Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security & Privacy Discussion Colorado Community Health Network April 14, 2014 Presented by: Kevin Keilbach – Client Executive – Health Care Jeff.

Published byRoger Fields Modified over 8 years ago

Similar presentations

Presentation on theme: "Network Security & Privacy Discussion Colorado Community Health Network April 14, 2014 Presented by: Kevin Keilbach – Client Executive – Health Care Jeff."— Presentation transcript:

1 Network Security & Privacy Discussion Colorado Community Health Network April 14, 2014 Presented by: Kevin Keilbach – Client Executive – Health Care Jeff Van Gulick - Executive Risk Practice Leader

2 Cyber Risk Issues around the protection of personally identifiable data are a growing concern and not a day goes by that we do not see news of some organization having a breach of that data. Questions that you should ask yourself in the event that some of the data you hold is breached, lost or stolen: Who do I contact to assess the extent of the breach? Who do I need to notify?, what state or federal agencies need to be involved? What are my legal obligations? What are the timeframes for my actions? Do I have coverage for the costs involved? These and many other questions need to be addressed in a very tight timeframe should you become aware that some or all of your patient data has been compromised. Patient Data Privacy/Cyber Insurance

3 Cyber Risk For any organization that utilizes a computer network, maintains a website, accesses the internet or stores personally identifiable information (PII) or personal health information (PHI), Network Security/Privacy or “Cyber” risks are a growing concern. Health Care organizations are one of the highest risk industries for patient data privacy claims. Cyber (Network Security / Privacy) insurance policies can be customized to protect your business from the following: Claims made by 3rd parties arising from a breach in network security that results in damage to the 3rd party’s network or data, or dissemination of private / confidential information (electronic or hard copy) Cost to respond to a security breach (notification, credit monitoring, public relations, forensics, legal expenses) Replacement of lost income due to a security breach Cost to restore the business’ own damaged / destroyed data Cost to address a cyber extortion threat Patient Data Privacy/Cyber Insurance

4 Coverages available (in any combination) to respond to the various cyber risk exposures: Network Security Liability – Coverage due to unauthorized access, theft of or destruction of data, ID theft, denial of service attack and virus transmission. Privacy 3rd Party Liability – Coverage for theft, loss or unauthorized disclosure of personally identifiable information or other 3rd party confidential information. Coverage for regulatory proceedings is also available. 1st Party Protection – Coverage for costs to comply with notification requirements of data breach laws, credit monitoring for affected parties, computer forensics, and public relations / crisis management. Media / Electronic Media Liability – Coverage for claims of personal injury and intellectual property offenses including: copyright / trademark infringement, slander, defamation, invasion of privacy. (Existence of a website creates exposure) Cyber Extortion (1st Party Protection) – Coverage for threats from hackers making demands in exchange for not bringing down computer network, disseminating or destroying data. Provides reimbursement for extortion payment and investigation costs. Cyber Business Interruption (1st Party Protection) – Coverage for financial loss suffered due to an interruption or failure on an insured's computer network resulting from a security failure. Information Asset Coverage (1st Party Protection) – Covers the cost to restore or recreate electronic data, and other information assets that are damaged by a computer attack. Patient Data Privacy/Cyber Insurance

5 Privacy / Security Laws The following laws create 1 st and 3 rd party exposures to loss as well as the possibility of regulatory proceedings / fines & penalties:  State notification laws (in all but four states: AL, KY, NM and SD)  Red Flag Rule (FTC)  MA data security  HIPAA – Health Insurance Portability & Accountability Act  HITECH – Health Information Technology For Economic & Clinical Health Act  Graham Leach Bliley  International Privacy Laws Exposure 5

