
1 A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH
May 19, 2011 | State College, PA
Matthew H. Meade, Stephanie Winer-Schreiber

2 California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. :: www.buchananingersoll.com
I. HYPOTHETICAL DATA SECURITY INCIDENT
II. INVESTIGATION
III. NOTICES TO VICTIMS AND GOVERNMENT
IV. LAW ENFORCEMENT
V. SUMMARY AND RECOMMENDATIONS

3 HYPOTHETICAL INCIDENT

4
- On Monday morning you learn of the theft of a laptop from the oncology department at your hospital.
- The laptop was stolen on Saturday or Sunday. It was not physically secured, nor was the PHI on the laptop encrypted.
- There were two files of unsecured PHI on the laptop: (1) MRI images with the name of the hospital and the patient's name; (2) patient payment information including SSN and healthcare insurance number.

5
- Preserve Evidence
- Activate Breach Response Plan
- Assemble the Team

6
- Designating an Incident Response Manager who is responsible for coordinating the response to a Data Breach Incident
- Creating an obligation for employees to report Data Breach Incidents to the Incident Response Manager
- Outlining employee responsibilities in the event of a Data Breach Incident
- Ensuring prompt notice by employees
- Creating a culture of awareness and compliance through training, communication and periodic updates

7
- WHAT PHI WAS INVOLVED?
- IS THERE A REASONABLE BELIEF THAT THE PHI WAS ACCESSED OR ACQUIRED BY AN UNAUTHORIZED PERSON IN VIOLATION OF THE HIPAA PRIVACY RULE?
- DID THE IMPERMISSIBLE USE OR DISCLOSURE RESULT IN A SIGNIFICANT RISK OF FINANCIAL, REPUTATIONAL OR OTHER HARM TO INDIVIDUALS?
- DO ANY EXCEPTIONS APPLY?

8
- HOW MANY PATIENTS IMPACTED?
- WHAT IS THE STATE OF RESIDENCE OF THE VICTIMS?
- NOTIFY LAW ENFORCEMENT?

9 Based on what we know thus far, is there acquisition, access, use, or disclosure?
- Missing laptop equals unauthorized access
- Specific treatment (oncology) leads to a presumption of reputational harm
- SSN and billing information leads to a presumption of financial harm
BASED ON WHAT WE KNOW, NOTICE IS REQUIRED, BUT KEEP INVESTIGATING

10
- CONTENT -- PLAIN LANGUAGE
- CONTENT -- WHAT MUST BE INCLUDED
  - Brief description of what happened
  - Description of the type of information involved
  - Steps the victim should take to protect themselves
  - Description of investigation, efforts to mitigate harm and protect against further breaches
  - Contact procedure

11
- Breach affects 500 or more individuals: notice to HHS at the same time as victims
- Breach affects fewer than 500 people: submit to HHS within 60 days of the end of the calendar year
- Breach affects 500 or more residents of a single state: media notice is required

12
- Federal: Secret Service, FBI, DOJ; local
- Establish working relationship
- Be responsive to requests for information
- Make employees available
- Possible safe harbor in the event notice would compromise the investigation

13 You learn that a billing clerk inadvertently took the laptop home thinking it was his. When he got home and began work, he looked at the MRIs and billing information and realized he had the wrong computer. IS NOTICE REQUIRED?

14 On the way to the hospital the billing clerk stops at his local coffee shop and decides to log on to the laptop to check the weather and the stock market. After he logs on, he goes to the counter to get his coffee. When he returns he sees that a friend of his is on the computer and has switched the screen from the Internet to the MRI screens. IS NOTICE REQUIRED?

15 The employee finally brings the laptop to the hospital. The IT team conducts a forensic examination of the computer and determines that on Friday someone made a copy of the social security numbers of the patients in the billing file. IS NOTICE REQUIRED?

16 Summary and Recommendations

17
- A methodical and thorough initial investigation is critical
- Implement a comprehensive written information security policy approved by senior management or the board
- Conduct periodic assessments of known and foreseeable risks to sensitive data held by the company
- Outline and implement a security breach response plan and the forensic capability to determine which information assets have been compromised in a breach

18
- Have tools and processes designed to detect, prevent and respond to attacks and intrusions on company systems
- Inventory, encrypt and password protect remote and off-network devices used in the conduct of company business
- Designate employees who have overall responsibility for information security compliance
- Periodically train and refresh employees in the company's information security policies and their role in prevention
- Develop an organizational culture of awareness and a respect for information security safeguards

19
Matthew H. Meade, 412 562 5271, matthew.meade@bipc.com
Stephanie Winer-Schreiber, 412 392 2148, stephanie.schreiber@bipc.com

