Network Security & Privacy Discussion
Colorado Community Health Network
April 14, 2014
Presented by: Kevin Keilbach – Client Executive – Health Care; Jeff Van Gulick – Executive Risk Practice Leader
Cyber Risk
Issues around the protection of personally identifiable data are a growing concern, and not a day goes by without news of some organization suffering a breach of that data. Questions you should ask yourself in the event that some of the data you hold is breached, lost or stolen:
- Who do I contact to assess the extent of the breach?
- Who do I need to notify? Which state or federal agencies need to be involved?
- What are my legal obligations?
- What are the timeframes for my actions?
- Do I have coverage for the costs involved?
These and many other questions need to be addressed in a very tight timeframe should you become aware that some or all of your patient data has been compromised.
Patient Data Privacy/Cyber Insurance
Cyber Risk
For any organization that utilizes a computer network, maintains a website, accesses the internet, or stores personally identifiable information (PII) or personal health information (PHI), Network Security/Privacy or "Cyber" risks are a growing concern. Health care organizations are among the highest-risk industries for patient data privacy claims. Cyber (Network Security / Privacy) insurance policies can be customized to protect your business from the following:
- Claims made by 3rd parties arising from a breach in network security that results in damage to the 3rd party's network or data, or dissemination of private / confidential information (electronic or hard copy)
- Cost to respond to a security breach (notification, credit monitoring, public relations, forensics, legal expenses)
- Replacement of lost income due to a security breach
- Cost to restore the business' own damaged / destroyed data
- Cost to address a cyber extortion threat
Coverages available (in any combination) to respond to the various cyber risk exposures:
- Network Security Liability – Coverage for unauthorized access, theft or destruction of data, ID theft, denial of service attacks and virus transmission.
- Privacy 3rd Party Liability – Coverage for theft, loss or unauthorized disclosure of personally identifiable information or other 3rd party confidential information. Coverage for regulatory proceedings is also available.
- 1st Party Protection – Coverage for the costs to comply with the notification requirements of data breach laws, credit monitoring for affected parties, computer forensics, and public relations / crisis management.
- Media / Electronic Media Liability – Coverage for claims of personal injury and intellectual property offenses, including copyright / trademark infringement, slander, defamation and invasion of privacy. (The existence of a website creates this exposure.)
- Cyber Extortion (1st Party Protection) – Coverage for threats from hackers making demands in exchange for not bringing down the computer network or disseminating or destroying data. Provides reimbursement for the extortion payment and investigation costs.
- Cyber Business Interruption (1st Party Protection) – Coverage for financial loss suffered due to an interruption or failure of an insured's computer network resulting from a security failure.
- Information Asset Coverage (1st Party Protection) – Covers the cost to restore or recreate electronic data and other information assets that are damaged by a computer attack.
Privacy / Security Laws
The following laws create 1st and 3rd party exposures to loss as well as the possibility of regulatory proceedings, fines and penalties:
- State breach notification laws (in all but four states: AL, KY, NM and SD)
- Red Flag Rule (FTC)
- Massachusetts (MA) data security regulations
- HIPAA – Health Insurance Portability & Accountability Act
- HITECH – Health Information Technology for Economic & Clinical Health Act
- Gramm-Leach-Bliley Act
- International privacy laws
Exposure
HIPAA
Privacy Rule – The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Security Rule – The Security Rule defines standards, procedures and methods for protecting electronic PHI, with attention to how PHI is stored, accessed, transmitted and audited (written procedures and protocols, along with business associate agreements).
Enforcement Rule – Governs the process by which the Office for Civil Rights (OCR) investigates and resolves alleged violations of the HIPAA Privacy & Security Rules.
Omnibus Final Rule – Effective September 23, 2013, it implemented most of the privacy amendments mandated by HITECH. The Privacy Rule now also applies to Business Associates, and their contracts must comply by 9/22/14.
HITECH Act
- Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates
- Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates, i.e. for breaches of patient data records you must notify the media and HHS
- Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting-of-disclosures requirements
- Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods
- Vests limited enforcement power in the state Attorneys General
- Mandates that the new security requirements be incorporated into all Business Associate contracts
- DIRECT liability for Business Associates
Claims Discussion – Highlights of Claims Findings
Type of Data
- PII was the most frequently exposed data: 29% of breaches
- PHI followed closely: 27% of breaches
Cause of Loss
- Lost or stolen laptop/device was the most frequent cause of loss: 21%
- Hackers followed: 15%
Business Sector
- Healthcare was the sector most frequently breached: 29%
- Financial Services followed: 15%
Company Size
- Small-cap ($300m - $2b): 23%
- Nano-cap (< $50m): 22%
- Mega-cap (> $100b) companies lost the most records: 46%
© 2013 Net Diligence
Claims Discussion – Highlights of Claims Findings
Per Breach costs
- Average claim: $1.3m
- Claim range: $2.5k - $20m
- Median claim: $242.5k
Per Record costs
- Average per record cost: $307
- Median per record cost: $97
- Average records lost: 2.3m
- Median records lost: 1k
Crisis services costs (forensics, notification, credit monitoring)
- Average cost: $737k
- Median cost: $220k
Legal Costs (defense & settlement)
- Average cost of defense: $575k
- Median cost of defense: $7.5k
- Average settlement: $258k
- Median settlement: $22.5k
Claims Findings
[Chart: leading causes of loss for PII and PHI – lost/stolen laptop/device; hackers and rogue employees]
Claims Findings
[Chart: healthcare is the overwhelming majority of breached sectors; nano- and small-cap companies lead in claims]
Cyber Claims Overview – Privacy Claim Examples
Emory Healthcare, Emory University Hospital – Emory Healthcare revealed that 10 backup discs containing patient information were missing from a storage location at Emory University Hospital. The discs were determined to have been removed sometime between February 7, 2012, and February 20. The patient information was related to surgery and included names, Social Security numbers, diagnoses, dates of surgery, procedure codes or the names of the surgical procedures, surgeon names, anesthesiologist names, device implant information, and other protected health information. Patients treated between September 1990 and April 2007 were affected.
