Network Security & Privacy Discussion, Colorado Community Health Network, April 14, 2014. Presented by Kevin Keilbach (Client Executive, Health Care) and Jeff Van Gulick (Executive Risk Practice Leader).
Network Security & Privacy Discussion Colorado Community Health Network April 14, 2014 Presented by: Kevin Keilbach – Client Executive – Health Care Jeff Van Gulick - Executive Risk Practice Leader

Cyber Risk

Issues around the protection of personally identifiable data are a growing concern, and not a day goes by without news of some organization suffering a breach of that data. Questions you should ask yourself in the event that data you hold is breached, lost or stolen:
- Who do I contact to assess the extent of the breach?
- Who do I need to notify, and which state or federal agencies need to be involved?
- What are my legal obligations?
- What are the timeframes for my actions?
- Do I have coverage for the costs involved?
These and many other questions must be addressed in a very tight timeframe once you become aware that some or all of your patient data has been compromised.

Patient Data Privacy/Cyber Insurance

Cyber Risk

For any organization that operates a computer network, maintains a website, accesses the internet, or stores personally identifiable information (PII) or protected health information (PHI), network security/privacy ("cyber") risk is a growing concern. Health care organizations are among the highest-risk industries for patient data privacy claims. Cyber (network security/privacy) insurance policies can be customized to protect your business against the following:
- Claims made by third parties arising from a breach of network security that results in damage to the third party's network or data, or in the dissemination of private or confidential information (electronic or hard copy)
- Costs to respond to a security breach (notification, credit monitoring, public relations, forensics, legal expenses)
- Replacement of income lost because of a security breach
- Costs to restore the business's own damaged or destroyed data
- Costs to address a cyber extortion threat

Coverages available (in any combination) to respond to the various cyber risk exposures:
- Network Security Liability: coverage for unauthorized access, theft or destruction of data, identity theft, denial-of-service attacks and virus transmission.
- Privacy Third-Party Liability: coverage for theft, loss or unauthorized disclosure of personally identifiable information or other third-party confidential information. Coverage for regulatory proceedings is also available.
- First-Party Protection: coverage for the costs of complying with the notification requirements of data breach laws, credit monitoring for affected parties, computer forensics, and public relations / crisis management.
- Media / Electronic Media Liability: coverage for claims of personal injury and intellectual property offenses, including copyright or trademark infringement, slander, defamation and invasion of privacy. (The existence of a website alone creates this exposure.)
- Cyber Extortion (first-party protection): coverage for threats from hackers who make demands in exchange for not bringing down the computer network, or for not disseminating or destroying data. Provides reimbursement for the extortion payment and investigation costs.
- Cyber Business Interruption (first-party protection): coverage for financial loss suffered because of an interruption or failure of the insured's computer network resulting from a security failure.
- Information Asset Coverage (first-party protection): covers the cost to restore or recreate electronic data and other information assets damaged by a computer attack.

Privacy / Security Laws

The following laws create first- and third-party exposures to loss, as well as the possibility of regulatory proceedings, fines and penalties:
- State breach notification laws (in all but four states: AL, KY, NM and SD)
- Red Flags Rule (FTC)
- Massachusetts data security regulation
- HIPAA (Health Insurance Portability & Accountability Act)
- HITECH (Health Information Technology for Economic & Clinical Health Act)
- Gramm-Leach-Bliley Act
- International privacy laws

Exposure

HIPAA
- Privacy Rule: requires appropriate safeguards to protect the privacy of protected health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
- Security Rule: defines standards, procedures and methods for protecting electronic PHI, with attention to how PHI is stored, accessed, transmitted and audited (written procedures and protocols, along with business associate agreements).
- Enforcement Rule: governs the process by which the HHS Office for Civil Rights (OCR) investigates and resolves alleged violations of the HIPAA Privacy and Security Rules.
- Omnibus Final Rule (effective September 23, 2013): implemented most of the privacy amendments mandated by HITECH. The Privacy Rule now also applies directly to business associates, and existing business associate contracts must be brought into compliance by September 22, 2014.

HITECH Act
- Applies the same HIPAA privacy and security requirements (and penalties) that bind covered entities to business associates.
- Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates. Affected individuals must be notified; for breaches affecting more than 500 individuals, HHS and prominent media outlets must be notified as well.
- Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting-of-disclosures requirements.
- Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods, and vests limited enforcement authority in state Attorneys General.
- Mandates that the new security requirements be incorporated into all business associate contracts.
- Creates DIRECT liability for business associates.

Claims Discussion: Highlights of Claims Findings

Type of data
- PII was the most frequently exposed data type: 29% of breaches
- PHI followed closely: 27% of breaches

Cause of loss
- Lost or stolen laptop/device was the most frequent cause of loss: 21%
- Hackers followed: 15%

Business sector
- Healthcare was the sector most frequently breached: 29%
- Financial services followed: 15%

Company size (share of claims)
- Small-cap ($300M to $2B): 23%
- Nano-cap (under $50M): 22%
- Mega-cap (over $100B) companies lost the most records: 46%

© 2013 NetDiligence

Claims Discussion: Highlights of Claims Findings

Per-breach costs
- Average claim: $1.3M
- Claim range: $2.5K to $20M
- Median claim: $242.5K

Per-record costs
- Average cost per record: $307
- Median cost per record: $97
- Average records lost: 2.3M
- Median records lost: 1K

