5-2 educating c-suite - cshrmwhy should the c-suite be concerned net diligence 2015 cyber claims...
TRANSCRIPT
4/15/2016
Educating the C-Suite About Cyber Risk
and Why They Should be Concerned
Presented by:
Allison Funicelli, MPA, CCLA, ARM, ACHE, Litigation Manager, Hamlin & Burton
Carol Doty, Esq., Kaufman, Borgeest & Ryan
Thomas Langer, EnCE, CEH, Kivu Consulting, Inc.
I SEE CYBER LIABILITY IN YOUR FUTURE…..
STAR DATE 69800.9
BUT WE ARE HERE TO HELP…..A CYBER CRIMINAL LOOMS AMONG US….
CYBER LIABILITY
What is it and why is it important to everyone, especially the healthcare industry?
WHAT IS A CYBER ATTACK?
A cyber attack is the deliberate exploitation of computer systems, technology-dependent enterprises and networks.
Cyberattacks use malicious code to alter computer code, logic or data resulting in disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
THE POTENTIAL COST
SO WHAT ABOUT HEALTHCARE?
No industry faces greater data security risks than the $2.9 trillion healthcare sector.
According to the Ponemon Institute, criminal attacks are now the leading cause of data breaches in healthcare.
EXAMPLES OF HEALTHCARE COMPANIES THAT FELL VICTIM TO CYBERSECURITY ISSUES
Anthem data breach cost likely to smash $100 million barrier. The company's cyber insurance policy is likely to be exhausted following the theft of up to 80 million records. The financial consequences of Anthem's massive data breach could reach beyond the $100 million mark, according to reports. Feb 12, 2015
The Community Health Systems breach exposing 4.5 million patients' data in 29 states is expected to be costly--the total bill could be somewhere between $75 million and $150 million, according to a calculation at Forbes. The first class-action lawsuit was filed within hours after the breach was announced. Aug 25, 2014
FINES & PENALTIES – 15 LARGEST DATA BREACH SETTLEMENTS AND HIPAA FINES [1]
1. New-York Presbyterian Hospital and Columbia University (NY) – May 2014 – Deactivation of a network server resulted in PHI of more than 6,800 individuals being accessible online - $4.8M HIPAA fine
2. Cignet Health (MD) – May 2011 – Violation of patients’ rights by denying them access to their medical records following requests to obtain them - $4.3M HIPAA fine
3. Stanford Hospital & Clinics (CA) – March 2014 – Data from 20,000 patient records was found online - $4M settlement
4. AvMed (FL) – March 2014 – More than 1M patient records including SSN were compromised following the theft of two unencrypted laptops - $3M settlement
5. CVS Pharmacy (RI) – January 2009 – CVS pharmacy chain disposed of protected health information in dumpsters - $2.25M HIPAA fine
6. Alaska HHS (AK) – June 2012 – A portable storage device containing electronic patient data was stolen from an HHS employee - $1.7M HIPAA fine
7. Concentra Health Services (TX) – April 2014 – An unencrypted laptop containing patient data was stolen - $1.7M HIPAA fine
8. WellPoint (IN) – July 2013 – No technical safeguards in place to verify entities accessing its database of PHI - $1.7M HIPAA fine
9. Massachusetts Eye and Ear Infirmary (MA) – September 2012 – An unencrypted laptop containing patient data was stolen - $1.5M HIPAA fine
10. Blue Cross Blue Shield Tennessee (TN) – March 2012 – 57 unencrypted computer hard drives containing PHI of more than 1M individuals were stolen - $1.5M HIPAA fine
11. Affinity Health Plan (NY) – August 2013 – Company returned photocopy machines to a leasing agent without wiping the data of more than 344,500 individuals stored in the machines - $1.2M HIPAA fine
12. Rite Aid (PA) – July 2010 – Pharmacy chain improperly disposed of identifying information in trash containers accessible to unauthorized individuals - $1M HIPAA fine
13. General Hospital Corp/Massachusetts General Physicians Organization (MA) – February 2011 – Lost PHI of 192 patients - $1M HIPAA fine
14. UCLA Health (CA) – July 2011 – Complaints were filed against UCLA Health that from 2005-2008 unauthorized employees repeatedly accessed the PHI of patients - $865,000
15. Parkview Health System (IL) – June 2014 – Medical records pertaining to up to 8,000 patients were left unattended and accessible in a physician’s driveway - $800,000 HIPAA fine
1 – Becker’s Health IT & CIO Review 10/14/2015
Data Breach Statistics
• Data for more than 120M people have been compromised in more than 1,100 separate breaches at organizations handling PHI since 2009.
• Worldwide, the average cost of a healthcare breach is $363 per exposed personally identifiable record. The average cost in the U.S. is $398.
• In contrast, the global average cost of a data breach across all industries is $154.
• 47% of all breaches came from hackers and “criminal insiders”.
• The black market price for medical records can run 10x that of personally identifiable information hacks from other industries.
• Healthcare typically trails behind other industries in the adoption of information technology despite housing sensitive information.
Who is behind these cyber threats?
• Serious cyber terrorists such as individuals on the FBI’s most wanted cyber criminals list. These hackers are typically from: Romania, Russia/Ukraine, Chinese People’s Liberation Army, Pakistan, North Korea
• Mischievous hackers
• Persons in significant financial debt
• Persons with personal agendas
Motives for Cybercrime
• Money / Financial Profit
• Emotional drivers
• Political / Religious Motivation
• Just for Fun
COMMON CAUSES FOR CYBER LOSSES
• Malicious Attacks
• Inadequate Security
• System Glitches
• Employee Carelessness
• Employee Mobility/Disgruntled Employees
• Inadequate BYOD policies and procedures
HOW DATA BREACHES OCCUR
• Social Engineering
• Human IT Security Error
• Solicitation/Bribes
• Improper Data Disposal
• Hoax/Scam
• Financial Fraud
• Phishing
• Abuse of Access
• Social Media
• Laptop Theft
• Password Sniffing
• Denial of Service
• Exploit Wireless Network
• Unapproved Devices
• Malware Infection
• Web Use Violation
• Bots on Network
• Lost Mobile Devices
• Data Misuse
So What Can We Do?
• Hire sophisticated risk management consultants who specialize in cyber-risk/cyberattack prevention, especially with a niche in healthcare
• Obtain cyber liability insurance***
• Buyer Beware – Not all cyber insurance policies are the same – understand the exclusions on the policy
• Don’t rely on General Liability policies and drop down coverages as your sole insurance coverage – there are many exclusions and typically low limits
• Determine if the policy covers fines and penalties
• Determine if there is coverage for data ransom
• Does the policy cover property damage and bodily injury related to a cyberattack? If so, is it first or third party property coverage?
• Does it cover privacy breaches including HIPAA/PHI/PII exposure?
So What Can We Do?
• Risk Prevention – Hire a cyber risk management consultant to review current systems, especially a consultant with a niche for health care organizations
• Risk Prevention – Have a detailed plan in the event of an actual or suspected breach – Practice drills are key
• Risk Mitigation – If you have or suspect a breach, immediately assemble the internal breach team
• Risk Mitigation – Consult a breach coach - someone who has the knowledge and expertise to assemble an external team to work with your internal team immediately, including the coordination of:
o Claims Professionals
o Defense Counsel
o Coverage Counsel, if necessary
o Notification Organization
o Risk Consultants
o Forensic Consultants
o Credit Monitoring Organization
ANYONE CAN BE A VICTIM WHEN YOU LEAST EXPECT IT!
Why Should the C-Suite be Concerned
NET DILIGENCE 2015 CYBER CLAIMS STUDY
• Healthcare sector was most frequently breached (21%)
• Healthcare sector ranked 2nd for largest breaches (behind retail sector)
• Most frequent cause of loss across all industries:
o Hackers – 31%
o Malware/Virus – 14%
o Staff Mistakes – 11%
o Rogue Employees – 11%
• Disproportionate number of insider incidents occurred in healthcare
o In Healthcare sector, 35% of claims were due to malicious insider incidents
– This does not take into account staff mistakes
• Third-parties accounted for 25% of all claims submitted
o Hackers accounted for 50% of all third-party incidents
• The average claim in the Healthcare sector was $1.3 million
o Costs ranged from $2,598 to $15 million
Why Should the C-Suite be Concerned
65% of C-suite executives are very confident their cybersecurity plans are well established, yet only 17 percent demonstrate the highest levels of preparedness and capability.
60% – The CFO, CHRO and CMO feel the least engaged in cybersecurity threat management activities, yet are the stewards of data most coveted by cybercriminals.
*Securing the C-Suite: IBM Institute for Business Value
Why Should the C-Suite be Concerned
FBI Warning
The FBI issued a “Private Industry Notification”
that Health Care Systems and Medical Devices are at
Risk for Increased Cyber Intrusions for Financial Gain
April 8, 2014 PIN#: 140408-009
Why Should the C-Suite be Concerned
Why Should the C-Suite be Concerned
SANS Institute Study says it all:
“Health Care Cyberthreat Report:
Widespread Compromises Detected, Compliance Nightmare on the Horizon”
A SANS Analyst Whitepaper, by Barbara Filkins, Feb. 2014
Why Should the C-Suite be Concerned
Summary of SANS Institute Study:
Data shows that NO health care organization is immune
and
COMPLIANCE DOES NOT EQUAL SECURITY
Why Should the C-Suite be Concerned
C-Level Executives are no longer immune to the effects of a security breach.
Target Directors and Officers Hit with Derivative Suits based on Data Breach
California AG Law Suit for Late Data Breach Notification
Potential for Executive to Suffer Job Loss
Why Should the C-Suite be Concerned
Fallout of Data Breach on Health care Entities:
Possible Adverse Health Event
Loss of Protected Health Information
Loss of Digital Information/Network Loss
Loss of Business/Reputation
Financial Loss of Revenue
Fines
Costs of Breach/Remediation
Why Should the C-Suite be Concerned
The Health Insurance Portability and Accountability Act of 1996
(HIPAA)
– Security Rule: sets national standards for the security of electronic
protected health information
– Breach Notification Rule: requires covered entities and business
associates to provide notification following a breach of unsecured
protected health information
– Privacy Rule: confidentiality provisions
Why Should the C-Suite be Concerned
• Health Information Technology for Economic and Clinical Health (HITECH) Act
– Promotes the adoption and meaningful use of health information technology
– Subtitle D: addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules
Why Should the C-Suite be Concerned
• U.S. Department of Commerce’s National Institute of Standards and Technology (NIST)
– Identifies cybersecurity challenges and develops example solutions for real-world challenges faced by industries, including health care
Why Should the C-Suite be Concerned
CYBERSECURITY PRACTICE GUIDES
Securing Electronic Health Records on Mobile Devices – Released a draft 91-page “How-To Guide” for Security Engineers
https://nccoe.nist.gov/sites/default/files/nccoe/NIST_SP1800-1c_Draft_HIT_Mobile-HowTo_0.pdf
Why Should the C-Suite be Concerned
SPECIAL PUBLICATIONS RELATED TO IT SECURITY
Provided as an informational resource; these are not legally binding guidance for covered entities
An Introductory Resource Guide for Implementing the HIPAA Security Rule http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist80066.pdf
Guide to Storage Encryption Technologies for End User Devices http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/nist800111.pdf
HIPAA Security Rule Toolkit http://scap.nist.gov/hipaa/NIST_HSR_Toolkit_User_Guide.pdf
Why Should the C-Suite be Concerned
ENFORCEMENT OF NATIONAL STANDARDS
U.S. Department of Health & Human Services (HHS)
Audit Investigations
– HITECH requires HHS to perform periodic audits of covered entities and business associates to determine compliance with the HIPAA Privacy, Security and Breach Notification Rules
– HIPAA Rules are enforced by HHS’ Office for Civil Rights (OCR)
– OCR’s comprehensive audit protocol
• http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
Why Should the C-Suite be Concerned
Investigation of Complaints Filed with the OCR
– Anyone can file a complaint alleging a violation of the HIPAA Privacy, Security or Breach Notification Rules
– Three requirements to file a Complaint:
1) In writing
2) Name entity involved and describe acts/omissions
3) File within 180 days, unless “good cause” for extension
Why Should the C-Suite be Concerned
July 10, 2015 Bulletin: HIPAA Settlement Highlights Importance of Safeguards When Using Internet Applications
Employees at St. Elizabeth’s Medical Center (SEMC) filed an OCR Complaint in Nov. 2012
Allegation: employees used an internet-based document sharing application to store documents containing ePHI of nearly 500 individuals without having analyzed the risks associated with such a practice
Why Should the C-Suite be Concerned
OCR Investigation: SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects, and document the security incident and its outcome
Separately, on 8/25/14, SEMC notified OCR of a breach of unsecured ePHI stored on a former employee’s personal laptop and USB flash drive affecting nearly 600 individuals.
Why Should the C-Suite be Concerned
Resolution: $218,400 settlement amount
SEMC will adopt a robust corrective action plan to correct deficiencies in its HIPAA compliance program
OCR Guidance: “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications. In order to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”
OCR link provided for how organizations can meet privacy and security responsibilities:
http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
Why Should the C-Suite be Concerned
Civil Actions by State Attorneys General
HITECH gives State Attorneys General the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules
~Authority to obtain damages on behalf of state residents
~Authority to enjoin further violations of the HIPAA Privacy and Security Rules
Why Should the C-Suite be Concerned
Neither HIPAA nor HITECH and its regulations create a private right of action
However, Courts are allowing claims for negligence
Abdale v. North Shore Long Island Jewish Health System, Inc., 2015 WL 4879587 (NY Supreme Court, Queens County, Aug. 14, 2015)
Byrne v. Avery , (SC 18904) Connecticut case
Why Should the C-Suite be Concerned
Goal of the C-Suite:
To build a culture of Prevention in the Healthcare Setting
The C-Suite must work together to create a well-rounded and secure environment where employees at all levels understand what they must do to protect sensitive information.
Why Should the C-Suite be Concerned
C-Suite Battle Plan:
Mitigate Threats
Discover Threats
Respond to Any Threats
Introduction
• Thomas Langer
• Associate Director, Cyber Investigations
• Kivu Consulting
• Washington DC
Cyber Security News
Cyber Security in Healthcare
• Hollywood Hospital and 2 other Southern California Hospitals attacked with Ransomware
o Shut down the hospital
• Washington DC Area Hospital attacked, crippled IT Infrastructure
o Forced to revert back to paperwork, and even turn away some patients
• Healthcare System fined $1.5 mil by OCR
o Additional $0.5 mil costs in corrective actions
o CE fined due to no BAA
o No Risk Assessment was completed
What matters most in Healthcare Security?
Covered Entities
• Recent trends identified more hackers are targeting healthcare information.
• Once hackers get access, healthcare organizations have to prove that attackers did not access/exfiltrate PHI data.
• If they can’t prove the negative, CEs are forced to declare a breach even when it is very unlikely PHI was compromised.
Business Associates - the weakest link
• Hospitals are getting better protected, hackers are looking to attack the less protected Business Associates.
• Frequently BAs promise their customers security standards that they don’t actually employ.
What Cyber Risk preparation makes a real difference?
• Auditing/ Logging – being able to prove that PHI data did not leave the network can prevent a multi-million dollar notification
• Segregating Data – making sure that PHI is separated from financial or HR data; and that this separation is monitored and audited
• Data Mapping – Know where your data is located
• Cloud Storage - If data is stored in the Cloud, have you implemented additional safeguards to prevent misuse of stolen user credentials? –e.g. multi-factor authentication, blocking access from certain countries?
• DLP “Data Loss Prevention” - tools that scan for outgoing email with unencrypted file attachments with possible PHI/PII
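The DLP bullet above describes a gateway control that scans outgoing mail for unencrypted attachments carrying PHI/PII. As an added illustration that is not part of the presentation or of any vendor product, the following Python sketch shows the core of such a check: it inspects only mail addressed outside the organisation, lets attachments the gateway already knows are encrypted pass, and flags attachments whose text contains SSN-like or MRN-like values, escalating when those sit next to clinical terms. The sample message, the `hospital.example` domain, the MRN format and the keyword list are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Patterns are assumptions for this example: the US SSN layout (rejecting invalid
# area/group/serial values) and a made-up "MRN 00123456" medical record number format.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN[:#]?\s?\d{6,8}\b")
# Clinical terms that, next to an identifier, turn PII into likely PHI (assumed list).
PHI_KEYWORDS = ("patient", "diagnosis", "prescription", "icd-10")
INTERNAL_DOMAIN = "hospital.example"  # constructed organisation domain


@dataclass
class Attachment:
    filename: str
    content: bytes
    encrypted: bool = False  # set by the gateway for password-protected zip/PDF


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    attachments: list = field(default_factory=list)


@dataclass
class Finding:
    filename: str
    reason: str
    matches: list


def is_external(address: str) -> bool:
    """True when the recipient is outside the organisation's domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def scan_attachment(att: Attachment) -> list:
    """Return Findings for one attachment.

    Encrypted attachments cannot be inspected and are allowed through here; a
    stricter policy could quarantine them for review instead.
    """
    if att.encrypted:
        return []
    text = att.content.decode("utf-8", errors="ignore")
    findings = []
    ssns = SSN_RE.findall(text)
    mrns = MRN_RE.findall(text)
    if ssns:
        findings.append(Finding(att.filename, "unencrypted attachment contains SSN-like values", ssns))
    if mrns:
        findings.append(Finding(att.filename, "unencrypted attachment contains MRN-like values", mrns))
    if (ssns or mrns) and any(k in text.lower() for k in PHI_KEYWORDS):
        findings.append(Finding(att.filename, "identifiers appear alongside clinical terms (likely PHI)", []))
    return findings


def evaluate_mail(mail: OutboundMail) -> dict:
    """Block outbound mail that carries PHI/PII in unencrypted attachments.

    Internal-only mail is not scanned; everything else is checked attachment by
    attachment, and the decision plus the evidence is returned for logging.
    """
    if not any(is_external(r) for r in mail.recipients):
        return {"action": "allow", "findings": []}
    findings = [f for att in mail.attachments for f in scan_attachment(att)]
    return {"action": "block" if findings else "allow", "findings": findings}


# Constructed sample: a referral summary sent to an outside clinic, plus an
# encrypted archive the gateway cannot read.
SAMPLE_MAIL = OutboundMail(
    sender="nurse@hospital.example",
    recipients=["referral@clinic-partner.example"],
    attachments=[
        Attachment("referral.txt", b"Patient John Doe, MRN 00123456, SSN 123-45-6789, diagnosis pending"),
        Attachment("labs.zip", b"PK\x03\x04 constructed encrypted zip bytes", encrypted=True),
    ],
)

if __name__ == "__main__":
    result = evaluate_mail(SAMPLE_MAIL)
    print("action:", result["action"])
    for f in result["findings"]:
        print(f"  {f.filename}: {f.reason} {f.matches}")
```

Run as written, it blocks the sample message on `referral.txt` and lets the encrypted archive through. A production gateway adds document fingerprinting, OCR for scanned records and a reviewer queue, but the decision flow (external recipient, inspectable attachment, identifier plus context) is the same.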
What Cyber Risk preparation makes a real difference? (cont.)
• Verify your Business Associates (BA) – Transparency, onsite visit, create a vetting process, compliance with your policy and regulations, BA agreement, due diligence on a consistent basis
• Risk Assessments – Create a security policy, complete a risk assessment, scan enterprise for vulnerabilities, resolve vulnerabilities within reasonable timeframe, scan network again and verify results
• Account Audit – annual user account review, frequent password changes
• Encrypt, Encrypt, Encrypt – Both portable devices and desktops (Desktops are stolen too), Networks, Databases
• Training – Security Awareness Training, at least annually
Pre-Breach Preparation, What to do?
• Create an Incident Response (IR) Plan
o Update IR plan annually
o Contains detailed information, different scenarios
o Contact Information of Key team members
o Perform an annual tabletop exercise with identified teams (act out an incident)
• Identify Incident / Breach Definitions
o Event – Incident – Compromise – Breach
• Determine Escalation Procedure
When your Business has a Breach, now What?
• Identify the nature of the breach and source of security lapse
o Lost Laptop
o Hacking Incident
o Phishing Email
• Identify what type of information is implicated
o PII, PHI, PCI
o Financial Records
• Engage outside counsel experienced in data security issues
• Convene Incident Response Team
o Compliance
o In-House Counsel
o HR, IT
o Public Relations
When your Business has a Breach, now What? (cont.)
• Review statutory notification requirements in applicable jurisdiction(s)
• Determine if law enforcement should be notified
o Question for Legal Team and Outside Counsel
o Depends on the nature of the breach
o Type of information and number of individuals affected
• Notify insurance carriers
• Prepare notification document
• If necessary, set up a phone hotline and script to respond to victims’ inquiries
o Case on West Coast: BA tried to please CE and regulators, agreed to tell victims what PHI was compromised (call center)
Cost Drivers in Healthcare Data Breach!
1. Was organization’s security set up to reflect HIPAA Security Rule?
• HIPAA Final Rule: presumption = any impermissible use or disclosure is a breach that compromises the security or privacy of the information. CE or BA bears the burden of proving a low probability that PHI has been "compromised" (and thus no need for notification)
• Organization will be judged on what it did in preceding 2 - 24 months
2. Was organization’s security set up to assist in the breach analysis?
• Access Controls/system logging/monitoring traffic/exfiltration to prove negative (intrusion, not compromise)
• Preserving the “correct”, most helpful evidence
• Encryption installed – can you prove it was used?
• Who is thinking 3/6/12 months out? Who will testify
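The second cost driver above turns on whether the organisation's logs let it argue "intrusion, not compromise". As an added illustration that is not part of the presentation, the following Python sketch joins two constructed log sources, an EHR audit trail and an egress proxy log, for a suspect account and its workstation over a chosen window, and produces what a breach-analysis team needs first: which records were viewed, whether any export action occurred, and whether outbound traffic from the workstation was large enough to suggest exfiltration. The log formats, usernames, hostnames, the 10 MB threshold and the rule that a clean result supports a low-probability finding are all assumptions made for the example.

```python
from datetime import datetime

# Constructed EHR audit log: "<ISO time> <user> <action> <record id>" (format assumed)
EHR_AUDIT_LOG = """\
2016-03-02T09:14:05 jdoe VIEW MRN00123456
2016-03-02T09:15:40 jdoe VIEW MRN00123457
2016-03-02T09:20:11 asmith VIEW MRN00999001
2016-03-02T09:31:02 jdoe EXPORT MRN00123457
2016-03-02T12:05:50 jdoe VIEW MRN00123458
"""

# Constructed egress proxy log: "<ISO time> <source host> <destination> <bytes out>"
PROXY_LOG = """\
2016-03-02T09:16:00 WS-0412 portal.hospital.example 1820
2016-03-02T09:33:17 WS-0412 files.unknown-host.example 48123904
2016-03-02T10:02:44 WS-0077 cdn.vendor.example 9932
"""

# Actions that move PHI out of the application rather than just displaying it (assumed)
EXPORT_ACTIONS = {"EXPORT", "PRINT", "DOWNLOAD"}


def parse_ehr(text: str) -> list:
    """Parse audit lines into dicts; malformed lines are skipped, never guessed."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, record = parts
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "action": action, "record": record})
    return rows


def parse_proxy(text: str) -> list:
    """Parse proxy lines into dicts with an integer byte count."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dest, nbytes = parts
        rows.append({"ts": datetime.fromisoformat(ts), "host": host,
                     "dest": dest, "bytes": int(nbytes)})
    return rows


def analyse(user, host, start, end, audit_rows, proxy_rows, exfil_threshold=10_000_000):
    """Summarise what a suspect account and workstation did in [start, end]."""
    window_audit = [r for r in audit_rows if r["user"] == user and start <= r["ts"] <= end]
    records = sorted({r["record"] for r in window_audit})
    exports = [r for r in window_audit if r["action"] in EXPORT_ACTIONS]
    outbound = [p for p in proxy_rows if p["host"] == host and start <= p["ts"] <= end]
    large = [p for p in outbound if p["bytes"] >= exfil_threshold]
    return {
        "records_accessed": records,
        "export_actions": [(r["ts"].isoformat(), r["record"]) for r in exports],
        "bytes_out": sum(p["bytes"] for p in outbound),
        "large_transfers": [(p["ts"].isoformat(), p["dest"], p["bytes"]) for p in large],
        # Only when nothing was exported and nothing large left the host do the logs
        # support arguing a low probability that PHI was compromised.
        "supports_low_probability": not exports and not large,
    }


def sample_report(user="jdoe", host="WS-0412") -> dict:
    """Run the analysis over the constructed logs for the 09:00-10:00 window."""
    return analyse(user, host, datetime(2016, 3, 2, 9, 0), datetime(2016, 3, 2, 10, 0),
                   parse_ehr(EHR_AUDIT_LOG), parse_proxy(PROXY_LOG))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

For the constructed `jdoe` account the report shows two records viewed, one export, and a 48 MB transfer to an unknown host, so the logs cannot support a low-probability finding; for `asmith` on `WS-0077` the same window shows one view and nothing leaving, which is the kind of evidence the slide says has to exist before the event happens, not after.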