- Number of records breached: 315,000
- Financial impact: Undisclosed
Peninsula Orthopaedic Associates – As many as 100,000 patients of Peninsula Orthopaedic Associates were warned to protect themselves against identity theft after tapes containing patient information were stolen. Patients were also advised to keep an eye on benefits statements from their health insurance companies, since they may also be at risk of medical identity theft. The records from Peninsula Orthopaedic were stolen on March 25 while in transport to an off-site storage facility. Patients' personal information, including Social Security numbers, employers and health insurance plan numbers, may have been among the information stolen.
- Number of records breached: 100,000
- Financial impact: Undisclosed
Pathology Group – Someone broke into a locked office building, and several computers with flat-screen monitors were stolen. One of those computers held patient information on about 75,000 people, including names, addresses, Social Security numbers and even medical information.
- Number of records breached: 75,000
- Financial impact: Undisclosed
Data Breach Expenses – Breach Scenario
The average cost of a data breach across all sectors is $214 per record. The average cost of a data breach in the Healthcare industry is $301 per record, of which 34% are direct costs to respond to the breach and 66% are indirect costs, mostly comprised of the cost of lost business. [1]
Scenario: a breach occurs that results in the dissemination of the personally identifiable information of 25,000 patients, and alternatively 100,000 patients. The following table approximates the direct expenses required to respond to the breach (data extrapolated from per-record costs as published in the 2010 Annual Study: U.S. Cost of a Data Breach, 3/2011, Ponemon Institute).

Estimated direct expenses                                            25K Records        100K Records
Mitigation expenses: computer forensics / legal advice /
  crisis management – public relations                               $200K - $750K      $1M - $2M
Notification & credit monitoring                                     $500K - $1.25M     $3M - $5M
Legal defense expenses to defend claims brought by breach victims    $300K - $1M        $2M - $4M

Regulatory defense costs, fines and penalties are not contemplated in the estimates above and may result in significant additional expenses.
[1] 2010 Annual Study: U.S. Cost of a Data Breach, 3/2011, Ponemon Institute
Loss Control – Security Assessment
HUB has partnered with NetDiligence, a full-service Cyber Risk Management and Information Security Services firm based in PA. NetDiligence offers three levels of Cyber Risk Assessments and Vulnerability Testing:
Level 0: Self Assessment (QuietAudit®) – The Level 0 assessment allows a company to use NetDiligence's QuietAudit® online tool to evaluate its own security controls and privacy measures, a thorough, efficient way to prepare for regulator reviews or to perform general risk management housekeeping. QuietAudit® produces an online summary scorecard based on the answers to about 100 simple questions. Clients typically take about two hours to complete the questions, which focus on the ISO cyber security best-practice standards associated with fourteen categories. The Level 0 executive-level summary report reveals a network's strengths and vulnerabilities in a format suitable for presenting to senior management or a board of directors. It is an efficient approach to validating best practices and establishing the baseline level of due-care network security and privacy measures, and is the first step prior to the Level 1 or Level 2 assessments.
Level 1: Remote eRisk Security Assessment ($8,000) – The Level 1 assessment provides a cost-effective cyber risk security assessment and server vulnerability testing, ideal for financial institutions that outsource their core bank processing, Internet banking firms, and Web hosts. This service balances the due diligence needed to gauge a client's security and privacy posture against the factors that might mitigate or increase cyber risks. The Level 1 deliverable is an ISO-based executive-level report that details the network's strengths, weaknesses and vulnerabilities, along with recommendations for corrective action. Level 1 can be re-purposed to assist in maintaining or pre-qualifying for certain forms of network liability insurance.
Level 2: Comprehensive Onsite eRisk Security Assessment ($23,000) – The Level 2 assessment provides organizations that conduct internally managed e-commerce or Internet banking operations with a comprehensive on-site assessment and network vulnerability test. The assessment gauges an organization's level of vigilance and compliance with federal regulations that govern the safeguarding of corporate information assets. The Level 2 deliverable is a comprehensive findings report that addresses the outcomes associated with ISO security standards and dissects the network's strengths, weaknesses and vulnerabilities. It also makes recommendations for corrective action. Level 1 can be re-purposed to assist in maintaining or pre-qualifying for certain forms of network liability insurance.