Healthcare in the Crosshairs for Data Breaches
April 22, 2015

Presenters
Deborah Hiser (512) 703-5718 deborah.hiser@huschblackwell.com
Ana Cowan (512) 703-5791 ana.cowan@huschblackwell.com
Debbie Juhnke, IGP, CRM
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
The Kill Chain Analysis
Senate Committee on Commerce, Science, & Transportation, Staff Report, March 26, 2014
• Reconnaissance
• Phishing
• Control
• Exfiltration
The Target Aftermath:
• Over 100 civil suits
• Derivative actions
• CIO & CEO gone
Healthcare, HIPAA and Breaches
Protected Health Information: HIPAA
In any form or medium, electronic, on paper, or oral
Including demographic information that relates to:
• Individual's past, present, or future physical or mental health or condition,
• Provision of health care to individual, or
• Past, present, or future payment for health care to individual,
That identifies individual or for which there is a reasonable basis to believe can be used to identify the individual.
How do we identify a breach?
HIPAA/HITECH Requirements
• An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information
• See 45 C.F.R. 164.402
HIPAA Risk Assessment Requirements
Proactive
• Security RA Requirement
• 45 C.F.R. 164.308(a)(1)
• www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf
Reactive
• Breach RA Requirement
• 45 C.F.R. 164.402
• Determine probability of compromised PHI based on risk assessment
Top Breach Patterns for Healthcare, 2012-2014
• Miscellaneous Errors (32%)
• Privilege Misuse (26%)
• Lost/Stolen Assets (16%)
• Point of Sale (12%)
• Web Applications (9%)
Verizon 2015 Data Breach Investigations Report
Sample OCR Enforcement Cases
NY Presbyterian / Columbia U.
• $4.8 Million
• Must have process to evaluate environmental or operational change
WellPoint
• $1.7 Million
• Must use caution when making changes to information systems
Phoenix Cardiac
• $100,000
• Must ensure staff & vendors are in compliance
OCR has stated that they will investigate every reported breach
Responsibilities in the Event of a Breach
Polling Question #1
Who in your organization manages data breach response?
• Legal
• IT Department
• Privacy/Security Officer
• A cross-functional team
10 Activity Channels for Breach Response
• Security
• Legal
• Forensic
• Law Enforcement
• Regulators
• Insurance Coverage
• Public Relations
• Stakeholders
• Notifications
• Personnel Management
Polling Question #2
Does your breach response plan address these multiple channels of breach response activity?
• Yes
• No
• Unsure
Four breach scenarios mapped against the ten activity channels above (the original slides mark which channels each scenario engages):
• Inadvertent Disclosure of PII/PHI Below Thresholds
• Inadvertent Disclosure of PII/PHI Above Thresholds
• Stolen Device with PII/PHI Above Thresholds
• Hack of System with PII/PHI Above Thresholds
Breach Response Readiness
• Coordinate through Legal Counsel
• Information Gathering
• Incident Response Governance Team
• Service Provider Relationships
• Breach Response Readiness Plan
• Training
Preparation and Prevention
Preparation is Key
Conduct security risk assessment
Identify “high impact” vulnerabilities
Develop comprehensive security plan
Inventory and update all relevant policies
Identify key personnel
TRAIN, TRAIN, TRAIN
Review and update coverages
Security Risk Assessment Process
Identify
• Sources of Data
• Policies
• Workflows
• Threats
• Vulnerabilities
Assess
• Metrics
• Controls
• Security
• Probabilities
• Impacts
Act
• Prioritize Risks
• Remediate
• Document
• Assign Responsibility
Polling Question #3
How often do you do a Security Rule risk assessment?
• Every year
• Every 2 years
• More than every 2 years or "as needed"
Good Practices
You can help prevent breaches by:
Knowing where all of your information is
Validating and properly implementing security access controls
Adhering to technology standards and keeping systems patched
Encrypting PHI
Investing in appropriate tools
Ensuring every covered entity, business associate, and subcontractor has a computer security incident response capability for their organization.
Poor Practices
You do not know where your information is
You are unaware of the attack vectors for your information systems, mobile devices, applications, etc.
Security bugs exist in applications, medical devices, mobile devices
Information is stored in plain text
Employees are careless or unaware of security protection requirements
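What "Encrypting PHI" instead of storing it in plain text looks like in code, as an added example that is not part of the original presentation: a Go program that seals one record with AES-256-GCM (authenticated encryption) and binds the record identifier into the authentication tag, so a blob copied into another patient's row, or altered on disk, fails to decrypt rather than yielding the wrong or corrupted data. A stolen disk full of such blobs exposes nothing readable without the key. The key derivation, blob layout, record identifier scheme and JSON field names are constructed for the example; a real deployment pulls the key from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptRecord seals one PHI record with AES-256-GCM. The record identifier is
// bound in as associated data, so a ciphertext copied from one patient's row
// into another's fails to decrypt instead of silently returning the wrong
// patient's data. Output layout: 12-byte nonce || ciphertext || 16-byte tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, producing nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the blob, the key or the
// record ID makes Open fail, and the caller gets an error rather than garbage.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong record ID, or tampered data")
	}
	return pt, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// demoKey is a constructed key for this example only. In production the key
// comes from a KMS or HSM and is never derived from a string in source code.
func demoKey() []byte {
	sum := sha256.Sum256([]byte("example-only-key-material"))
	return sum[:]
}

func main() {
	key := demoKey()
	// Constructed sample record; the field names are assumptions, not a real EHR schema.
	record := []byte(`{"mrn":"000123","dx":"I10","note":"follow-up in 6 weeks"}`)

	blob, err := EncryptRecord(key, "patient/000123", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; whoever has the disk but not the key sees only this\n", len(blob))

	back, err := DecryptRecord(key, "patient/000123", blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %s\n", back)

	// Reusing the ciphertext under another record ID, or flipping one byte, fails closed.
	if _, err := DecryptRecord(key, "patient/000124", blob); err != nil {
		fmt.Println("swapped record ID:", err)
	}
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptRecord(key, "patient/000123", blob); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

The nonce is random per record and stored with the blob, so the same plaintext encrypts differently every time; the GCM tag covers both the ciphertext and the record ID, which is what turns a silent data-integrity failure into a hard error.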
Getting Vendors Under Control
Comply with the Security Rule
Comply with Privacy Rule disclosure limitations
Comply with contractual obligations
Require authentication
Verify levels of access
Monitor access
Eliminate single log-ons
Require security training
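One way to act on "Verify levels of access" and "Monitor access" for business-associate accounts, as an added example that is not from the original presentation: a Go check that runs an EHR audit log against each vendor account's contracted scope and reports reads outside the contracted department or hours, accounts with no scope on file (such as a shared service account nobody owns), and daily record volume beyond what the contract needs. The audit-line format, account names, scopes and log lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Scope is what a business associate's account is contracted to touch: which
// departments' records, during which UTC hours (start inclusive, end exclusive),
// and how many distinct records per day before volume alone warrants a look.
type Scope struct {
	Departments                       map[string]bool
	HourStart, HourEnd, MaxRecordsDay int
}

// Access is one parsed line of an EHR audit log.
type Access struct {
	At                 time.Time
	User, Record, Dept string
}

// ParseAccess parses one "<RFC3339 time> key=value ..." audit line. The format
// is an assumption for this example; adapt it to the EHR's own audit export.
func ParseAccess(line string) (Access, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Access{}, fmt.Errorf("short line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Access{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if p := strings.SplitN(f, "=", 2); len(p) == 2 {
			kv[p[0]] = p[1]
		}
	}
	a := Access{At: at.UTC(), User: kv["user"], Record: kv["record"], Dept: kv["dept"]}
	if a.User == "" || a.Record == "" {
		return Access{}, fmt.Errorf("missing user or record in %q", line)
	}
	return a, nil
}

// Findings reports reads outside the account's contracted department or hours,
// accounts with no scope on file, the first time an account's distinct records
// for a day exceed its limit, and audit lines that do not parse (an audit gap).
func Findings(lines []string, scopes map[string]Scope) []string {
	var out []string
	perDay := map[string]map[string]bool{} // "user|YYYY-MM-DD" -> distinct records
	for _, line := range lines {
		a, err := ParseAccess(line)
		if err != nil {
			out = append(out, "unparseable audit line: "+err.Error())
			continue
		}
		ts := a.At.Format(time.RFC3339)
		sc, ok := scopes[a.User]
		if !ok {
			out = append(out, fmt.Sprintf("%s: account %s read %s but has no contracted scope on file", ts, a.User, a.Record))
			continue
		}
		if !sc.Departments[a.Dept] {
			out = append(out, fmt.Sprintf("%s: %s read %s in dept %s, which is not in its contract", ts, a.User, a.Record, a.Dept))
		}
		if h := a.At.Hour(); h < sc.HourStart || h >= sc.HourEnd {
			out = append(out, fmt.Sprintf("%s: %s read %s at %02d:00 UTC, outside %02d:00-%02d:00", ts, a.User, a.Record, h, sc.HourStart, sc.HourEnd))
		}
		day := a.User + "|" + a.At.Format("2006-01-02")
		if perDay[day] == nil {
			perDay[day] = map[string]bool{}
		}
		perDay[day][a.Record] = true
		if len(perDay[day]) == sc.MaxRecordsDay+1 { // report once, when the limit is first crossed
			out = append(out, fmt.Sprintf("%s: %s exceeded %d distinct records in one day", ts, a.User, sc.MaxRecordsDay))
		}
	}
	return out
}

// SampleScopes and SampleLog are constructed for this example, not real data.
var SampleScopes = map[string]Scope{
	"billing-vendor": {Departments: map[string]bool{"billing": true}, HourStart: 8, HourEnd: 18, MaxRecordsDay: 50},
	"imaging-vendor": {Departments: map[string]bool{"radiology": true}, HourStart: 8, HourEnd: 18, MaxRecordsDay: 1},
}
var SampleLog = []string{
	"2015-04-20T14:05:11Z user=billing-vendor action=READ record=MRN000101 dept=billing",
	"2015-04-20T14:06:40Z user=billing-vendor action=READ record=MRN000102 dept=cardiology",
	"2015-04-20T02:13:07Z user=billing-vendor action=READ record=MRN000103 dept=billing",
	"2015-04-20T15:00:00Z user=imaging-vendor action=READ record=MRN000104 dept=radiology",
	"2015-04-20T15:00:05Z user=imaging-vendor action=READ record=MRN000105 dept=radiology",
	"2015-04-20T16:20:00Z user=svc-shared action=READ record=MRN000107 dept=pharmacy",
}

func main() {
	for _, f := range Findings(SampleLog, SampleScopes) {
		fmt.Println(f)
	}
}
```

On the sample log this yields four findings: the cardiology read by the billing vendor, the 02:00 read, the imaging vendor crossing its daily record limit, and the unowned svc-shared account. The scope table is the piece that has to come from the business associate agreement itself; the check is only as good as what was written down there.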
Training & Awareness
Secure the Human!
Policies & procedures
Passwords
Phishing awareness
The Cost of Failing to Prepare
The cost of a breach far exceeds the cost of implementing policies, procedures, training, and a plan.
The cost of a healthcare breach can disrupt patient lives, potentially leading to patient harm.
$$ Penalties for Non-Compliance
Parting Thoughts
http://splashdata.blogspot.com/2014/01/worst-passwords-of-2013-our-annual-list.html
Review BA agreements
Update your HIPAA risk assessment
Develop a breach response readiness plan
Contact Us
Deborah Hiser (512) 703-5718 deborah.hiser@huschblackwell.com
Ana Cowan (512) 703-5791 ana.cowan@huschblackwell.com
Debbie Juhnke, IGP, CRM