Post on 23-Aug-2020
39 Offices in 19 Countries
What Keeps You Up at Night?
Issues of Fraud and Abuse Compliance Series
My Data’s Been Stolen: Now What? Part II
November 21, 2013
Today’s Hosts
Thomas E. Zeno, Of Counsel, Squire Sanders. T +1 513 361 1202, thomas.zeno@squiresanders.com
Emily E. Root, Senior Associate, Squire Sanders. T +1 614 365 2803, emily.root@squiresanders.com
Review of Part I – September 19
• How to know a breach has occurred
• Insider and outsider threats
• Should you notify law enforcement?
• What does HIPAA require about Business Associates?
PowerPoint link: http://www.squiresanders.com/files/Event/14e2e0c3-5769-48e6-b68d-f87ef7d1ccff/Presentation/EventAttachment/2d7a653a-eb4a-4f27-bffd-0147fcdbecc4/My-Data's-Been-Stolen-Now-What-Part-I.pdf
Recording link: https://cc.readytalk.com/cc/playback/Playback.do?id=9466ij
Today’s Speakers
Scott A. Edelstein, Partner, Squire Sanders. T +1 202 626 6602, scott.edelstein@squiresanders.com
Thomas J. Hibarger, Managing Director, Stroz Friedberg. T +1 202 464 5803, thibarger@strozfriedberg.com
Today’s Agenda
• What more does HIPAA require?
• Data breach remediation
• Tips to prevent a breach
• Pre-planning for a breach
HIPAA has Teeth
• HHS Office for Civil Rights (OCR)
• U.S. Department of Justice (DOJ)
• State Attorneys General
• Expanded role of FTC
HIPAA Penalties and Enforcement
• Civil Penalties
  – $100 per violation, up to a maximum of $1.5 million per year
• Criminal Penalties
  – Up to $50,000 and one year in jail for wrongful disclosure
  – Up to $250,000 and ten years in jail if there is intent to sell, transfer or use PHI for commercial advantage
• Applies to both Covered Entities and Business Associates
State Patient Privacy Lawsuits
• No HIPAA private right of action
  – Patients still can sue under state common law principles, e.g., invasion of privacy
• HIPAA as standard of reasonableness?
State Data Breach Notification Laws
Other HIPAA Obligations
• Duty to mitigate
• Accounting of disclosures
• Review administrative, technical and physical safeguards
Federal Data Breach Notification – General Rule
After discovering a breach of unsecured PHI, a Covered Entity must notify each individual whose information was, or reasonably is believed to have been, accessed, acquired, used or disclosed as a result of the breach.
Federal Data Breach Notification – Definitions
• “Unsecured PHI”: PHI not rendered unusable, unreadable or indecipherable to unauthorized persons
  – Encryption or destruction (per HHS guidance) is encouraged but not required; PHI secured that way falls outside the notification rule
• “Breach”: unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of the PHI
  – Elimination of the subjective standard (“significant risk of financial, reputational, or other harm”)
  – The new objective standard creates a presumption of breach unless the CE/BA demonstrates a low probability that the PHI has been compromised
• Exceptions
  – Certain unintentional or inadvertent disclosures
  – Good faith belief that the recipient reasonably would not have been able to retain the data
Federal Breach Notification – Risk Assessment to Determine Low Probability
• Nature and extent of the PHI involved (e.g., types of identifiers and likelihood of re-identification)
• The unauthorized person who used the PHI or to whom the PHI was disclosed
• Whether the PHI was actually acquired or viewed
• Extent to which the risk to the PHI has been mitigated
Federal Data Breach Notification – Notification Obligations
• Notification required without unreasonable delay and no later than 60 days after discovery
  – Enforcement rule requires correction in 30 days
  – A BA failing to notify the CE can be penalized directly
  – State law may have shorter notice periods (e.g., California)
• Content of the notification:
  – Briefly describe what happened and when
  – Describe the types of unsecured PHI involved
  – Describe how individuals can protect themselves
  – Briefly describe the investigation, mitigation and protection steps
  – Provide contact information
Federal Data Breach Notification – Form of Notice
• Plain language
• Written notice via mail (or electronic if the individual agrees)
  – If the individual is deceased, to next of kin or personal representative
  – Also telephone or other means if urgent
• Substitute notice if contact information is insufficient or out of date
  – Fewer than 10 individuals: alternative written, telephone or other means
  – 10 or more individuals: either a 90-day website posting or media notice, PLUS a toll-free number active for 90 days
Federal Data Breach Notification – Additional Required Notice
• Media Notification
  – More than 500 residents of a State or jurisdiction affected: notify prominent media outlets serving that State
  – Within 60 days of breach discovery
  – Same content as the notice to individuals
• HHS Notification
  – 500 or more individuals: notify HHS at the same time as the individuals
  – Fewer than 500: maintain a breach log and notify HHS within 60 days after the end of the calendar year in which the breach was discovered
  – Hospice of North Idaho settlement, Dec. 2012 (the first HHS settlement for a breach affecting fewer than 500 individuals)
Lessons Learned
• Encryption will prevent a lot of headaches
• OCR will have access to everything
• State AGs may become involved
• Media attention
• Enterprise embarrassment
• Consider cyber insurance
• May prompt litigation
  – Between covered entities and business associates
      Who will pay costs associated with notification?
      Security incident versus breach
      Enforcement of agreements with offshore BAs
  – By affected individuals
Key Steps
• Organize your network data
• Update Policies and Procedures
• Develop a Response Plan
• Perform a Risk Assessment
Organize Your Network Data
• Map your critical assets
• Record backup schedules and inventories
• Update user lists
• Centralize logging functions
Update Policies and Procedures
• Conform them to HIPAA Security and Privacy Audit Protocols
• Account for new technology
  – Text messaging
  – Social media
  – BYOD
  – Cloud computing
BYOD – Bring Your Own Device
http://blogs.wsj.com/riskandcompliance/2013/09/26/hospitals-allowing-byod-face-complications-with-new-hipaa-rule/
• Consider the risk implications of BYOD vs. convenience
• Where is the perimeter of your network and who controls it?
• ePHI transmitted via emails, texts, attached documents
• ePHI must be secured in transit and at rest, e.g., in a managed container on the device
• iOS vs. Android
Develop a Response Plan
• Management endorsement
• Contact lists
• Legal analysis and timeline
• Categories of adverse events
• Facilities and equipment list
• Outreach plan
• An effective team
23
The Cloud
• OCR guidance that cloud providers are Business Associates
Develop a Response Plan – Effective Team
25
Communication
• Team Members
  – Outside & in-house counsel
  – Compliance, HR, IT
  – Business managers, public affairs
  – Experts
• Other Key Constituents
  – Board/CEO, Executives
  – Employees
  – Shareholders
  – Unaffected Patients, Providers, or Customers
Perform a Risk Assessment
• The HIPAA Security Rule requires it
• HHS auditors report it as one of the most common compliance failures
Preservation
• Unhook infected machines from the network
  – Do NOT poke around on them; every command run on a compromised host alters the evidence
  – Insert clean and patched machines in their place
• Call experts to image the infected machines
• Save off log files
• Pull needed backup(s) out of rotation
• Save keycard data and surveillance tapes
• Start real-time packet capture
• Force password changes (after the intruder’s access has been cut off, so the new credentials are not captured as well)
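As an added illustration of the “save off log files” and “image infected machines” steps (this code is not part of the webinar slides), the Python below hashes each preserved file into a manifest at collection time and re-verifies the files later, so that any change to the evidence after collection is detectable. The file names, log lines and collector name are constructed sample data.

```python
"""Evidence-preservation helper: hash preserved files into a manifest, verify later.

Added example, not from the webinar. All file names, log lines and the
collector name below are constructed sample data.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read files in 64 KiB pieces so large logs do not load into memory


def sha256_file(path):
    """Hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record hash, size, mtime and collection time for each preserved file."""
    entries = []
    for p in sorted(paths):
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        })
    return {
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(manifest):
    """Return (path, reason) for every file that is missing or no longer matches."""
    problems = []
    for e in manifest["files"]:
        if not os.path.exists(e["path"]):
            problems.append((e["path"], "missing"))
        elif sha256_file(e["path"]) != e["sha256"]:
            problems.append((e["path"], "modified"))
    return problems


def manifest_digest(manifest):
    """Hash of the canonical JSON manifest; write this value into the chain-of-custody notes."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


# Constructed sample log contents (hypothetical hosts, users and addresses).
SAMPLE_LOGS = {
    "auth.log": b"Nov 21 02:14:07 ehr01 sshd[4121]: Accepted password for svc_backup from 10.20.4.77 port 51922\n",
    "access.log": b'10.20.4.77 - jsmith [21/Nov/2013:02:15:10 -0500] "GET /patients/10021 HTTP/1.1" 200 4821\n',
}


def demo():
    """Preserve the sample logs, then show that later tampering is detected."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in SAMPLE_LOGS.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)
        manifest = build_manifest(paths, collector="IR on-call")
        clean = verify_manifest(manifest)       # nothing to report right after collection
        with open(paths[0], "ab") as f:         # simulate someone editing a log afterwards
            f.write(b"edited\n")
        tampered = verify_manifest(manifest)
        return len(manifest["files"]), clean, [reason for _, reason in tampered]


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(f"{count} files preserved; before tampering: {clean}; after: {tampered}")
```

Run the manifest step on the copies you pulled off the systems, record `manifest_digest()` in the incident notes, and hand the same manifest to the forensic examiners so the images and logs they receive can be checked against what was collected.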
Breach Timeline
Mitigating Your Risks
Simple steps to reduce the risk of compromising your data and systems
• Encrypt data – in motion and at rest
• Install software security patches
• Train employees to avoid security threats
• Robust passwords; change them; no default passwords
• Use multi-factor authentication for remote access
  – Employees working from outside the office
  – Sensitive on-line accounts such as financial accounts and cloud storage of patient data
• Terminate dormant user accounts
• Use up-to-date virus scanning software
• Periodically audit compliance with data security rules
Mitigating Your Risks
Simple steps to reduce the damage if/when a compromise occurs
• Don’t store data you don’t need
• Know where your data is
• Use internal network walls to protect sensitive data
• Train employees to spot and report anomalies
• Monitor logs in your system to detect anomalies
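Added example, not from the slides: two of the checks above (“terminate dormant user accounts” and “monitor logs in your system to detect anomalies”) run over constructed sample data in Python. The account names, dates, log format, the 90-day idle limit and the 20-charts-in-10-minutes threshold are assumptions chosen for illustration; the bulk-access check is a general sliding-window count over any “timestamp user action patient_id” feed.

```python
"""Dormant-account and bulk-chart-access checks over constructed sample data.

Added example, not from the webinar. Users, dates, thresholds and the
log format are assumptions for illustration.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed directory export: user -> last successful login (ISO date), or None if never.
LAST_LOGIN = {
    "jsmith": "2013-11-20",
    "rjones": "2013-05-02",    # has not logged in for months
    "svc_legacy": None,        # service account that never logged in
}
AS_OF = date(2013, 11, 21)      # reference date for the idle calculation

# Constructed EHR audit lines: "<ISO timestamp> <user> <action> <patient_id>".
ACCESS_LOG = [
    "2013-11-21T09:02:11 alee VIEW 10021",
    "2013-11-21T09:40:53 alee VIEW 10045",
    "2013-11-21T11:12:09 alee VIEW 10021",
    "2013-11-21T14:55:30 alee VIEW 10102",
] + [
    # constructed burst: jsmith opens 30 different charts in under three minutes at 2 a.m.
    f"2013-11-21T02:{15 + i // 12:02d}:{(i * 5) % 60:02d} jsmith VIEW {20000 + i}"
    for i in range(30)
]


def dormant_accounts(last_login, as_of, max_idle_days=90):
    """Accounts with no successful login within max_idle_days of as_of, or never."""
    cutoff = as_of - timedelta(days=max_idle_days)
    dormant = [
        user for user, last in last_login.items()
        if last is None or date.fromisoformat(last) < cutoff
    ]
    return sorted(dormant)


def parse_access_line(line):
    """Split one audit line into (timestamp, user, action, patient_id)."""
    ts, user, action, patient_id = line.split()
    return datetime.fromisoformat(ts), user, action, patient_id


def bulk_chart_access(lines, window=timedelta(minutes=10), threshold=20):
    """Users who viewed at least `threshold` distinct charts inside any `window`.

    Returns {user: peak distinct charts seen in one window} for flagged users only.
    """
    by_user = defaultdict(list)
    for line in lines:
        ts, user, action, pid = parse_access_line(line)
        if action == "VIEW":
            by_user[user].append((ts, pid))

    flagged = {}
    for user, events in by_user.items():
        events.sort()                       # sliding window needs time order
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # drop events that fell out of the window
            distinct = len({pid for _, pid in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print("dormant:", dormant_accounts(LAST_LOGIN, AS_OF))
    print("bulk access:", bulk_chart_access(ACCESS_LOG))
```

The dormant list is the input to the account-termination step; the bulk-access result is the kind of anomaly the monitoring bullet refers to, and tuning `window` and `threshold` to a unit’s normal workload is what keeps it from flagging legitimate clinical use.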
Mitigating Your Risks
Steps for reducing insider cybercrimeand data breach risk
• Create written employee conduct policies
Include social media use policies
• Restrict internet sites able to exfiltrate sensitive data
• Create tiered access to sensitive information
Not everyone needs access to everything
• Check background of employees with access to sensitive information
• Restrict use of external storage devices
Mitigating Your Risks
Steps for reducing insider cybercrime and data breach risk (cont’d)
• Implement employee exit procedures
Acknowledgement of post-employment obligations
Termination of account access
• Dual controls for access to certain sensitive data
33
Mitigating Your Risks
Reducing the risk of employee negligence
• Good risk management of malicious conduct
• Encryption
• Don’t store data unnecessarily
• Encryption
• Data security policies and audits
• Encryption
• Employee training
• Audit compliance with data security rules
34
Tips for Avoiding Data Breaches
• Conduct random security audits
• Perform random reviews of access logs
• Have strong physical safeguards for areas where paper records are stored and used
• Don't store PHI on laptop hard drives or desktops
• Address administrative and physical safeguards clearly for storage devices and removable media
Hypothetical
A Business Associate contracted to send invoices to patients experiences a computer error which mismatches the patient’s name and address, resulting in 200 bills sent to the wrong address. Eighty bills were returned unopened.
Stay Alert
Thank You for Joining Our Webinar
Questions?
Contact us with other topics, questions or issues:
• Scott Edelstein: scott.edelstein@squiresanders.com
• Tom Hibarger: thibarger@strozfriedberg.com
• Tom Zeno: thomas.zeno@squiresanders.com
• Emily Root: emily.root@squiresanders.com