Are Your Secrets Safe? Cyber Security In Today’s Healthcare Workplace
Ryan Bowers and Bob Ludolph, Pepper Hamilton LLP
Ryan Bowers
Privacy, Security and Data Protection Practice Group
Focus on technology law, IP transactions, software licensing
Companies of all sizes - startups through established tech companies
In-house counsel and software company experience
Robert Ludolph
Labor and Employment Practice Group
Supervises investigations of misappropriated proprietary and personal information
Advises on employment discrimination, executive agreements and ERISA issues
Drafts non-competition and non-solicitation agreements
What’s the Big Deal
Data breaches are becoming more prevalent and costly.
Laws are in a state of flux.
HIPAA adds extra requirements and consequences.
New technologies present new and varied problems.
Amount and transmission of data is increasing at unprecedented rates!
Data – New Hardware
Google Glass
Health wearables
Apple Healthkit
Google Fit
Pill Scanning Technology
Data – Wearables
Global Wearable Medical Device Market:
− $2.0B in 2012
− $5.8B in 2019
Applications:
− Heart Rate and Vitals
− Activity Monitors
− ECG, EEG, EMG
− Baby Monitoring
− Diabetes
Data – Explosion of Health IT Startups
Medical records and imaging
Tele-medicine
Off-shore transcription
Physician collaboration
Clinical trials
Post-discharge patient monitoring
Physician-only social networking
FICO scores for health?
Data – What could go wrong?
Data accuracy
Standard of care
Trust in startups and third party software
Physician learning curve
Privacy
Data Security and Data Breaches!
Target Breach
Hacked via vendor - refrigeration contractor
Information of 110 Million people compromised
$61 million in hacking-related expenses
VP Technology / CIO / CEO resigns
Community Health Systems Breach
Data from 5.4M patients, including social security numbers
Cost: $75-$150M
Class action filed immediately
Hackers used the Heartbleed bug to access VPN credentials
CHS used a lot of open source or free security software
Bug reported in April – records still being stolen in June
Community Health Systems Breach
FBI:
− “Health care providers typically do not use the same high levels of security technology as companies in other industries.”
− Health care providers and payers could be targeted
− Health Information Exchanges may be particularly tempting for hackers
HIPAA Concerns
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
HIPAA Concerns
“Individually identifiable health information” is information, including demographic data, that relates to:
− the individual’s past, present or future physical or mental health or condition,
− the provision of health care to the individual, or
− the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
HIPAA Violation Penalties – ‘Nuff said!
HIPAA Violation | Minimum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation; annual maximum for repeat violations $25,000
HIPAA violation due to reasonable cause but not due to willful neglect | $1,000 per violation; annual maximum $100,000
HIPAA violation due to willful neglect but violation is corrected within required time | $10,000 per violation; annual maximum $250,000
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation; annual maximum of $1.5 million
Cyber Threats
Anonymous hackers?
Employee Practices
Recent Study
63% of employees use personal for sensitive work documents
− 74% believe that their companies approve!
63% use remote storage (USB) for work files
45% use sites like Dropbox and Box to share sensitive business information
30% use cloud storage for work-related files
Reasons
52% Convenience over company system
18% Mobile access
Practical Steps Companies Must Take
1. Preparation
2. Detection
3. Analysis and Prioritization
4. Investigation and Mitigation
5. Notification
− 47 different statutes!
− Time frames critical
6. Post-incident activity
How to Prepare
“Failing to prepare is preparing to fail.”
John Wooden
How to Prepare
Know Your Data!
Nature of data (encrypted?)
Flow of data (online connectivity? Cloud?)
Location of data / users
Ownership v. License
Open Source?
Access
How to Prepare
Set up Response Team
Assess the environment
Train for the attack and counterattack
BYOD: Definition
Bring Your Own Device
Permitting employees to bring personally-owned mobile devices (laptops, tablets, and smart phones) to their workplace, and
Defining the use of those devices to access confidential proprietary information and applications.
BYOD: Statistics
80% of employees presently use personal technology for business purposes.
By 2017, 50% of US employers will stop providing devices to employees.
BYOD: Why?
Cost reduction
Employee freedom of choice
Increased productivity and responsiveness
Innovation and collaboration
Only Two Kinds of Companies
54% of organizations have had 5 or more data breach incidents involving a mobile device containing regulated data in the past two years.
On average, 6,000 records were lost or stolen in each such data breach.
Trade Secret Issues
Trade Secret: Any “formula, pattern, compilation, program, device, method, technique” in which Employers have taken “reasonable measures” under the circumstances to protect the secrecy of the information.
Misappropriation of Trade Secrets
Is the information “misappropriated” if employer gives employee permission to access confidential information on his or her personal device?
BYOD: Issues
Employment issues
Security risks
Restrictions on employers’ ability to access and control
Are the savings and efficiencies worth the costs and exposure?
BYOD Policy
Reduce risks by:
− Having a clear policy in place
− Limiting employees entitled to use personal devices
− Training management on company’s right to access and employee’s reasonable expectations of privacy
− Segregating personal and work data where possible
− Prohibiting circumventing or disabling security features
BYOD Policy Components
No expectation of privacy in the workplace
Prohibit sharing of devices
Must report lost or stolen devices
Prohibit use of cloud-based storage of proprietary data
Obtain employee consent to monitoring
Obtain employee consent to remote wiping
Instruction to employee to preserve data
Other Policies Implicated by BYOD
Electronic Communications/Social Media
Confidentiality
Code of Conduct
Return of Company Property
Intellectual Property
EEO & Harassment
Recording Time and Overtime
Leaves of Absence
Workplace Safety
Other Practices Implicated by BYOD
Employment Agreements
Non-competition and Non-solicitation Agreements
Separation Agreements
Independent Contractor Agreements
Records Management and Retention
Litigation Holds
Do You Have a Cyber Security Strategy?
Collection and management of personally identifiable information
Design and implementation of effective security means
Training of supervisors and employees
Review contractors and vendors
Monitoring compliance
Development of breach response procedures
Compliance Strategy
Understand the legal environment
Survey the risk landscape
Assess the benefit of cyber insurance
Prepare for the inevitable data breach
Organize data security teams
− IT
− Legal
− Communications
− Human Resources
Do Not Simply REACT
Review Your Policies
Monitor the Cyber Risks
Foster an Organizational Commitment to Security
Conduct Regular Audits
Understand the Legal Compliance Environment
Train Your Team Members