Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.

Transcription

1 Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier

2 Data Breach Trends 2011 Average Loss to Organization = $5.5 million Down from $7.2 million in 2010 Not including organizations in excess of 100,000 Low of $566K, High of $20.9 million 2011 Average Loss per Victim = $194 Cost per Malicious Attack = $222 Cost per Negligent Employee = $ Malicious Attacks, up over 3x Up from 12% to 24% to 31% to 37% ( ) Source: Ponemon Institute/Symantec, 2011 U.S. Cost of a Data Breach Study (49 organizations across 14 sectors)

3 Data Breach Trends Source: Ponemon Institute/Symantec, 2011 U.S. Cost of a Data Breach Study

4 Data Breach Vectors External Internal

5 Response: Preserve the Data Unhook infected machines (leave power on). Do NOT poke around. Insert clean and patched machines. Call forensic experts to image infected machines. Save off log files (e.g. web, firewall, IDS). Pull needed backup(s) out of rotation. Save keycard data and surveillance tapes. Start real-time packet capture. Force password change.

6 Breach Response Challenges Timing Paradox More careful analysis takes time More careful analysis increases certainty Can locate lost/stolen data Can account for malware changes, attacking IP s Can run scans across entire network Can better account for PII and PHI sources More careful analysis reduces cost 2010 Ponemon Findings: Quick Responder* Cost = $268 per record Later Responder Cost = $174 per record *notification within 30 days

7 Rebuild Drives Preservation (2-5 days) Forensic Analysis (10-14 days) Malware Analysis (4-7 Days) DAYS Scanning (10-14 days) Report (5-10 days)

8 Breach Response Challenges Law Enforcement Contact Timing Report soon But after breach defined Interaction Expect request for interview, report, raw data Consider asking for friendly subpoena Don t expect updates or immediate results (Exception: new willingness to share IOCs)

9 Breach Response Challenges Breach Definitions Did an unauthorized party: Access Acquire Misuse Disclose PII/PHI Does investigation show: Material compromise Actual loss or injury to consumer Material risk of ID theft or fraud A low probability that PHI has been compromised

10 Breach Response Challenges Communications In advance Establish an effective governance structure that Speaks truth to power Enforces security across the organization Provide security training to your employees When a breach hits Assemble response team immediately Discourage blame, data hoarding, and avoidance Communicate often, but not constantly Coordinate with counsel over reporting

11 Top 10 Security Issues: Operations/Execution 1. Governance 2. Breach Preparedness 3. Training 4. Encryption 5. Logging 6. Inventory Management 7. Network Segmentation 8. Network Configuration 9. Access Controls 10. Physical Security

12 Prevention Governance Who s in Charge? Roles and Responsibilities Policies & Procedures CSO GC IT HR Ops

13 Prevention Breach Preparedness Develop a Plan Build Your Team

14 Prevention the Response Plan Management endorsement Contact Lists Legal Analysis and Timeline Categories of adverse events First steps checklist Facilities and equipment lists Outreach plan Develop a Plan Build Your Team

15 Prevention the Response Team Outside Counsel In-House Counsel Outside Incident Response Experts Client and Media Relations In-House IT Incident Response Human Resources Business Unit CPO, CSO Compliance Develop a Response Plan Build Your Team

16 Prevention Logging Centralized Synchronized Retained (3 to 6 months) Verbose Default ( On ) External AND Internal Monitored!

17 Shared Experience: Things People Wish They Learned by Being Told Rather Than Through Experience 1. Remain Calm. 2. Leverage Experts. 3. Privilege. 4. Alacrity. 5. Triage. 6. Momentum. 7. Perspective.