6  HIPAA  Privacy Rule  The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization  Security Rule  The Security Rule defines standards, procedures and methods for protecting electronic PHI with attention to how PHI is stored, accessed, transmitted, and audited (written procedures and protocols, along with business associate agreements)  Enforcement Rule  Governs the process by which the Office of Civil Rights (OCR) investigates and resolves alleged violations of the HIPAA Privacy & Security Rules.  Omnibus Final Rule September 23, 1013, implemented most of the privacy amendments mandated by HITECH. Privacy rule also now applies to Business Associates and their contracts by 9/22/14  HITECH Act  Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates  Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates – ie. 500+ patient data records specify you must notify the media & HHS  Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements  Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods Vest limited enforcement power to the state AG  Mandates that the new security requirements must be incorporated into all Business Associate contracts  DIRECT Liability for Business Associates Exposure 6

7 Claims Discussion Highlights of Claims Findings Type of Data  PII was the most frequently exposed data 29% of breaches  PHI followed closely with 27% of breaches Cause of Loss Lost or stolen laptop/device was the most frequent cause of loss with 21% Hackers followed with 15% Business Sector Healthcare was the sector most frequently breached with 29% Financial Services followed with 15% Company Size Small-cap $300m - $2b -23% Nano-cap < $50m 22% Mega-cap >$100b companies lost the most records 46% © 2013 Net Diligence

8 Claims Discussion Highlights of Claims Findings Per Breach costs Average claim$1.3m Claim range$2.5k - $20m Median claim$242.5k Per Record costs Average per record cost$307 Median per record cost$97 Average records lost2.3m Median records lost1k Crisis services costs (forensics, notification, credit monitoring) Average cost$737k Median cost$220k Legal Costs (defense & settlement) Average cost of defense$575k Median cost of defense$7.5k Average Settlement$258k Median settlement$22.5k © 2013 Net Diligence

9 Claims Findings PII and PHI leading causes of loss Lost/stolen laptop /device Hacker & Rogue employees Leading causes of loss © 2013 Net Diligence

10 Claims Findings Healthcare overwhelming majority Nano & small cap companies lead in claims Nano & small cap companies lead in claims © 2013 Net Diligence

11 Cyber Claims Overview Privacy Claim Examples Emory Healthcare, Emory University Hospital – Emory Healthcare revealed that 10 backup discs that contained patient information are missing from a storage location at Emory University Hospital. The discs were determined to have been removed sometime between February 7, 2012, and February 20, 2012. The patient information was related to surgery and included names, Social Security numbers, diagnoses, dates of surgery, procedure codes or the name of the surgical procedures, surgeon names, anesthesiologist names, device implant information, and other protected health information. Patients treated between September of 1990 and April of 2007 were affected. Number of records breached: – 315,000 Financial impact – Undisclosed Peninsula Orthopaedic Associates – As many as 100,000 patients of Peninsula Orthopaedic Associates are being warned to protect themselves against identity theft after tapes containing patient information were stolen. Patients also were advised to keep an eye on benefits statements from their health insurance companies since they may also be at risk for medical identity theft. The records from Peninsula Orthopaedic were stolen March 25 while in transport to an off-site storage facility. Patients' personal information including their Social Security numbers, employers and health insurance plan numbers may have been among the information stolen. Number of records breached – 100,000 Financial impact – Undisclosed Pathology Group – Someone broke into a locked office building, several computers with flat screen monitors were stolen. One of those computers had patient information on about 75,000 people. This information included names, addresses, Social Security number, even medical information. Number of records breached – 75,000 Financial impact – Undisclosed 11

12 Data Breach Expenses Breach Scenario The average cost of a data breach in all sectors is $214 per record. The average cost of a data breach in the Healthcare industry is $301 per record. Of which, 34% are direct costs to respond to the breach and 66% are indirect costs, mostly comprised of the cost of lost business. 1 A breach occurs that results in the dissemination of the personally identifiable information of 25,000 patients; 100,000 patients. The following table approximates the direct expenses required to respond to the breach (data extrapolated form per record costs as published in 2010 Annual Study: U.S. Cost of a Data Breach Study, 3/2011, Ponemon Institute). Estimated Expenses – 25K Records Estimated Expenses – 100K Records Mitigation Expenses Computer Forensics / Legal Advice / Crisis Management – Public Relations $200K - $750K$1M - $2M Notification & Credit Monitoring$500K - $1.25M$3M - $5M Legal Defense Expenses to Defense Claims Brought by Breach Victims $300K - $1M$2M - $4M 12 Regulatory defense costs, fines and penalties are not contemplated in the estimates above, which may result in significant additional expenses. 1 2010 Annual Study: U.S. Cost of a Data Breach Study, 3/2011, Ponemon Institute

