TRANSCRIPT
The opinions expressed in this presentation are those of the speakers. The International Foundation disclaims responsibility for views expressed and statements made by the program speakers.
Fraud in Your Health Plan—You’ve Got it
William J. Einhorn, Trustee, Pennsylvania Employee Benefits Trust Fund; Teamsters Health and Welfare and Pension Trust Funds of Philadelphia and Vicinity; Administrative Consultant, Wayne, Pennsylvania
John C. Garner, CEBS, GBA, RPA, CFCI, CLU, CMC, Chief Compliance Officer, Bolton & Company, Pasadena, California
Linda K. Vincent, R.N., P.I., CITRMS, Principal, Vincent & Associates/Affiliated Health Funds, San Pedro, California
H20-1
Today’s Plan
• Identity and medical identity fraud
• Cyberhacking
• Dealing with data breaches
• Securing mobile devices—who’s responsible
• Areas of greatest risk and effective controls
• Cyberliability insurance vs. other fund coverages
H20-2
Identity Fraud
• Loss of personal information
– Names, addresses, date of birth
– Employment information
– Social Security numbers
– Driver’s license or credit cards
– Banking information
H20-3
How the Information Is Stolen
• Dumpster diving
• Mail theft
• Check washing
• Stolen wallets
• Telephone and e-mail scams
• Obtaining deceased people’s information
• Loss of mobile devices
• Use of “free” wi-fi hotspots
H20-4
Medical Identity Theft
• Loss of individual health care information
– Divorce
• Loss of provider information
– Employee errors
• Loss of hospital data
– Ransomware
• Loss of health care provider information
H20-5
Medical Identity Fraud
• Fraudulently procure medical services
• Improperly acquire prescription drugs
• Submit fake billings to Medicare or private insurers
• Obtain expensive medical equipment
H20-6
The Impact
• Death
• Medical records in shambles
– HIPAA is not your friend
• Physical harm
• Credit issues
• Fund liability
• Inability to keep their jobs (e.g., drivers)
H20-7
It May Have Already Happened to You . . .
• The case of the bountiful bunion . . .
– The sister who needed the surgery
• Straightening out the dubious dependent, his teeth, that is . . .
– Hey, I’ve got some great orthodontic coverage for kids . . .
H20-8
Cyberhacking—Just What Is It
• Attacks through computer networks
• Employee errors
• Insider collusion
• Lack of bring-your-own-device (BYOD) policies
• Lack of two-factor authentication
• Loss of laptops, thumb drives, etc.
H20-9
Cyberhacking
• Currently 94% of providers have been compromised each year
– Now 41% of hospitals have more than 10 breaches/yr
– VA lost 26 million files
– Blue Cross lost 80 million files
– 24% of victims have true identity fraud issues
H20-10
Cyberhacking Dangers
• Data loss: names, DoB, Social Security numbers, credit card accounts and numbers, health care information
• A breach of plan data is harder to detect than a credit card breach: fraudulent charges surface quickly, while misuse of medical identity can go unnoticed for years
• Medical files hold more information, have a longer “shelf life” and are more valuable
– The “Dark Web” pays 10-20 times more for medical information than for credit card data
• Wikipedia: The dark web is the World Wide Web content that exists on darknets, overlay networks which use the public Internet but which require specific software, configurations or authorization to access. The dark web forms a small part of the deep web, the part of the Web not indexed by search engines.
• Consider who is maintaining data, and how it’s protected
H20-11
Cyberhacking/Ransomware
• Ransomware blocks access to your files and systems
• Allows no access until you pay
• Two types
– Encrypting: encrypts your files with a cryptographic algorithm and withholds the decryption key until you pay up
– Lockers: locks you out of the system; pay or no access
• Ransom is usually demanded in Bitcoin
– If you don’t pay within the specified period, the ransom may double, or you may never regain access
– Paying does not guarantee a working decryption key; tested, offline backups are the real recovery plan
– Bitcoin (CNN Money): a currency that was created in 2009 by an unknown person using the alias Satoshi Nakamoto. Transactions are made with no middle men—meaning, no banks! There are no transaction fees and no need to give your real name.
H20-12
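Encrypting ransomware leaves a signature that a file-activity monitor can catch: one process rewrites many files in a short time, and the new contents look like random bytes. The following is an added example, not part of the presentation, that runs that detection logic over constructed file write events (in a real deployment the events would come from an EDR agent or file audit log). The process names, paths, thresholds and the canary (decoy) file path are assumptions made for the illustration.

```python
"""Detect encrypting-ransomware behaviour in file write events.

Added example, not from the presentation. The events below are constructed
in memory; in production they would come from an EDR agent or file audit log.
Process names, paths and thresholds are assumptions for illustration.
"""
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0     # bits per byte; ciphertext approaches 8, text is ~4-5
BURST_FILES = 5             # distinct high-entropy rewrites per process ...
WINDOW_SECONDS = 60         # ... within this many seconds
CANARY_PATHS = {"/shares/claims/~aaa_do_not_open.docx"}   # decoy nobody should write


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_ransomware(events):
    """events: iterable of (timestamp_seconds, process, path, new_content).

    Returns a list of (process, reason) alerts. Two rules:
      1. any write to a canary file;
      2. >= BURST_FILES distinct files rewritten with high-entropy content by
         one process inside a WINDOW_SECONDS sliding window.
    """
    alerts = []
    high_entropy = defaultdict(list)          # process -> [(ts, path)]
    for ts, proc, path, content in events:
        if path in CANARY_PATHS:
            alerts.append((proc, f"canary file modified: {path}"))
        if shannon_entropy(content) >= ENTROPY_THRESHOLD:
            high_entropy[proc].append((ts, path))

    for proc, hits in high_entropy.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) >= BURST_FILES:
                alerts.append((proc, f"{len(distinct)} high-entropy rewrites "
                                     f"within {WINDOW_SECONDS}s"))
                break                          # one alert per process is enough
    return alerts


# Constructed stand-ins for file contents: plain text vs. "ciphertext".
PLAINTEXT = b"Claim 2016-0042 for member J. Smith, DOB 1970-01-01, proc 99213\n" * 4
CIPHERTEXT = bytes(range(256)) * 4          # every byte value equally often: entropy 8.0

SAMPLE_EVENTS = [
    # a user saving ordinary documents
    (100, "winword.exe", "/shares/claims/claim_0042.docx", PLAINTEXT),
    (160, "winword.exe", "/shares/claims/claim_0043.docx", PLAINTEXT),
    # backup tool writing one compressed archive: high entropy, but a single file
    (200, "backup.exe", "/backups/claims-2016.zip", CIPHERTEXT),
    # ransomware rewriting six files in under a minute, including the canary
    (300, "svchost32.exe", "/shares/claims/claim_0001.docx.locked", CIPHERTEXT),
    (301, "svchost32.exe", "/shares/claims/claim_0002.docx.locked", CIPHERTEXT),
    (302, "svchost32.exe", "/shares/claims/claim_0003.docx.locked", CIPHERTEXT),
    (303, "svchost32.exe", "/shares/claims/~aaa_do_not_open.docx", CIPHERTEXT),
    (304, "svchost32.exe", "/shares/claims/claim_0004.docx.locked", CIPHERTEXT),
    (305, "svchost32.exe", "/shares/claims/claim_0005.docx.locked", CIPHERTEXT),
]

if __name__ == "__main__":
    for proc, reason in detect_ransomware(SAMPLE_EVENTS):
        print(f"ALERT {proc}: {reason}")
```

The single compressed backup archive is high-entropy too, which is why the rule requires a burst of distinct files from one process rather than one suspicious write; the canary file catches the case where the burst threshold is tuned too high.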
Minimizing the Riskof a Breach or Hack
• No BYOD!
• Laptop use: restrictions on transfer or storage of PHI or other participant data
• Rules on thumb drive usage
– Tracking of data copied to thumb drives or other external media
• Biometric or password protection together with encryption on all mobile devices used in fund operations
• Remote deletion of data on lost or stolen laptops
H20-13
Oh Crap, Where’s That Laptop?
• Two relevant cases:
– “The very expensive roast beef sandwich . . .”
– “Gee, I thought I locked the laptop up . . .”
H20-14
Mobile Devices
• HHS initiative
• Online tools and practical tips
• www.HealthIT.gov/mobiledevices
• Mobile devices
– Laptops
– Tablets
– Smart phones
– Flash drives
H20-15
Mobile Devices
1. Use a password or other user authentication
2. Install and enable encryption
3. Install and activate remote wiping and/or remote disabling
4. Disable and do not install or use file sharing applications
H20-16
Mobile Devices
5. Install and enable a firewall
6. Install and enable security software
7. Keep your security software up to date
8. Research mobile applications (apps) before downloading
9. Maintain physical control
H20-17
Mobile Devices
10. Use adequate security (e.g., a VPN or TLS-protected connections) to send or receive health information over public wi-fi networks
11. Delete all stored health information before discarding or reusing the mobile device
H20-18
Dealing With a Breach
• Respond to allegations
• Provide copies of documents related to internal investigation and risk assessment
• Provide policies and procedures regarding PHI uses, safeguards and disclosure
• Provide business associate agreements
H20-19
Dealing With a Data Breach (continued)
• Provide documents of network scans or testing
• Provide access management policy
• Provide security awareness and training materials
• Give evidence of anti-virus software, access controls, password management
H20-20
Striking a Balance on Security
[Chart: Cost of Security (vertical axis) against Security Level, Low to High (horizontal axis); curves labelled Exposure and Security, with the point marked Balance]
H20-21
Key Principles
• Scalability and flexibility
– No two entities will implement the requirements exactly the same way
– No specific technologies mandated
– Implementation should fit your organization
• Resources
• Document your decision-making
H20-22
Administrative Safeguards
(HIPAA Security Rule implementation specifications: (R) = required; (A) = addressable, i.e., implement it, or document why it is not reasonable and appropriate for your organization and what equivalent measure you use instead)
• Security management process
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)
• Assigned security responsibility (R)
• Workforce security
– Authorization and/or supervision (A)
H20-23
Administrative Safeguards
• Workforce security (continued)
– Workforce clearance procedure (A)
– Termination procedure (A)
• Information access management
– Isolating health care clearinghouse function (R)
– Access authorization (A)
– Access establishment and modification (A)
H20-24
Administrative Safeguards
• Security awareness and training
– Security reminders (A)
– Protection from malicious software (A)
– Log-in monitoring (A)
– Password management (A)
• Security incident procedures
– Response and reporting (R)
H20-25
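Three of the specifications above (information system activity review, termination procedure, log-in monitoring) come together in routine review of authentication logs: does anyone on the terminated list still log in, is a password being guessed, and is anything happening at odd hours? The following is an added example, not part of the presentation, that runs those checks over constructed log lines. The log format, application name, user names, IP addresses, terminated-user list and thresholds are all assumptions; a real review would read the application's or directory service's own log format.

```python
"""Log-in monitoring and information system activity review over auth logs.

Added example, not from the presentation. The log lines, user names and the
terminated-user list are constructed; the syslog-like line format is an
assumption for illustration, not any product's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                   # failed log-ins for one user ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... within this window -> password guessing
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local; a success outside is flagged

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) claimsapp auth: "
    r"(?P<outcome>SUCCESS|FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def review_auth_log(lines, terminated_users):
    """Return a list of (rule, user, detail) findings.

    Rules:
      terminated_login  - any SUCCESS for a user on the terminated list
      password_guessing - >= FAILURE_THRESHOLD failures for one user inside FAILURE_WINDOW
      after_hours       - SUCCESS outside BUSINESS_HOURS
      unparsed_line     - a line the parser did not understand (never drop these silently)
    """
    findings = []
    failures = defaultdict(list)               # user -> [timestamps of failures]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("unparsed_line", None, line))
            continue
        if ev["outcome"] == "FAILURE":
            failures[ev["user"]].append(ev["ts"])
            continue
        where = f'{ev["ts"]} from {ev["src"]}'
        if ev["user"] in terminated_users:
            findings.append(("terminated_login", ev["user"], where))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", ev["user"], where))

    for user, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > FAILURE_WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                findings.append(("password_guessing", user,
                                 f"{end - start + 1} failures between "
                                 f"{stamps[start]} and {stamps[end]}"))
                break
    return findings


TERMINATED = {"rjones"}   # constructed: workforce member whose access should be gone

SAMPLE_LOG = """\
2016-11-01T08:02:11 claimsapp auth: SUCCESS user=jsmith src=10.1.4.22
2016-11-01T08:05:40 claimsapp auth: FAILURE user=admin src=203.0.113.7
2016-11-01T08:05:43 claimsapp auth: FAILURE user=admin src=203.0.113.7
2016-11-01T08:05:47 claimsapp auth: FAILURE user=admin src=203.0.113.7
2016-11-01T08:05:51 claimsapp auth: FAILURE user=admin src=203.0.113.7
2016-11-01T08:05:55 claimsapp auth: FAILURE user=admin src=203.0.113.7
2016-11-01T12:30:02 claimsapp auth: FAILURE user=jsmith src=10.1.4.22
2016-11-01T12:30:20 claimsapp auth: SUCCESS user=jsmith src=10.1.4.22
2016-11-01T23:14:09 claimsapp auth: SUCCESS user=rjones src=198.51.100.5
garbage line that should not be silently ignored
""".splitlines()

if __name__ == "__main__":
    for rule, user, detail in review_auth_log(SAMPLE_LOG, TERMINATED):
        print(f"{rule:18} {user or '-':8} {detail}")
```

The terminated-user check is only as good as the list fed to it, which is the point of the termination procedure: HR's leaver notice has to reach whoever runs this review, or the rule never fires.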
Administrative Safeguards
• Contingency plan
– Data backup plan (R)
– Disaster recovery plan (R)
– Emergency mode operation plan (R)
– Testing and revision procedure (A)
– Applications and data criticality analysis (A)
H20-26
Administrative Safeguards
• Evaluation (R)
• Business associate contracts and other arrangements
– Written contract or other arrangement (R)
H20-27
Physical Safeguards
• Device and media controls
– Disposal (R)
– Media re-use (R)
– Accountability (A)
– Data backup and storage (A)
H20-28
Technical Safeguards
• Access control
– Unique user identification (R)
– Emergency access procedure (R)
– Automatic logoff (A)
– Encryption and decryption (A)
• Audit controls (R)
H20-29
Technical Safeguards
• Integrity
– Mechanism to authenticate electronic protected health information (A)
• Person or entity authentication (R)
• Transmission security
– Integrity controls (A)
– Encryption (A)
H20-30
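Two of the technical safeguards above can be shown concretely: a mechanism to authenticate ePHI (detect that a record was altered outside the application) and audit controls that tie every access to a unique user ID and cannot be quietly edited afterwards. The following is an added example, not part of the presentation, that implements both with nothing beyond the Python standard library: each record carries an HMAC-SHA256 tag, and each access is appended to a hash-chained audit log. The record contents, user IDs, record IDs and the key are constructed; in practice the key would come from a key store rather than source code, and the audit log would be shipped off the host.

```python
"""Integrity mechanism for ePHI records plus tamper-evident audit controls.

Added example, not from the presentation. Record contents, user IDs and the
key are constructed; in practice the HMAC key would live in a key store, not
in source, and the audit log would be shipped off-host.
"""
import hashlib
import hmac
import json


class EphiStore:
    """In-memory record store. Each record carries an HMAC-SHA256 tag (the
    integrity mechanism); every read/write by a uniquely identified user is
    appended to a hash-chained audit log, so altering or deleting an earlier
    entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}       # record_id -> (payload_bytes, hex_tag)
        self.audit_log = []      # dict entries, each hashing its predecessor
        self._prev_hash = self.GENESIS

    def _tag(self, record_id: str, payload: bytes) -> str:
        # Bind the tag to the record ID as well as the content, so a valid
        # record cannot be copied over a different one without detection.
        return hmac.new(self._key, record_id.encode() + b"\x00" + payload,
                        hashlib.sha256).hexdigest()

    def _audit(self, user_id: str, action: str, record_id: str, outcome: str):
        entry = {"seq": len(self.audit_log), "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)

    def write(self, user_id: str, record_id: str, record: dict):
        payload = json.dumps(record, sort_keys=True).encode()
        self._records[record_id] = (payload, self._tag(record_id, payload))
        self._audit(user_id, "write", record_id, "ok")

    def read(self, user_id: str, record_id: str) -> dict:
        payload, tag = self._records[record_id]
        if not hmac.compare_digest(tag, self._tag(record_id, payload)):
            self._audit(user_id, "read", record_id, "integrity_failure")
            raise ValueError(f"integrity check failed for {record_id}")
        self._audit(user_id, "read", record_id, "ok")
        return json.loads(payload)

    def overwrite_behind_the_api(self, record_id: str, record: dict):
        """Simulates an attacker or faulty tool editing storage directly and
        leaving the old tag in place. Exists only to demonstrate detection."""
        _, tag = self._records[record_id]
        self._records[record_id] = (json.dumps(record, sort_keys=True).encode(), tag)


def verify_audit_chain(audit_log) -> bool:
    """True iff every entry hashes correctly and links to its predecessor."""
    prev = EphiStore.GENESIS
    for entry in audit_log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


def demo():
    """A write, a clean read, a tampered read, then a log check before and
    after someone edits the audit log itself."""
    store = EphiStore(b"constructed-demo-key")      # assumption: key from a key store
    store.write("jsmith", "P-1001", {"member": "J. Smith", "dx": "M20.1"})
    clean_dx = store.read("jsmith", "P-1001")["dx"]
    store.overwrite_behind_the_api("P-1001", {"member": "J. Smith", "dx": "Z00.0"})
    try:
        store.read("rjones", "P-1001")
        detected = False
    except ValueError:
        detected = True
    chain_ok = verify_audit_chain(store.audit_log)
    store.audit_log[1]["user"] = "someone_else"     # attempt to rewrite history
    return clean_dx, detected, chain_ok, verify_audit_chain(store.audit_log)


if __name__ == "__main__":
    print(demo())    # ('M20.1', True, True, False)
```

The HMAC only proves a record was last written by something holding the key; it is not encryption and does not hide the content, which is why the encryption specifications remain separate items above.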
Cyberliability Insurance
• Availability
• Great variability in coverages and exclusions
• Negotiable items
• Cost
H20-31
Cyberliability Insurance
• Generally covers
– Defense costs
– Forensic analysis
– Notification costs
• Cyberliability insurers have already researched the state breach-notification laws, have notification language ready to go, and have negotiated discounts for ID theft protection
H20-32
Online Educational Resources
• Heimdal Security ~ https://heimdalsecurity.com
• Bloomberg BNA ~ www.bna.com
• DataBreach Today ~ http://www.databreachtoday.com
• CISCO ~ www.cisco.com/c/en/us/index.html
• United States Computer Emergency Readiness Team (US-CERT) ~ https://www.us-cert.gov/ncas/alerts
• Department of Homeland Security-Cyber ~ https://www.dhs.gov/office-cybersecurity-and-communications
• American Hospital Association Solutions ~ AHA.org
H20-33
Session #H20
Fraud in Your Health Plan—You’ve Got It
• Always back up your data
• Review all business associate agreements
• Know that the greatest liability is still your employees, despite hackers
• Implement background checks
• Establish rules on laptop/thumb drive/mobile device use
• Consider cyber liability insurance
• For even more info, check out: https://www.youtube.com/watch?v=gIn2p3zkeHs#t=17 and https://www.ifebp.org/inforequest/ifebp/0200144.pdf
Website Resources
www.ifebp.org/resources/infoQuick/default/htm Records Retention Requirements for Benefit Plans (members only)
62nd Annual Employee Benefits ConferenceNovember 13-16, 2016Orlando, Florida
H20-34
2017 Educational Programs: Health and Welfare
63rd Annual Employee Benefits Conference, October 22-25, 2017, Las Vegas, Nevada, www.ifebp.org/usannual
Certificate Series, February 27-March 4, 2017, Lake Buena Vista (Orlando), Florida; July 24-29, 2017, Denver, Colorado, www.ifebp.org/certificateseries
Health Care Management Conference, May 1-3, 2017, New Orleans, Louisiana, www.ifebp.org/healthcare
Certificate of Achievement in Public Plan Policy (CAPPP®): Part I and Part II, June 13-16, 2017, San Jose, California; Part II Only, October 21-22, 2017, Las Vegas, Nevada, www.ifebp.org/cappp
Related Reading: Visit one of the on-site Bookstore locations or see www.ifebp.org/bookstore for more books.
Self-Funding Health Benefit Plans, Item #7563, www.ifebp.org/SelfFunding
H20-35