TRANSCRIPT
© Shipman & Goodwin LLP 2016. All rights reserved.
William J. Roberts, Esq.
June 15, 2016
Managing HIPAA Data Breaches
Agenda
• What are the Risks of a Breach?
• Identifying Internal Threats
• Identifying External Threats
• Responding to a Data Breach
Data Breaches by the Numbers
$6.5 million – average cost of a data breach
11% – increase in cost between 2014 and 2015
$217 – average cost per lost or stolen record
112 million – number of individuals (U.S. only) affected by a healthcare data breach in 2015
432 million – number of hacked accounts (U.S. only) in 2014
Sources: (1) 2015 Cost of Data Breach Study: United States, Ponemon Institute Research; (2) Data Breaches In Healthcare Totaled Over 112 Million Records In 2015, Forbes, 12/31/2015
Data Breaches
• Breaches are increasing in sophistication, frequency and severity
• Healthcare is a primary target of breach activity and is subject to heightened government scrutiny and enforcement
• Threats can be categorized in two ways:
  - External
  - Internal
Identifying Internal Threats
• Insider threats are twofold:
  - “Malicious Insider” – wishes to do harm to the company
    - Can be employee theft for personal or business gain
    - Terminated employees taking data
    - Accessing data outside the scope of employment
    - Employees purposely misusing data
Identifying Internal Threats
• Insider threats are twofold:
  - “Careless” or “Negligent” Insider
    - No ill will, but through carelessness, negligence or lack of training, creates openings for data loss
    - Study: “The Human Factor in Data Protection” (http://www.ponemon.org/local/upload/file/The_Human_Factor_in_data_Protection_WP_FINAL.pdf)
    - Employees are likely the greatest threat to PHI
    - Includes lost files, laptops, mobile devices
Identifying External Threats
• External threats take two forms –
  - An attack on your information systems or the theft of physical files, or
  - An attempt to trick an employee to divulge sensitive information
Cybersecurity – The Stats
Average annual number of cybersecurity incidents: 80 to 90 million
Increase in cybersecurity incidents from 2014–2015: 38%
Projected global cost of cyber attacks in 2019: 2.1 trillion US dollars
Source: http://expandedramblings.com/index.php/cybersecurity-statistics/
It’s Phishing Season!
• “Phishing” is an attempt to use email to trick a recipient into disclosing personal information, such as financial account information
• We are seeing increased sophistication and volume of attempts
https://blog.cyveillance.com/cyveillance-phishing-report-top-targets-june-22-2015/
Masquerading
• “Masquerading” is a scam in which the perpetrator assumes the identity of a known, trusted colleague to trick the colleague into taking some action, often sending employee or financial data or wiring funds
A Ransom for Your Data
• A ransomware attack is one in which a perpetrator assumes control of your data and will not release it until payment is made (or threatens to further disclose it unless payment is made)
• Payment is often requested in bitcoin
You’ve Been Hacked
• Hacking attempts are increasingly common in all industry sectors
• Healthcare, education, government, retail and finance are the most popular targets
• Small entities are just as likely (if not more likely) to be targets as large, well-known corporations
Source: Indianapolis Star, 12/15/14
Responding to a Data Breach
• Discovery
• Investigation
• Notification(s)
• Mitigation
• Damage Control
Discovery
• Reporting Structure:
  - Incident notification policy
  - Employee/staff training
  - Culture of transparency, not fear
  - Consider mock breaches
• Need to have a breach response plan in place to guide response. Consider:
  - The Right Team: IT, compliance, HR, patient/public relations, legal counsel
  - Back-ups for each key, responsible individual (e.g. leave, vacation)
Investigation
• The covered entity must investigate the report of the breach without delay
  - Attorney-client privilege is vital to protect your interests
  - Have external resources lined up ahead of time: PR, forensic IT, law enforcement contacts, external counsel
  - Only involve the necessary parties – confidentiality is important
Notification to Individuals
• Rule: Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information
  - Notice must be written and sent by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically
  - Notice must be provided without unreasonable delay and in no case later than 60 days following discovery
  - Notice must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information
Notification to Individuals
• Consider:
  - Develop communication lines – toll-free number, email, postal address
  - Who will respond to inquiries? Internal resources sufficient or call center needed?
  - FAQs
  - Language and disability concerns?
  - Minors?
  - Decedents?
  - Can you handle the communications in-house?
Substitute Notice
• Rule: Insufficient or out-of-date contact information for:
  - 10 or more individuals – the covered entity must provide substitute notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside
    - Must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach
  - Fewer than 10 individuals – the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means
Notification to the Media
• Rule: Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets
  - Often in the form of a press release
  - Without unreasonable delay and in no case later than 60 days following discovery
  - Must include the same information required for the individual notice
• Consider:
  - PR professional assistance
  - Media talking points
  - Media point person – who speaks for your organization (and who does not)
  - Controlling the message / coordinating with employees
  - Be cognizant of media leaks / stealth inquiries
Notification to HHS
• Rule: Covered entities must notify HHS by submitting a breach report form online
  - 500 or more individuals: covered entities must notify HHS without unreasonable delay and in no case later than 60 days following a breach
  - Fewer than 500 individuals: the covered entity may notify HHS of such breaches on an annual basis, due to HHS no later than 60 days after the end of the calendar year in which the breaches are discovered
• Consider:
  - Accuracy is vital
  - Summary statement may have significant consequences
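The individual, substitute, media and HHS notification rules on the preceding slides form a small decision procedure that a breach response team usually wants written down as dated action items rather than remembered under pressure. The following Python is an added example, not part of the presentation and not any regulator's or vendor's tool: it encodes the thresholds exactly as the slides state them (60 days from discovery for individual, media and immediate HHS notice; 10 or more unreachable individuals for the website/media form of substitute notice; more than 500 residents of one state for media notice; 500 or more individuals for an immediate HHS report, otherwise an annual log due 60 days after the calendar year ends). The function and field names (`Breach`, `notification_plan`, `checklist`, `plan_for`) are the example's own, the sample breach figures are constructed, and it assumes day counts are plain calendar days from the discovery date.

```python
"""Breach-notification checklist generator (added example, not from the presentation)."""
from dataclasses import dataclass
from datetime import date, timedelta

OUTER_DEADLINE_DAYS = 60          # "in no case later than 60 days following discovery"
SUBSTITUTE_NOTICE_THRESHOLD = 10  # 10 or more individuals with bad contact info
MEDIA_THRESHOLD = 500             # MORE than 500 residents of one state/jurisdiction
HHS_IMMEDIATE_THRESHOLD = 500     # 500 or more individuals -> immediate HHS report


@dataclass
class Breach:
    discovered: date          # date the covered entity discovered the breach
    affected_by_state: dict   # state/jurisdiction -> number of affected residents
    bad_contact_info: int = 0  # individuals with insufficient or out-of-date contact info

    @property
    def affected_total(self) -> int:
        return sum(self.affected_by_state.values())


def notification_plan(breach: Breach) -> dict:
    """Return the notification obligations and outer (calendar-day) deadlines."""
    outer = breach.discovered + timedelta(days=OUTER_DEADLINE_DAYS)
    plan = {"individual_notice_deadline": outer}

    # Substitute notice depends on how many individuals cannot be reached by mail/e-mail.
    if breach.bad_contact_info >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan["substitute_notice"] = ("website home page for 90 days or major print/broadcast "
                                     "media, plus a toll-free number active for 90 days")
    elif breach.bad_contact_info > 0:
        plan["substitute_notice"] = "alternative written notice, telephone, or other means"
    else:
        plan["substitute_notice"] = None

    # Media notice is assessed per state/jurisdiction and needs MORE than 500 residents.
    plan["media_notice_states"] = sorted(
        state for state, n in breach.affected_by_state.items() if n > MEDIA_THRESHOLD)
    plan["media_notice_deadline"] = outer if plan["media_notice_states"] else None

    # HHS notice: immediate report for 500 or more individuals, otherwise the annual log.
    if breach.affected_total >= HHS_IMMEDIATE_THRESHOLD:
        plan["hhs_notice"] = "report without unreasonable delay"
        plan["hhs_deadline"] = outer
    else:
        year_end = date(breach.discovered.year, 12, 31)
        plan["hhs_notice"] = "annual log"
        plan["hhs_deadline"] = year_end + timedelta(days=OUTER_DEADLINE_DAYS)
    return plan


def plan_for(discovered_iso: str, affected_by_state: dict, bad_contact_info: int = 0) -> dict:
    """Convenience wrapper taking the discovery date as an ISO string (YYYY-MM-DD)."""
    return notification_plan(Breach(date.fromisoformat(discovered_iso),
                                    affected_by_state, bad_contact_info))


def checklist(breach: Breach) -> list:
    """Render the plan as dated action items a response team can track."""
    plan = notification_plan(breach)
    items = ["Individual notice (first-class mail / opted-in e-mail) by "
             f"{plan['individual_notice_deadline']}"]
    if plan["substitute_notice"]:
        items.append(f"Substitute notice: {plan['substitute_notice']}")
    for state in plan["media_notice_states"]:
        items.append(f"Media notice for {state} by {plan['media_notice_deadline']}")
    items.append(f"HHS {plan['hhs_notice']} by {plan['hhs_deadline']}")
    return items


if __name__ == "__main__":
    # Constructed sample: 700 CT residents and 500 NY residents affected,
    # 25 individuals with undeliverable contact information.
    sample = Breach(date(2016, 6, 15), {"CT": 700, "NY": 500}, bad_contact_info=25)
    for line in checklist(sample):
        print(line)
```

Note that NY in the sample, at exactly 500 residents, does not trigger media notice, because the slide's media rule says "more than 500", whereas the HHS rule says "500 or more"; keeping the two comparisons distinct in code is exactly the kind of detail that gets lost when the rules are applied from memory.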
Other Notification Obligations?
• Depending upon your sector, contractual arrangements or location, consider the following additional notifications that may be necessary:
  - State Attorney General(s)
  - State regulatory agencies (e.g. Departments of Health, Insurance or Consumer Protection)
  - Business partners (e.g. HIEs, affiliates)
  - Departments of Education (state and federal)
  - Political stakeholders (esp. if governmental entity)
  - Funders (look to grants, donors)
  - Employees (e.g. email, Intranet posting)
Thoughts on BA Breaches
• At times, a breach is caused by or occurs at your business associate. When planning for and responding to such a breach, consider:
  - BAA reporting, cooperation, mitigation and liability issues – is the BAA your friend or foe?
  - Who should notify?
  - Control of messaging
Mitigation
• Rule: A covered entity must take reasonable steps to mitigate harm to individuals caused by the breach
  - HIPAA is light on specifics but state laws are now mandating certain measures
• Consider:
  - What information can you provide to affected parties?
  - Credit monitoring – when? Required by law?
  - Credit counseling, identity theft recovery services
  - Identity theft insurance
Damage Control
• A data breach may inflict significant financial, operational and reputational costs on a company. Employee morale and confidence may also suffer. Develop a plan for:
  - Responding to questions and concerns from current and former employees, patients or customers
  - Handling inquiries from relevant business partners
  - Managing the company’s reputation in the business and consumer communities
Legal Risks
• Lawsuits Can and Will Come from Six Sources:
  - Consumers
  - Insurers
  - Financial Institutions
  - Shareholders
  - Employees
  - Government
Government Enforcement
• A HIPAA breach may result in enforcement actions from state attorneys general and the HHS Office for Civil Rights (OCR)
• In some instances, other enforcement agencies, including consumer protection, health, education or insurance departments, may have jurisdiction
  - Key – a HIPAA breach often violates other state and federal laws, meaning more opportunities for enforcement
Legal Risks and Government Enforcement
• Need to prepare for the following from “Day One”:
  - OCR investigation and enforcement action
  - Attorney General investigation and enforcement action
  - Lawsuits from patients, customers, business partners
• Everything you do, from preparing for the breach to your response to it, is in preparation for these enforcement actions and lawsuits
Penalties
• Recent changes to the law have significantly increased the penalties for violating HIPAA:
  - Four tiers of civil monetary penalties ranging from $100 per violation to $1.5 million per violation
  - Criminal penalties: up to $250,000 in fines and up to 10 years in prison
• Both the covered entity and individual employees can be penalized for violating HIPAA
• Breaches may also result in costly consent orders or corrective action plans, lawsuits, and additional penalties from state enforcement actions
Learn from Others
• In 2014, New York-Presbyterian Hospital and Columbia University entered into a settlement for $4.8M for failing to secure patient info
• Gov’t concluded the companies:
  - Lacked technical safeguards
  - Failed to conduct accurate risk analyses
  - Failed to develop adequate risk management plans to address potential security threats
Questions + Contact Information
William J. Roberts, Chair, Privacy + Data Protection
Tel: [email protected]
Source: The New Yorker, Sept. 8, 2015
“Bad news, captain. The ship’s computer has been sharing all our personal data with the Romulans.”
© 2007-2016
Need Help With HIPAA Compliance?
855-85-HIPAA www.compliancygroup.com
§ The Guard • Total Compliance Solution • Simple • Cost-effective • Compliance with Confidence
§ Support – We work with you • Compliance Coaching • HIPAA Hotline • Education • Culture of Compliance
§ Contact Us • 855 85 HIPAA (855-854-4722) • www.CompliancyGroup.com
[Graphic labels: Incident Management; Audits (SRA (Security Risk Assessment), Administrative, Privacy); Remediation Plans; Policies, Procedures & Training; Business Associate Management; Document Version; Employee Attestation & Tracking]