13 Loss Control – Security Assessment HUB has partnered with “NetDiligence”, a full-service Cyber Risk Management and Information Security Services firm based in PA. Net Diligence offers three levels of Cyber Risk Assessments and Vulnerability Testing: Level 0: Self Assessment - The Level 0 assessment allows a company to use NetDiligence's QuietAudit® online tool to evaluate its own security controls and privacy measures—a thorough, efficient way to prepare for regulator reviews or to perform general risk management housekeeping. QuietAudit® produces an online summary scorecard based on the answers to about 100 simple questions. Clients typically take about two hours to complete the questions, which focus on the ISO 27002 cyber security best practices standards associated with fourteen categories. The Level 0 executive level summary report reveals a network's strengths and vulnerabilities in a format suitable for presenting to senior management or a board of directors. It's an efficient approach to validating best practices and establishing the baseline level of due-care network security and privacy measures. First step prior to Level 1 or Level 2 assessments.QuietAudit® Level 1: Remote eRisk Security Assessment - The Level 1 assessment provides a cost-effective cyber risk security assessment and server vulnerability testing ideal for financial institutions that outsource their core bank processing, Internet banking firms, and Web hosts. This service balances the due diligence needed to gauge a client's security and privacy practices posture and the factors that might mitigate or increase cyber risks. The Level 1 assessment's deliverable includes an ISO 27002-based executive-level report that details the network's strengths, weaknesses, and vulnerabilities, along with recommendations for corrective action. Level 1 can be re- purposed to assist in maintaining or pre-qualifying for certain forms of network liability insurance. $8,000 Level 2: Comprehensive Onsite eRisk Security Assessment - The Level 2 assessment provides organizations who conduct internally managed e-commerce or Internet banking operations with a comprehensive on-site assessment and network vulnerability test. The assessment gauges an organization’s level of vigilance and compliance with federal regulations that govern the safeguarding of corporate information assets. The Level 2 assessment's deliverable includes a comprehensive findings report that addresses the outcomes associated with ISO 27002 security standards and dissects the network's strengths, weaknesses, and vulnerabilities. It also makes recommendations for corrective action. Level 1 can be re-purposed to assist in maintaining or pre-qualifying for certain forms of network liability insurance. $23,000 13

Download ppt "Network Security & Privacy Discussion Colorado Community Health Network April 14, 2014 Presented by: Kevin Keilbach – Client Executive – Health Care Jeff."

Similar presentations

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.

Copyright © 2012, Big I Advantage®, Inc., and Swiss Re Corporate Solutions. All rights reserved. (Ed. 08/12 -1) E&O RISK MANAGEMENT: MEETING THE CHALLENGE.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.

Key Changes to HIPAA from the Stimulus Bill (ARRA) Children’s Health System Department Leadership Meeting October 28, 2009 Kathleen Street Privacy Officer/Risk.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
© 2009 The McGraw-Hill Companies, Inc. All rights reserved 3-1 LEGAL AND ETHICAL ISSUES in Medical Practice, Including HIPAA PowerPoint® presentation.

© 2009 The McGraw-Hill Companies, Inc. All rights reserved 3-1 LEGAL AND ETHICAL ISSUES in Medical Practice, Including HIPAA PowerPoint® presentation.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Information Security Awareness April 13, 2003. Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.

Information Security Awareness April 13, Motivation Recent federal and state regulations and guidance Recent federal and state regulations and guidance.
Lockton Companies International Limited. Authorised and regulated by the Financial Services Authority. A Lloyd’s Broker. Protecting Your Business from.

Lockton Companies International Limited. Authorised and regulated by the Financial Services Authority. A Lloyd’s Broker. Protecting Your Business from.

Similar presentations

Ads by Google