
Page 1: Fraud in Your Health Plan—You’ve Got it - IFEBP

The opinions expressed in this presentation are those of the speaker. The International Foundation disclaims responsibility for views expressed and statements made by the program speakers.

Fraud in Your Health Plan—You’ve Got it

William J. Einhorn
Trustee
Pennsylvania Employee Benefits Trust Fund
Teamsters Health and Welfare and Pension Trust Funds of Philadelphia and Vicinity
Administrative Consultant
Wayne, Pennsylvania

John C. Garner, CEBS, GBA, RPA, CFCI, CLU, CMC
Chief Compliance Officer
Bolton & Company
Pasadena, California

Linda K. Vincent, R.N., P.I., CITRMS
Principal
Vincent & Associates/Affiliated Health Funds
San Pedro, California

H20-1


Today’s Plan

• Identity and medical identity fraud
• Cyberhacking
• Dealing with data breaches
• Securing mobile devices—who’s responsible
• Areas of greatest risk and effective controls
• Cyberliability insurance vs. other fund coverages

H20-2


Identity Fraud

• Loss of personal information
– Names, addresses, date of birth
– Employment information
– Social Security numbers
– Driver’s license or credit cards
– Banking information

H20-3


How the Information Is Stolen

• Dumpster diving
• Mail theft
• Check washing
• Stolen wallets
• Telephone and e-mail scams
• Obtaining deceased people’s information
• Loss of mobile devices
• Use of “free” wi-fi hotspots

H20-4


Medical Identity Theft

• Loss of individual health care information
– Divorce
• Loss of provider information
– Employee errors
• Loss of hospital data information
– Ransomware
• Loss of health care provider information

H20-5


Medical Identity Fraud

• Fraudulently procure medical services
• Improperly acquire prescription drugs
• Submit fake billings to Medicare or private insurers
• Obtain expensive medical equipment

H20-6


The Impact

• Death
• Medical records in shambles
– HIPAA is not your friend
• Physical harm
• Credit issues
• Fund liability
• Inability to keep their jobs (drivers)

H20-7


It May Have Already Happened to You . . .

• The case of the bountiful bunion . . .
– The sister who needed the surgery
• Straightening out the dubious dependent, his teeth, that is . . .
– Hey, I’ve got some great orthodontic coverage for kids . . .

H20-8


Cyberhacking—Just What Is It

• Attacks through computer networks
• Employee errors
• Insider collusion
• Lack of bring-your-own-device (BYOD) policies for work
• Lack of two-factor authentication
• Loss of laptops, thumb drives, etc.

H20-9


Cyberhacking

• Currently 94% of providers have been compromised each year
– Now 41% of hospitals have more than 10 breaches/yr
– VA lost 26 million files
– Blue Cross lost 80 million files
– 24% of victims have true identity fraud issues

H20-10


Cyberhacking Dangers

• Data loss—names, DoB, Social Security numbers, credit card accounts and numbers, health care information
• Difficulty lies in detection of a plan breach vs. a credit card breach
• Medical files have more info and a longer “shelf life,” and are more valuable
– The “Dark Web” gets 10-20 times more cash for medical information than for credit cards
• Wikipedia: The dark web is the World Wide Web content that exists on darknets, overlay networks which use the public Internet but which require specific software, configurations or authorization to access. The dark web forms a small part of the deep web, the part of the Web not indexed by search engines.
• Consider who is maintaining data, and how it’s protected

H20-11


Cyberhacking/Ransomware

• Ransomware will block access to your files and systems
• Allows no access until you pay
• Two types
– Encrypting: blocks the system by encrypting it with algorithms; decryption means paying up
– Lockers: locks you out; pay or no access
• Requested ransom is usually in Bitcoin
– If you don’t pay within a specific period, the ransom may double, or you may never regain access
– Bitcoin (CNN Money): a currency that was created in 2009 by an unknown person using the alias Satoshi Nakamoto. Transactions are made with no middlemen—meaning, no banks! There are no transaction fees and no need to give your real name.

H20-12


Minimizing the Risk of a Breach or Hack

• No BYOD!
• Laptop use; restrictions on transfer or storage of PHI or other participant data
• Rules on thumb drive usage
– Tracking dumps to thumb drives or other external media
• Bio-encryption, password encryption on all mobile devices used in fund operations
• Remote deletion of data on lost or stolen laptops

H20-13
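The slide above lists “tracking dumps to thumb drives or other external media” as a control but does not show what that tracking looks like. The following is an added example, not code from the presentation or from any of the speakers’ organizations: a small Python review pass over a file-transfer audit log. The log line format, the PHI share paths (/shares/claims, /shares/eligibility), the 100 MB daily limit and the user names are all constructed assumptions; in practice the input would be the transfer log your endpoint or DLP product already produces.

```python
"""Tracking dumps to thumb drives or other external media.

Added example, not part of the IFEBP presentation. The log format, the PHI
share paths and the daily volume threshold are constructed assumptions; a real
deployment would feed in the endpoint or DLP product's own transfer audit log.
"""
from collections import defaultdict

# Constructed sample of a file-transfer audit log (one transfer per line).
SAMPLE_TRANSFER_LOG = """\
2016-11-14T09:02:11 user=jdoe action=COPY src=/shares/claims/2016/batch01.csv dst=E:/batch01.csv media=removable bytes=48213
2016-11-14T09:05:40 user=jdoe action=COPY src=/home/jdoe/agenda.docx dst=E:/agenda.docx media=removable bytes=20480
2016-11-14T10:17:03 user=asmith action=COPY src=/shares/eligibility/roster.xlsx dst=/home/asmith/roster.xlsx media=fixed bytes=910000
2016-11-14T13:44:59 user=rlee action=COPY src=/home/rlee/photos.zip dst=F:/photos.zip media=removable bytes=157286400
2016-11-14T13:46:12 user=rlee action=COPY src=/home/rlee/video.mp4 dst=F:/video.mp4 media=removable bytes=52428800
"""

# Assumed policy: shares holding PHI / participant data, and the most bytes one
# user may move to removable media per day before someone has to look at it.
PHI_ROOTS = ("/shares/claims", "/shares/eligibility")
DAILY_LIMIT_BYTES = 100 * 1024 * 1024


def parse_transfer(line):
    """Turn '<timestamp> key=value ...' into a dict; the bytes field becomes an int."""
    timestamp, *pairs = line.split()
    record = {"ts": timestamp}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    record["bytes"] = int(record["bytes"])
    return record


def review_transfers(lines, phi_roots=PHI_ROOTS, daily_limit=DAILY_LIMIT_BYTES):
    """Return alerts for (a) any participant data copied to removable media and
    (b) users whose daily volume to removable media exceeds the limit."""
    alerts = []
    daily_totals = defaultdict(int)  # (user, day) -> bytes written to removable media
    for line in lines:
        if not line.strip():
            continue
        rec = parse_transfer(line)
        if rec["media"] != "removable":
            continue  # fixed and network destinations are out of scope for this check
        day = rec["ts"][:10]
        daily_totals[(rec["user"], day)] += rec["bytes"]
        if rec["src"].startswith(tuple(phi_roots)):
            alerts.append({
                "severity": "HIGH",
                "user": rec["user"],
                "reason": "participant data copied to removable media",
                "detail": f"{rec['src']} -> {rec['dst']} at {rec['ts']}",
            })
    for (user, day), total in daily_totals.items():
        if total > daily_limit:
            alerts.append({
                "severity": "MEDIUM",
                "user": user,
                "reason": "daily removable-media volume over limit",
                "detail": f"{day}: {total} bytes",
            })
    return alerts


if __name__ == "__main__":
    for alert in review_transfers(SAMPLE_TRANSFER_LOG.splitlines()):
        print(alert["severity"], alert["user"], alert["reason"], "|", alert["detail"])
```

On the constructed sample this raises one HIGH alert (a claims file copied to a thumb drive) and one MEDIUM alert (a user moving 200 MB to removable media in a day), and nothing for the copy to a fixed disk. The two rules are deliberately independent: a single small PHI file is already a reportable event regardless of volume, while a large volume of non-PHI data is worth a look even when no known PHI path is involved.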


Oh Crap, Where’s That Laptop?

• Two relevant cases:
– “The very expensive roast beef sandwich . . .”
– “Gee, I thought I locked the laptop up . . .”

H20-14


Mobile Devices

• HHS initiative
• Online tools and practical tips
• www.HealthIT.gov/mobiledevices
• Mobile devices
– Laptops
– Tablets
– Smart phones
– Flash drives

H20-15


Mobile Devices

1. Use a password or other user authentication

2. Install and enable encryption

3. Install and activate remote wiping and/or remote disabling

4. Disable and do not install or use file sharing applications

H20-16


Mobile Devices

5. Install and enable a firewall

6. Install and enable security software

7. Keep your security software up to date

8. Research mobile applications (apps) before downloading

9. Maintain physical control

H20-17


Mobile Devices

10. Use adequate security to send or receive health information over public wi-fi networks

11. Delete all stored health information before discarding or reusing the mobile device

H20-18


Dealing With a Breach

• Respond to allegations
• Provide copies of documents related to the internal investigation and risk assessment
• Provide policies and procedures regarding PHI uses, safeguards and disclosure
• Provide business associate agreements

H20-19


Dealing With a Data Breach (continued)

• Provide documents of network scans or testing
• Provide access management policy
• Provide security awareness and training materials
• Give evidence of anti-virus software, access controls, password management

H20-20


Striking a Balance on Security

[Figure: Cost of Security and Exposure plotted against Security Level (Low to High), with the Security Balance point marked.]

H20-21


Key Principles

• Scalability and flexibility
– No two entities will implement the requirements exactly the same way
– No specific technologies mandated
– Implementation should fit your organization
• Resources
• Document your decision-making

H20-22


Administrative Safeguards

(R) = required implementation specification, (A) = addressable implementation specification under the HIPAA Security Rule

• Security management process
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)
• Assigned security responsibility (R)
• Workforce security
– Authorization and/or supervision (A)

H20-23


Administrative Safeguards

• Workforce security (continued)
– Workforce clearance procedure (A)
– Termination procedure (A)
• Information access management
– Isolating health care clearinghouse function (R)
– Access authorization (A)
– Access establishment and modification (A)

H20-24


Administrative Safeguards

• Security awareness and training
– Security reminders (A)
– Protection from malicious software (A)
– Log-in monitoring (A)
– Password management (A)
• Security incident procedures
– Response and reporting (R)

H20-25
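“Log-in monitoring” and “response and reporting” sit on the same slide for a reason: the monitoring has to produce something the incident procedure can act on. The following is an added example, not code from the presentation or from any of the speakers’ organizations, showing one way to turn an authentication log into findings of two kinds: an ALERT when an account piles up failed log-ins, and a REPORT when such an account then succeeds, which the incident procedure should treat as a reportable event rather than a nuisance. The log line format, the threshold of five failures in ten minutes and the account names are constructed assumptions; a real deployment would read the application’s or directory service’s own authentication log.

```python
"""Log-in monitoring feeding security incident response and reporting.

Added example, not part of the IFEBP presentation. The log line format, the
threshold of 5 failures in 10 minutes and the sample accounts are constructed
assumptions; point it at your application's or directory's authentication log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log, one attempt per line.
SAMPLE_AUTH_LOG = """\
2016-11-14T08:58:02 user=jdoe result=FAIL src=10.1.5.20
2016-11-14T08:58:30 user=jdoe result=OK src=10.1.5.20
2016-11-14T22:01:05 user=asmith result=FAIL src=203.0.113.7
2016-11-14T22:01:09 user=asmith result=FAIL src=203.0.113.7
2016-11-14T22:01:14 user=asmith result=FAIL src=203.0.113.7
2016-11-14T22:01:20 user=asmith result=FAIL src=203.0.113.7
2016-11-14T22:01:27 user=asmith result=FAIL src=203.0.113.7
2016-11-14T22:01:33 user=asmith result=OK src=203.0.113.7
2016-11-14T22:30:00 user=rlee result=FAIL src=10.1.5.44
"""

FAIL_THRESHOLD = 5              # assumed: failures before an alert is raised
WINDOW = timedelta(minutes=10)  # assumed: sliding window in which they are counted


def parse_login(line):
    """Turn '<timestamp> key=value ...' into a dict with a datetime timestamp."""
    timestamp, *pairs = line.split()
    record = {"ts": datetime.fromisoformat(timestamp)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def monitor_logins(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return findings in time order:
    ALERT  - an account reached `threshold` failures inside `window`
    REPORT - that account then logged in successfully; the incident
             procedure should treat this as a reportable security incident."""
    recent_failures = defaultdict(deque)  # user -> timestamps of failures still in window
    flagged = set()                       # users with an open ALERT
    findings = []
    records = sorted((parse_login(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for rec in records:
        user, queue = rec["user"], recent_failures[rec["user"]]
        while queue and rec["ts"] - queue[0] > window:
            queue.popleft()  # drop failures that have aged out of the window
        if rec["result"] == "FAIL":
            queue.append(rec["ts"])
            if len(queue) >= threshold and user not in flagged:
                flagged.add(user)
                findings.append({"level": "ALERT", "user": user, "src": rec["src"],
                                 "reason": f"{len(queue)} failed log-ins within {window}"})
        else:
            if user in flagged:
                findings.append({"level": "REPORT", "user": user, "src": rec["src"],
                                 "reason": "successful log-in following a failure burst"})
            queue.clear()  # a success ends the current burst
            flagged.discard(user)
    return findings


if __name__ == "__main__":
    for finding in monitor_logins(SAMPLE_AUTH_LOG.splitlines()):
        print(finding["level"], finding["user"], finding["src"], "|", finding["reason"])
```

On the constructed sample, jdoe’s single mistyped password produces nothing, rlee’s lone failure produces nothing, and asmith produces an ALERT on the fifth failure followed by a REPORT when the sixth attempt succeeds from the same source. The ALERT is raised once per burst rather than on every further failure, so the finding list stays readable when an account is being hammered.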


Administrative Safeguards

• Contingency plan
– Data backup plan (R)
– Disaster recovery plan (R)
– Emergency mode operation plan (R)
– Testing and revision procedure (A)
– Applications and data criticality analysis (A)

H20-26
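A data backup plan is only a defense against the encrypting ransomware described earlier if the backup is actually tested, which is what the “testing and revision procedure” item covers. The following is an added example, not code from the presentation or from any of the speakers’ organizations: it records a SHA-256 manifest of a data set, then checks a copy against that manifest and reports files that are missing, changed or unexpected. The demo() routine builds a small constructed data set in a temporary directory, takes a backup, simulates an encrypting attack on the live copy, and verifies both copies; the file names and contents are made up for the illustration.

```python
"""Backup manifest and restore verification (contingency plan testing).

Added example, not part of the IFEBP presentation. All files and paths are
constructed inside a temporary directory; no real fund data is involved.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large claim extracts do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to `root` to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored (or live) tree against the manifest taken earlier."""
    result = {"ok": [], "missing": [], "changed": [], "unexpected": []}
    current = build_manifest(restored_root)
    for rel_path, expected in manifest.items():
        if rel_path not in current:
            result["missing"].append(rel_path)
        elif current[rel_path] != expected:
            result["changed"].append(rel_path)
        else:
            result["ok"].append(rel_path)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: back up, then simulate encrypting ransomware on the live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "claims").mkdir(parents=True)
        (live / "claims" / "batch01.csv").write_text("id,amount\n1,100\n")
        (live / "roster.txt").write_text("member A\nmember B\n")

        manifest = build_manifest(live)            # taken at backup time
        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)              # the offline copy

        # Simulated attack on the live tree: one file encrypted (garbled), one
        # deleted, and a ransom note dropped.
        (live / "claims" / "batch01.csv").write_bytes(b"\x00\xffgarbled")
        (live / "roster.txt").unlink()
        (live / "README_DECRYPT.txt").write_text("pay up")

        return {"live": verify_restore(manifest, live),
                "backup": verify_restore(manifest, backup)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, {k: len(v) for k, v in report.items()})
```

In the scenario the backup verifies clean while the live tree shows one changed file, one missing file and one unexpected file, which is exactly the signal a restore test should give. The manifest must be stored with the offline backup, not on the systems it describes, or an attacker who encrypts the data can rewrite the manifest too.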


Administrative Safeguards

• Evaluation (R)
• Business associate contracts and other arrangements
– Written contract or other arrangement (R)

H20-27


Physical Safeguards

• Device and media controls
– Disposal (R)
– Media re-use (R)
– Accountability (A)
– Data backup and storage (A)

H20-28


Technical Safeguards

• Access control
– Unique user identification (R)
– Emergency access procedure (R)
– Automatic logoff (A)
– Encryption and decryption (A)

• Audit controls (R)

H20-29


Technical Safeguards

• Integrity
– Mechanism to authenticate electronic protected health information (A)
• Person or entity authentication (R)
• Transmission security
– Integrity controls (A)
– Encryption (A)

H20-30


Cyberliability Insurance

• Availability
• Great variability in coverages and exclusions
• Negotiable items
• Cost

H20-31


Cyberliability Insurance

• Generally covers
– Defense costs
– Forensic analysis
– Notification costs
• Cyberliability insurance companies have already researched all the state laws, have language ready to go, and have negotiated discounts for ID theft protection

H20-32


Online Educational Resources

• Heimdal Security ~ https://heimdalsecurity.com
• Bloomberg BNA ~ www.bna.com
• DataBreach Today ~ http://www.databreachtoday.com
• CISCO ~ www.cisco.com/c/en/us/index.html
• United States Computer Emergency Team ~ https://www.us-cert.gov/ncas/alerts
• Department of Homeland Security-Cyber ~ https://www.dhs.gov/office-cybersecurity-and-communications
• American Hospital Association Solutions ~ AHA.org

H20-33


Session #H20

Fraud in Your Health Plan—You’ve Got It

• Always back up your data
• Review all business associate agreements
• Know the greatest liability is still your employees, despite hackers
• Implement background checks
• Establish rules on laptop/thumb drive/mobile device use
• Consider cyber liability insurance
• For even more info, check out: https://www.youtube.com/watch?v=gIn2p3zkeHs#t=17 and https://www.ifebp.org/inforequest/ifebp/0200144.pdf

Website Resources
www.ifebp.org/resources/infoQuick/default/htm
Records Retention Requirements for Benefit Plans (members only)


62nd Annual Employee Benefits Conference
November 13-16, 2016
Orlando, Florida

H20-34


2017 Educational Programs
Health and Welfare

63rd Annual Employee Benefits Conference
October 22-25, 2017, Las Vegas, Nevada
www.ifebp.org/usannual

Certificate Series
February 27-March 4, 2017, Lake Buena Vista (Orlando), Florida
July 24-29, 2017, Denver, Colorado
www.ifebp.org/certificateseries

Health Care Management Conference
May 1-3, 2017, New Orleans, Louisiana
www.ifebp.org/healthcare

Certificate of Achievement in Public Plan Policy (CAPPP®)
Part I and Part II, June 13-16, 2017, San Jose, California
Part II Only, October 21-22, 2017, Las Vegas, Nevada
www.ifebp.org/cappp

Related Reading
Visit one of the on-site Bookstore locations or see www.ifebp.org/bookstore for more books.

Self-Funding Health Benefit Plans
Item #7563
www.ifebp.org/SelfFunding


H20-35