AHLA. N. HIPAA Security Breaches: What Should We Be Doing to Keep Us Out of the Headlines? Diane E. Felix Armstrong Teasdale LLP Saint Louis, MO

Transcription

1 AHLA N. HIPAA Security Breaches: What Should We Be Doing to Keep Us Out of the Headlines? Diane E. Felix Armstrong Teasdale LLP Saint Louis, MO Anthony J. Munns Brown Smith Wallace LLC Saint Louis, MO Suzanne Sheldon-Krieger Corporate Responsibility Officer Ascension Health Senior Care St. Louis, MO Long Term Care and the Law February 23-25, 2015

2 Security Breaches What should we be doing to stay out of the headlines? American Health Lawyers Association Long Term Care and the Law Program 2015 Diane Felix, Anthony Munns, Suzanne Sheldon-Krieger Breaches & Settlements 2014 Still an Issue Stolen Laptops & Computers One of top ten reported breaches in 2014 involves stolen laptops Sutherland HC Services (#3) - billing, collections vendor for LA County 8 unencrypted desktop computers stolen 168,000 individuals class action lawsuit One of largest federal fines in 2014 $1.7M assessed against Springfield, Mo. based Concentra Health Services (Humana subsidiary) unencrypted laptop stolen from physical therapy center 870 patient records Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 2 1

3 Breaches & Settlements 2014 Still an issue Unauthorized Access or Theft of Paper Two of top ten reported breaches in 2014 involve paper Walgreen, IL (#6) 160,000 individuals St. Vincent Hosp. and Health Care Center, IN (#9) 63,325 individuals At least four of the smallest ten reported breaches in 2014 involved involve theft or unauthorized access to paper One of larger Federal fines in $800,000 involved Parkview Health System (Ft. Wayne, IN) Dropped off 71 cardboard boxes of patient medical records in the driveway of a physician s home Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 3 Breaches & Settlements 2014 Far larger issue than in previous years Hacking & Unauthorized Access to Electronic Data ( Cybersecurity ) Three of top ten reported breaches in 2014 involved cybersecurity issues Community Health Systems (TN) NRAD Medical Associates (NY) Onsite Health Diagnostics (TX) Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 4 2

4 Breaches & Settlements 2014 Smaller organizations not immune to cybersecurity threats 18-bed Clay County Hospital in Flora, IL received anonymous on 11/2/14 with patient information, threatening public release unless a ransom was paid 12,621 patients potentially affected Investigation found system not hacked insider? Information was name, address, SSN, DOB no medical information Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 5 Breaches & Settlements 2014 Anchorage Community Mental Health Services fined $150,000 and will adopt a corrective action plan under a 12/2/14 Resolution Agreement with HHS/OCR Malware compromised PHI for 2,743 ACMHA adopted sample security rule policies & procedures in 2005, but didn t follow or update until after the breach Sixth fine levied by HHS/OCR in 2014 Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 6 3

5 Looking beyond HIPAA and PHI Information Security = Protecting information from cyber criminals and those who do not have a need to view, access, modify or use. Cybersecurity = Measures taken to protect a computer or computer system connected to the Internet against unauthorized access or attack. Personally Identifiable Information (PII) = Any data that could potentially identify a specific individual. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger Cost of Cyber Crime Study: United States Cyber crimes continue to be very costly for organizations. Mean annualized cost for 59 benchmarked organizations $12.7 M, which was 9.3% increase over prior year. Cyber crime cost varies by organizational size. Most costly cyber crimes are those caused by denial of services, malicious insiders and malicious code. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 8 4

6 2014 Cost of Cyber Crime Study: United States Cyber attacks can get costly if not resolved quickly. Average time to resolve a cyber attack was 45 days, with an average cost to participating organizations of $1,593,627 during this 45-day period. Malicious insider attacks can take more than 65 days on average to contain. Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. Recovery and detection are the most costly internal activities. Activities relating to IT security in the network layer receive the highest budget allocation. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger Cost of Cyber Crime Study: United States Deployment of security intelligence systems makes a difference. A strong security posture moderates the cost of cyber attacks. Companies deploying security intelligence systems experienced a substantially higher ROI at 30 percent than all other technology categories presented. Deployment of enterprise security governance practices moderates the cost of cyber crime. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 10 5