18 HIPAA Breach Notification Covered Entity or Business Associate? Breach? Affected Individuals or the Covered Entity? HHS? Media? Potential Civil Penalties CE or BA? Breach?? HHS? Media? Penalties

19 Covered Entity or Business Associate? Healthcare Provider Health Plan Healthcare Clearinghouse Business Associate to Covered Entity, e.g., vendor or service provider CE or BA? Breach?? HHS? Media? Penalties

20 Breach? Breach means the unauthorized acquisition, access, use, or disclosure of protected health information ( PHI ) Exceptions: Good faith access or use by workforce or agent Inadvertent disclosure to person within organization who may access PHI, just not this PHI Good faith disclosure and recipient could not have retained PHI PHI means information that reasonably identifies an individual and relates to health, receipt of health services, or payment for health services CE or BA? Breach?? HHS? Media? Penalties

21 Breach? Any unauthorized acquisition, access, use, or disclosure of PHI is presumed a breach unless a risk assessment shows a low probability of PHI compromise. Risk Assessment Nature and extent of the PHI involved Nature of the unauthorized user or recipient Whether PHI was actually acquired or viewed Any risk mitigation measures taken CE or BA? Breach?? HHS? Media? Penalties

22 Change to Breach Analysis Former Rule. Not a breach until it was determined that the compromise posed a significant risk of financial, reputational, or other harm to the individual. New Rule. Unauthorized access, use, or disclosure is presumed a breach, unless a risk assessment shows a low probability of PHI compromise. CE or BA? Breach?? HHS? Media? Penalties

23 ? Covered Entity. A covered entity shall, following the discovery of a breach of unsecured PHI, notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach. Business Associate. A business associate shall, following the discovery of a breach of unsecured PHI, notify the covered entity of such breach. Unsecured PHI. PHI not rendered unusable, unreadable, or indecipherable through technology or other means. CE or BA? Breach?? HHS? Media? Penalties

24 Covered Entity Notifies Individuals Timing. without unreasonable delay and within 60 days Timing based on date of discovery: when the breach is known or would have been known through reasonable diligence. May delay for law enforcement purposes. Content Requirements. Notice must be in plain language and contain certain elements. Notification Methods. Written notice must be made, if possible, otherwise substitute notice. CE or BA? Breach?? HHS? Media? Penalties

25 Business Associate Notifies Covered Entity Timing. without unreasonable delay and within 60 days Timing. without unreasonable delay and within 60 days Timing based on date of discovery: when the breach is known or would have been known through reasonable diligence. May delay for law enforcement purposes. Content Requirements. Notice include identification of affected individuals, to the extent possible. Provide Information. Business associate must provide information as it becomes available to covered entity, so the covered entity can make required notices. CE or BA? Breach?? HHS? Media? Penalties

26 Covered Entity Notifies HHS Breaches Involving 500 or More Individuals. HHS contemporaneous with notifying affected individuals Breaches Involving Less Than 500 Individuals. Document the breach in a log Provide the log to HHS annually CE or BA? Breach?? HHS? Media? Penalties

27 Covered Entity Notifies Media Breaches Involving 500 or More Individuals in a Single State. prominent media outlets serving the State or jurisdiction. Timing. without unreasonable delay and within 60 days Content Requirements. Notice must have same content as notice to affected individuals. Breaches Involving Less Than 500 Individuals in a Single State. No media notification. CE or BA? Breach?? HHS? Media? Penalties

28 Potential Penalties for Non-Compliance Maximum of $1.5 million penalty for identical violations during a calendar year Category Fine Range per Violation Did not know of violation $100 to $50,000 Reasonable cause, and no willful neglect $1,000 to $50,000 Willful neglect, corrected $10,000 to $50,000 Willful neglect, not corrected $50,000 CE or BA? Breach?? HHS? Media? Penalties

29 Resources NIST Computer Security Resource Ctr csrc.nist.gov HHS Health Information Privacy - ww.hhs.gov/ocr/privacy State Data Breach Laws FTC Privacy Actions Privacy Rights Open Security Foundation, Data Loss DB datalossdb.org

30 Gerard M. Stegmaier, Esq K Street, NW Fifth Floor Washington, DC Phone Fax gstegmaier@wsgr.com