Crisis services costs (forensics, notification, credit monitoring)
- Average cost: $737K
- Median cost: $220K

Legal costs (defense and settlement)
- Average cost of defense: $575K
- Median cost of defense: $7.5K
- Average settlement: $258K
- Median settlement: $22.5K

© 2013 NetDiligence

Claims Findings (chart): type of data exposed, with PII and PHI leading; leading causes of loss, with lost/stolen laptop/device first, followed by hackers and rogue employees. © 2013 NetDiligence

Claims Findings (chart): breaches by business sector, with healthcare the overwhelming majority; claims by company size, with nano- and small-cap companies leading. © 2013 NetDiligence

Cyber Claims Overview: Privacy Claim Examples

Emory Healthcare, Emory University Hospital. Emory Healthcare revealed that 10 backup discs containing patient information were missing from a storage location at Emory University Hospital. The discs were determined to have been removed sometime between February 7, 2012, and February 20, 2012. The patient information related to surgery and included names, Social Security numbers, diagnoses, dates of surgery, procedure codes or the names of the surgical procedures, surgeon names, anesthesiologist names, device implant information, and other protected health information. Patients treated between September 1990 and April 2007 were affected. Number of records breached: 315,000. Financial impact: undisclosed.

Peninsula Orthopaedic Associates. As many as 100,000 patients of Peninsula Orthopaedic Associates were warned to protect themselves against identity theft after tapes containing patient information were stolen. Patients were also advised to watch the benefits statements from their health insurance companies, since they may also be at risk of medical identity theft. The records were stolen on March 25 while in transport to an off-site storage facility. Patients' personal information, including Social Security numbers, employers and health insurance plan numbers, may have been among the information stolen. Number of records breached: 100,000. Financial impact: undisclosed.

Pathology Group. Someone broke into a locked office building and stole several computers with flat-screen monitors. One of those computers held patient information on about 75,000 people, including names, addresses, Social Security numbers and medical information. Number of records breached: 75,000. Financial impact: undisclosed.

Data Breach Expenses: Breach Scenario

The average cost of a data breach across all sectors is $214 per record. The average cost of a data breach in the healthcare industry is $301 per record, of which 34% is direct cost to respond to the breach and 66% is indirect cost, mostly the cost of lost business. [1] For example, at $301 per record, a breach of 25,000 records implies roughly $7.5M in total cost, of which 34% (about $2.6M) would be direct expense, which is consistent with the sum of the ranges in the table below.

Scenario: a breach results in the dissemination of the personally identifiable information of 25,000 patients, or of 100,000 patients. The following table approximates the direct expenses required to respond to the breach (data extrapolated from the per-record costs published in the 2010 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, March 2011).

Estimated expenses                                                         25K records        100K records
Mitigation expenses: computer forensics, legal advice, crisis management / PR   $200K to $750K     $1M to $2M
Notification and credit monitoring                                         $500K to $1.25M    $3M to $5M
Legal defense expenses for claims brought by breach victims                $300K to $1M       $2M to $4M

Regulatory defense costs, fines and penalties are not contemplated in the estimates above and may result in significant additional expense.

[1] 2010 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, March 2011.

Loss Control: Security Assessment

HUB has partnered with NetDiligence, a full-service cyber risk management and information security services firm based in Pennsylvania. NetDiligence offers three levels of cyber risk assessment and vulnerability testing:

Level 0: Self-Assessment. The Level 0 assessment allows a company to use NetDiligence's QuietAudit® online tool to evaluate its own security controls and privacy measures, a thorough and efficient way to prepare for regulator reviews or to perform general risk management housekeeping. QuietAudit® produces an online summary scorecard based on the answers to about 100 simple questions. Clients typically take about two hours to complete the questions, which focus on the ISO security best-practice standard's fourteen control categories. The Level 0 executive-level summary report reveals a network's strengths and vulnerabilities in a format suitable for presentation to senior management or a board of directors. It is an efficient approach to validating best practices and establishing a baseline level of due-care network security and privacy measures, and is the first step prior to a Level 1 or Level 2 assessment.

Level 1: Remote eRisk Security Assessment. The Level 1 assessment provides a cost-effective cyber risk security assessment and server vulnerability testing, ideal for financial institutions that outsource their core bank processing, Internet banking firms, and web hosts. This service balances the due diligence needed to gauge a client's security and privacy posture against the factors that might mitigate or increase cyber risk. The Level 1 deliverable is an ISO-based executive-level report that details the network's strengths, weaknesses and vulnerabilities, along with recommendations for corrective action. Level 1 can be re-purposed to assist in maintaining or pre-qualifying for certain forms of network liability insurance. Price: $8,000.

Level 2: Comprehensive Onsite eRisk Security Assessment. The Level 2 assessment provides organizations that run internally managed e-commerce or Internet banking operations with a comprehensive on-site assessment and network vulnerability test. The assessment gauges an organization's level of vigilance and compliance with the federal regulations that govern the safeguarding of corporate information assets. The Level 2 deliverable is a comprehensive findings report that addresses the outcomes associated with the ISO security standards and dissects the network's strengths, weaknesses and vulnerabilities, with recommendations for corrective action. Like Level 1, it can be re-purposed to assist in maintaining or pre-qualifying for certain forms of network liability insurance. Price: $23,000.