7 Cost of Data Breach What is the value of information that is in your custody, that you own, store, process or transmit? Value vs. cost of protection? What is your risk appetite? What is the cost if your data is compromised? Reputation, lost of revenue, legal fines and restitution? Healthcare businesses paid an average cost of $5.9 million per data breach For all industries the total annualized cost of cyber crime in 2014 ranges from a low of $1.6 million to a high of $60.5 million. The median annualized cost of cyber crime in the benchmark sample is $9.7 million an increase from last year s median value of $9.1. The mean value is $12.7 million. This is an increase of $1.1 million or a 9.3 percent from last year s mean of $11.6 million. Source: Ponemon 2014 Cost of Data Breach Study Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 11 Major Causes of Data Breach Malicious attacks most costly, more frequent Malicious or criminal attack System glitch Human Error Ponemon 2013 Cost of Data Breach Study Malicious attacks cause 41% of data breaches, with a per capita cost of $277 Human Error cause 33% with a cost of $174 Employee Negligence cause 26% cost $159 Malicious or criminal attacks include malware, criminal insiders (employees, contractors or other third parties), phishing/social engineering and web site attacks System glitch includes loss of system or component, IT and Business process failures Human error is negligent insiders that are individuals who cause a data breach because of their carelessness, as determined in a post data breach investigation. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 12 6

8 Steps to Reduce the Risk Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 13 7 Factors that Influence the Cost of a Data Breach The organization had an incident management plan. The organization had a relatively strong security posture at the time of the incident. CISO (or equivalent title) has overall responsibility for enterprise data protection. Data was lost due to third party error. The organization notified data breach victims quickly. The data breach involved lost or stolen devices. Consultants were engaged to help remediate the data breach. Source: Ponemon 2013 Cost of Data Breach Study Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 14 7

9 Security Risk Assessment Organizations should conduct annually a formal risk assessment for all systems to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of systems and data. There are several excellent resources: NIST Special Publication SP Guide for Conducting Risk Assessments, and NIST Special Publication SP Introductory Resource Guide for Implementing the HIPAA Security Rule. In this document Appendix E is the Risk Assessment Guidelines. OCR has published Guidance on Risk Analysis Requirements under the HIPAA Security Rule Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 15 HHS Encryption, Methods for Protecting Two approved methods for protecting: encrypt or destroy Two types of encryption: Data at rest: NIST SP , Guide to Storage Encryption Technologies for End User Devices Data in transit: compliance with the Federal Information Processing Standard (FIPS) requirements has been issued as draft Two methods of destruction: Non-electronic media: shredded or destroyed such that PHI cannot be recovered Should be cleared, purged, or destroyed consistent with NIST SP , Guidelines for Media Sanitization such that PHI cannot be recovered Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 16 8

10 Paper Breaches included? HIPAA Rule: yes FTC Rule: no BUT dumpster diving cases have been among their most often pursued as unfair and/or deceptive trade practices since joint prosecutions of RiteAid and CVS with HHS States: Generally no, only covers systems data Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 17 Vendor Management Formal procedures should be established for hardware, software, or services vendor qualification. Considerations for their selection should include the following: Applicability of the IT solutions to the intended environment consider the sensitivity of the data, is this PII or PHI? The organization's security policies, procedures, and standards and other requirements such as resources available for operation, maintenance, and training. What evidence can be reviewed: Security Audits, Pen Tests, SSAE 16 SOC 1 or SOC 2 Type 2 reports, PCI DSS ROC reports Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 18 9

11 Security Frameworks Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 19 Frameworks: Areas of Information Security & Privacy Management Information Security Governance Information Risk Management and Compliance Information Security Program Development and Management Information Security Incident Management Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 20 10

12 Information Security Governance Responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, and determining that risk is managed appropriately and verifying that the enterprise s resources are used responsibly. Source Information Security Governance Guidance for Boards of Directors and Executive Management IT Governance Institute (ITGI) Couple of Key Points: Establish and maintain an information security strategy in alignment with organizational goals; including a security framework to guide activities that support the strategy including: Information security policies that communicate management s directives and guide the development of standards, procedures and guidelines Develop business cases to support investments in information security. Holistic (internal and external) influences to the organization (e.g. technology, business environment, geographic location, etc.) Define and communicate roles and responsibilities throughout the organization Measure the effectiveness of the information security strategy. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 21 Information Risk Management and Compliance Systematic application of management policies, procedures and practices that identify, analyze, evaluate, report, treat and monitoring information risks Some Key Points: Asset classification to ensure that measures taken to protect assets are proportional to their business value don t forget data Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels (e.g. HIPAA, PCI, GLBA) Ensure risk assessments, vulnerability assessments and threat analysis are conducted periodically to identify risk to the organization s information Integrate information risk management into business and IT processes (e.g. development, procurement, project management) to promote a consistent and comprehensive information risk management process across the enterprise Monitor existing risk to ensure that changes are identified and managed appropriately Compliance does not mean your information is secure. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 22 11

