required time $10,000 per violation annual maximum $250,000 HIPAA violation is due to willful neglect and is not corrected $50,000 per violation annual maximum of $1.5 million HIPAA Violation Penalties – ‘Nuff said!

15 Anonymous Hackers ? Cyber Threats

16

17 Employee Practices Recent Study 63% of employees use personal email for sensitive work documents −74% believe that their companies approve! 63% use remote storage (USB) for work files 45% use sites like Dropbox and Box to share sensitive business information 30% use cloud storage for work-related files Reasons 52% Convenience over company system 18% Mobile access

18 1.Preparation 2.Detection 3.Analysis and Prioritization 4.Investigation and Mitigation 5.Notification −47 different statutes! −Time frames critical 6.Post-incident activity Practical Steps Companies Must Take

19 How to Prepare Failing to prepare is preparing to fail. John Wooden

20 How to Prepare Know Your Data! Nature of data (encrypted?) Flow of data (online connectivity? Cloud?) Location of data / users Ownership v. License Open Source? Access

21 How to Prepare Set up Response Team Assess the environment Train for the attack and counterattack

22 Prepare For Your Next Data Breach Establish written policies and procedures to regulate compliance −Privacy Policy (data collection, sharing and retention/destruction) −Data Breach Policy −Institute a Business Continuity Plan −Bring Your Own Device (BYOD) Policy Most data breach laws have “own notification policy exception”

23 BYOD: Definition Bring Your Own Device Permitting employees to bring personally-owned mobile devices (laptops, tablets, and smart phones) to their workplace, and Defining the use of those devices to access confidential proprietary information and applications.

24 BYOD: Statistics 80% of employees presently use personal technology for business purposes. By 2017, 50% of US employers will stop providing devices to employees.

25 BYOD: Why? Cost reduction Employee freedom of choice Increased productivity and responsiveness Innovation and collaboration

26 54% of organizations have had 5 or more data breach incidents involving a mobile device containing regulated data in the past two years. On average, 6,000 records were lost or stolen in each such data breach. Only Two Kinds of Companies

27 Trade Secret Issues Trade Secret Any “formula, pattern, compilation, program, device, method, technique” in which Employers have taken “reasonable measures” under the circumstances to protect the secrecy of the information.

28 Misappropriation of Trade Secrets Is the information “misappropriated” if employer gives employee permission to access confidential information on his or her personal device?

29 BYOD

30 BYOD: Issues Employment issues Security risks Restrictions on employers’ ability to access and control Are the savings and efficiencies worth the costs and exposure?

31 BYOD Policy Reduce risks by: Having a clear policy in place Limiting employees entitled to use personal devices Training management on company’s right to access and employee’s reasonable expectations of privacy Segregate personal and work data where possible Prohibiting circumventing or disabling security features

32 BYOD Policy Components No expectation of privacy in the workplace Prohibit sharing of devices Must report lost or stolen devices Prohibit use of cloud-based storage of proprietary data Obtain employee consent to monitoring Obtaion employee consent to remote wiping Instruction to employee to preserve data

33 Other Policies Implicated by BYOD Electronic Communications/Social Media Confidentiality Code of Conduct Return of Company Property Intellectual Property EEO & Harassment Recording Time and Overtime Leaves of Absence Workplace Safety

34 Other Practices Implicated by BYOD Employment Agreements Non-competition and Non-solicitation Agreements Separation Agreements Independent Contractor Agreements Records Management and Retention Litigation Holds

35 Do You Have a Cyber Security Strategy? Collection and management personally identifiable information Design and implementation of effective security means Training of supervisors and employees Review contractors and vendors Monitoring compliance Development of breach response procedures

36 Comprehensive Security Environment On Boarding Periodic Reminders Sunset Passwords Confidentiality Acknowledgements Restrict Storage Exit Strategies

37 Compliance Strategy Understand the legal environment Survey the risk landscape Assess the benefit of cyber insurance Prepare for the inevitable data breach Organize data security teams − IT − Legal − Communications −Human Resources

38 Do Not Simply REACT Review Your P olicies Monitor the Cyber R isks Foster an O rganizational Commitment to Security Conduct Regular A udits Understand the Legal C ompliance Environment Train Your T eam Members

39 Questions & Answers

40 Ryan Bowers bowersr@pepperlaw.com 248.359.7745 Bob Ludolph ludolphr@pepperlaw.com 248.359.7368

Download ppt "Ryan Bowers and Bob Ludolph  Pepper Hamilton LLP Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace."

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics.

HIPAA and Privacy An Overview of the New Federal Requirements of the Health Insurance Portability and Accountability Act (HIPAA) Reid Cushman, UM Ethics.
Confidentiality and HIPAA

Confidentiality and HIPAA
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
Free HIPAA Training BCI Computers Free HIPAA Training (c) 2014 BCI Computers all rights reserved.

Free HIPAA Training BCI Computers Free HIPAA Training (c) 2014 BCI Computers all rights reserved.
Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.

Invasion of Smart Phones in Clinical Areas Chrissy Kyak Privacy Officer University of Maryland Upper Chesapeake Health.
© 2015 Sherman & Howard L.L.C. TO B OR NOT TO B YOD Emily Keimig, Esq. 303-299-8240

© 2015 Sherman & Howard L.L.C. TO B OR NOT TO B YOD Emily Keimig, Esq
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)

HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

Similar presentations

Ads by Google