13 Governance Frameworks Lot of good frameworks out there pick one: COBIT 5 - It's the leading framework for the governance and management of enterprise IT. ISO The ISO family of standards helps organizations keep information assets secure. ITIL - The Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an information technology organization and a set of standard operational management procedures and practices to allow the organization to manage an IT operation and associated infrastructure. NIST Cybersecurity Framework recently announced, immature, still being developed. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, See also the Cloud Security Alliance Cloud Controls Matrix Version that side-by-side compares diffèrent frameworks Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 23 Information Security Program Development and Management Development and documentation of activities, projects, and/or initiatives to implement the information security strategy and manage the program, Key Points: Program needs to align with information security strategy, and needs to integrate with other business functions such as HR, accounting, procurement and IT - Integrate information security requirements into organizational processes and based on Security Risk Assessment updates Establish and maintain information security architectures (people, process, technology) segmentation, minimum necessary Robust perimeter firewalls, DMZs, VPNs, File Sharing, secure Intrusion Prevention/Detection systems and consider Security information and event management (SIEM) Consider Data Leak Prevention technologies (DLP) Vendor management program Robust change management system Secure software development Data backups, Business Impact Analysis, Business Continuity & Disaster Recovery Planning Develop and conduct security awareness and training Continually measure the program Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 24 12

14 Information Security Incident Management Manage unexpected disruptive events minimizing impacts and maintaining or restoring normal operations within a defined time period. This is not an IT only plan. Key Points: Establish a hierarchy to accurately identify and response to incidents Develop and maintain an incident response plan to be able to respond appropriately (e.g. legal and regulatory requirements) Establish external relationships: e.g. PR firm, Forensic Investigators, Specialist Counsel, Insurance Company (understand cybersecurity policy- cover as well as resources) Develop processes, train teams and periodically conduct tests to effectively identify and respond of information security incidents Establish incident escalation and notification processes Establish and maintain internal and external communication plans. Perform root cause analysis post-incident and record as lessons learned. Integrate incident response plan, disaster recovery plan and business continuity plan. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 25 HIPAA Definition of Breach and Required Notification The final regulations modify the definition of breach. Under the interim final breach notification rule, a breach would have been considered to have occurred if the access, use or disclosure poses a significant risk of financial, reputational or other harm to an individual. The final regulations stipulate that an acquisition, access, use, or disclosure of protected health information in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. if the organization believes the risk of compromise is unknown or low, you must perform a documented risk assessment. The assessment of whether there is a low probability that the protected health information has been compromised must be based on an assessment of at least the following factors: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification. The identity of the unauthorized person who used the PHI or to whom the disclosure was made. Whether the PHI was actually acquired or viewed. The extent to which the risk to the PHI has been mitigated. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 26 13

15 HIPAA Clarification of Breach Breaches do not include: unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith & within the scope of authority & doesn t result in further use or disclosure in a manner not permitted by the Privacy Rule inadvertent disclosures of PHI from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates. disclosures of PHI where a CE or a BA has a good faith belief that an unauthorized person to whom the disclosure was made wouldn t reasonably have been able to retain such information. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 27 Responsibilities Be very careful with terminology if you term it a breach, the rules kick in. Let legal make the call. And, the great majority of breaches are not notice-triggering Service Provider should: Be aware of applicable Business Associate Agreement terms. Contact covered entity when it first suspects a data breach, NOT after it has been investigated Follow the instructions of the covered entity Assume financial responsibility (negotiate credit monitoring costs for number of enrollees accessing, not records breached)(and, don t assume insurance will cover the costs) Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 28 14

16 Questions Attorneys Should Ask of Executive and IT Management to Reduce the Risk Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 29 Questions to Reduce the Risk Do we Perform an Annual Security Risk Assessment? And do we have a program to mitigate risks identified as they change? Do we have a Security Awareness Program? Do we educate employees on how to handle confidential information? Do we Harden, Update and Patch Systems? Does this include all systems, programs, utilities, everything? Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 30 15

17 Questions to Reduce the Risk Do we Use Intrusion Detection & Data Leak Prevention? Do we monitor sensitive data and control it leaving the organization? Do we Utilize Encryption? Data at rest and in motion, websites, peripherals, , etc.? Do we have a Vendor Management Program? Do we determine if are they fit for purpose? Do we have an Incident Response Plan? Does it include all key partners: IT, forensics, legal, PR and Management? Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 31 Conclusion Information Security impacts all our lives on a daily basis. Due diligence and caution should be taken when divulging personal information via public networks and social media outlets. Controls need to be defined, documented and implemented to reduce the risk of information being viewed, accessed or compromised. Proper mixture of people, processes and technology needs to exist. And education The need for information security will continue to increase, possibly exponentially, as technology continues to evolve and becomes integrated into the mainstream of business processes. Network perimeters once defined and controlled by business and educational institutions continue to erode (e.g. BYOD). Security and privacy is a continuous process, not just a product. Having good compliance does not mean you are secure. Vulnerability assessment and penetrating testing are one of the tools that can help an organization gain a better understanding of their security strengths and weaknesses. Security Breaches What should we be doing to stay out of the headlines? Felix/Munns/Sheldon Krieger 32 16