COPIC INSIGHT: DATA BREACHES


COPIC INSIGHT: DATA BREACHES
SEPTEMBER 2015

COPIC INSIGHT is a new, exclusive resource for COPIC-insured individuals, practices, and facilities. It provides insight on a timely issue in health care, along with resources to help insureds address it in their own setting.

CONTENTS
Cyber Liability
Cyber Risk Assessment
Vulnerabilities
Mitigating Cyber Risk
What Now?
Considerations When Looking for External Support
Resources

* Information provided is for general education purposes and not intended as legal guidance or practice standards.

COPIC Insurance Company, September 2015. CALLCOPIC.COM

CYBER LIABILITY

Cyber liability is a rising concern among health care providers, who increasingly depend on a variety of technologies to care for patients, share health information, and collaborate with other providers. Increased reliance on these technologies has led to a large universe of cyber-related vulnerabilities, ranging from data loss or corruption to hacking and privacy breaches. Any of these can have serious civil, regulatory, financial and even criminal consequences. However, steps can be taken to reduce the risks and mitigate the impacts of cyber events.

The Risk of a Data Breach
Given the frequency and potential impact, the most critical exposure for medical practices is data breach. Intrusion into supposedly secure databases is a daily event. Thousands of attacks are intercepted per second. In 2013, there were more than 600 reported data breaches in the United States. Just one year later, that number hit a record high of 783. Nearly half of these occurred in health care organizations.[1] Both the number and scale of events are growing.

WHAT IS A DATA BREACH?
A data breach occurs when confidential information is exposed to an unauthorized party. Health care practices and facilities are accountable for three categories of data:
1. Patient data (PHI, Protected Health Information)
2. Employee data (employment, background, banking, contact, insurance, etc.)
3. Business or business associate data (accounting, banking, trade secrets, strategies, patents, etc.)
Myriad federal and state laws, as well as civil claims, create liability exposure for data breaches.

Cyber Claim Trends
While every health care practice or facility has a unique risk profile, NAS Insurance Services (COPIC's partner for cyber liability coverage) reports the following trends in recent claims:

1. Lost device. The single greatest exposure to cyber liability arises from lost or stolen devices, particularly laptops that are not encrypted.
Mitigating this risk: Encrypt all data storage devices that are taken out of the office, such as removable drives, tablets, cell phones used for email, and USB flash drives. Ensure that laptops are password-protected.

2. Ransomware. Typically targeting smaller organizations, cyber-extortionists introduce a virus (often in an official-looking message) that invades and encrypts data, cutting off access to all users. The extortionists demand a ransom to provide the password to unlock the practice's data.
Mitigating this risk: It is important that everyone is trained to be wary of opening emails from senders they do not recognize, and that organizations invest in anti-virus software for all computers. When in doubt, contact your IT department to determine whether an email poses a risk.

3. Third-party complaints. There is an increase in lawsuits and demand letters from third parties (mainly patients) when their data is affected by a data breach. Apart from lost privacy, breaches open the door to identity theft and medical fraud.
Mitigating this risk: It is best to ensure that systems are in place to prevent a breach in the first place. However, once a breach occurs, transparency is paramount. Report the breach as quickly as possible to your carrier and appropriate management to determine when and how patients should be alerted.

4. Before and after pictures. A higher risk for dentists, plastic surgeons, and dermatologists, these claims stem from providers neglecting to gain permission before using or transmitting photos of procedures or patient care, including in advertising. Even photos that have been de-identified may be recognized by patients, family, or co-workers, giving rise to privacy violations.
Mitigating this risk: Ensure that patients sign a photo release form prior to sharing any photos, whether or not the photos have been de-identified.

5. Employee access to restricted files. Employee snooping gives rise to HIPAA violations. Patients who are politically or socially prominent, co-workers, family members, or those whose information is otherwise sensitive need extra privacy.
Mitigating this risk: Protect patient privacy by establishing individual accounts and controlling who can access which files. Ensure that access logs are kept so that if snooping occurs, the culprit can quickly be identified.

HOW SERIOUS ARE DATA BREACHES?
NAS Insurance Services estimates that health care providers will pay between $10 and $30 per affected patient record for breach response services. These typically include legal and investigative services, patient notification, credit protection, regulatory response and fines, and the cost of repairing provider systems and reputation. A breach that impacts 1,000 patient records could easily cost $10,000 to $30,000, excluding penalties.

Best Practices Are Emerging
The variety of health care settings makes it difficult to prescribe one-size-fits-all solutions. Nevertheless, there is general advice for data protection.

DO
-- Get advice, training, and support for everyone.
-- Keep written records of policies, training, risk assessments, and actions taken.
-- Know where your data is and who has access to it.
-- Use a layered approach to data protection, with multiple safeguards operating in different ways.
-- Make plans for likely risks and disasters.

DON'T
-- Take privacy and security lightly.
-- Assume things are OK as long as you have not detected obvious problems.
-- Store PHI on unprotected devices.
-- Stop reviewing vulnerabilities and safeguards after your initial assessment.
-- Enter into electronic transactions or communications with unknown correspondents.

CYBER RISK ASSESSMENT

HIPAA requires providers to conduct a risk assessment of the privacy and security of their protected information (PI). You can download COPIC's Electronic Risk Assessment Checklist for Office Practices (available on COPIC's website under the Practice Management Resources section).[2] This step-by-step guide provides an overview of this mandatory process. The principles are simple, but the details can get technical; most organizations will need tech support.

STEP 1: Identify your information vulnerabilities and threats (risk audit).
STEP 2: Take stock of your defenses and safeguards (your own and those of business associates, vendors, contractors, etc.).
STEP 3: Consider your threats and vulnerabilities, and estimate their likelihood.
STEP 4: Predict the harms of each threat occurring.
STEP 5: Describe measures taken to block vulnerabilities and mitigate impacts; prioritize measures to adopt.
STEP 6: Implement.
STEP 7: Document it all.

VULNERABILITIES

Three key areas of risk are virtually universal. Typically, these are the first to address, regardless of the setting. Here are some examples of questions to ask yourself in each of the three key areas.

I. Data at Rest (Stored in Devices)
Q: Can you list everywhere your protected information resides?
Q: Do you carry PHI on portable devices (laptops, mobile phones, jump drives, etc.) outside of your office?
Q: What physical protections do you have (locks, cameras, building security) for your office equipment (servers, routers, backup drives, computers, tablets, laptops, etc.)?
Q: What is your disaster plan?
Q: Are your drives (including portable devices) encrypted?
Q: How do visitors get access to your office?

NOT JUST ELECTRONIC: ADDRESS PAPER
Paper as well as electronically stored information is subject to data breaches. Keep this in mind when transferring and disposing of paper files.

[2] This is protected content and requires a username and password to access it.

II. Data in Transit (Being Transmitted)
Q: Do you use email, text messaging, or other data connections with external colleagues, facilities, and/or patients?
Q: Do you connect to external PHI remotely (through a portal, VPN or FTP site)?
Q: Do you have a Wi-Fi network at your office or home?
Q: Do you connect to Wi-Fi networks away from the office or home?
Q: How do you create and manage passwords?

III. Data During System Transitions and Migrations
Q: Is your EHR fully configured and implemented?
Q: How do you prevent data loss/corruption during system updates?
Q: When is the next time you plan significant changes to your information systems?
Q: What is your security and privacy training program for new staff?
Q: What is your EHR training program for new users?
Q: What is your process for removing system access from terminated users?

MITIGATING CYBER RISK

Risk assessment is not fragmented into separate stages, but ideally involves recognizing risks, weighing impacts, and installing defenses all at the same time. You can't do everything at once. You have to accept that your defenses will never protect against every conceivable attack or disaster. The wisest process deals with first things first, and prioritization is not based on a single factor.

Basic steps are things you have identified as critical for protecting your organization from likely risks, are easiest to implement, and address vulnerabilities that are more or less inexcusable.

Intermediate steps are the very next things you plan to address, after the basics. These either have lower priority, higher complexity, or demand greater effort.

Advanced steps are the ones that ultimately let you sleep at night. These may address low-likelihood/high-impact events; require upgrades to equipment, software, workflow, or policies; or entail more costs and technical resources.

An audit can satisfy you that you have taken every reasonable step prospectively. However, no system is immune from attacks by a determined, professional foe. Your priority should be to make reasonable efforts to prevent foreseeable attacks and accidents. The following are suggestions that would apply to a typical range of risks for health care providers. These are not meant to be comprehensive, but rather to give a snapshot of a cyber risk management process.

As increasing experience reveals, no system is immune from attacks by a determined, professional foe. What we can do in health care is demonstrate that we have made reasonable efforts to prevent foreseeable attacks and accidents.
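The Data During System Transitions question above asks what your process is for removing system access from terminated users, and the mitigation tables that follow call for a written credentialing policy covering consultants, tech support and guests. A concrete way to check that such a process actually works is to reconcile the HR roster against an export of system accounts. The script below is an added example written for this page, not COPIC's or NAS's code; the CSV column names, the two data sets and the review date are all constructed for illustration.

```python
"""Reconcile an HR roster against system accounts to catch access that should have been removed.

Added example, not from the COPIC document. It assumes two CSV exports
(constructed below) and a fixed review date; the column names are assumptions.
"""
import csv
import io
from datetime import date

# Constructed HR roster (not real data): user,status,termination_date
HR_ROSTER = """user,status,termination_date
jdoe,active,
rsmith,terminated,2015-08-15
aclerk,terminated,2015-06-30
drlee,active,
"""

# Constructed account export from the EHR or directory: user,enabled,last_login
ACCOUNTS = """user,enabled,last_login
jdoe,true,2015-09-01
rsmith,true,2015-08-20
aclerk,false,2015-06-29
drlee,true,2015-05-01
tsupport,true,2015-08-30
"""

# Constructed "as of" date for the review.
TODAY = date(2015, 9, 15)


def parse_date(text):
    """ISO date string or empty string -> date or None."""
    return date.fromisoformat(text) if text else None


def review_accounts(roster_text, accounts_text, today, dormant_days=90):
    """Return (user, reason) pairs for accounts an access review should act on.

    Checks: an account with no HR record at all (vendor or support logins nobody
    owns); an enabled account for someone HR lists as terminated; a login recorded
    after the termination date (access removal came too late); and an enabled
    account with no login for dormant_days (access nobody needs any more).
    """
    roster = {r["user"]: r for r in csv.DictReader(io.StringIO(roster_text))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_text)):
        user = acct["user"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = parse_date(acct["last_login"])
        person = roster.get(user)
        if person is None:
            findings.append((user, "no matching person in HR roster"))
            continue
        if person["status"] == "terminated":
            term = parse_date(person["termination_date"])
            if term is None:
                findings.append((user, "terminated but no termination date recorded"))
                continue
            if enabled:
                findings.append((user, "still enabled %d days after termination on %s"
                                 % ((today - term).days, term)))
            if last_login and last_login > term:
                findings.append((user, "logged in on %s, after termination on %s"
                                 % (last_login, term)))
        elif enabled and last_login and (today - last_login).days > dormant_days:
            findings.append((user, "enabled but dormant for %d days" % (today - last_login).days))
    return findings


def run_sample():
    """Run the reconciliation over the constructed sample exports."""
    return review_accounts(HR_ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, reason in run_sample():
        print(user, "->", reason)
```

On the sample data the review surfaces rsmith twice (the account is still enabled a month after termination, and was used after the termination date), drlee once for dormancy, and the unowned tsupport account; aclerk's disabled account is correctly silent. Running this on a schedule, and keeping the output with the other risk-assessment records, is one way to document that the access-removal process is working.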

Risks to Data and Devices at Rest

Risk is inherent in any device or data storage system, from smartphones, laptops, and flash drives, to servers, cloud storage, and file sharing systems. Organizations must demonstrate robust efforts to protect stored information. The standard is: what are the necessary and reasonable measures?

RISK EXAMPLES AND EXAMPLES OF MITIGATION STEPS (BASIC, INTERMEDIATE, ADVANCED)

Lost/stolen devices: Laptops; tablets; phones; USB/flash drives; CDs/DVDs; external disk drives; backup media; other portable data-carrying devices. Don't forget that even desktop computers and servers are small enough to steal.
-- Basic: Physical security. Off-site backup. Inventory of all devices. Review insurance coverage. Policies for employee use.
-- Intermediate: Encryption on everything portable. Ensure mobile devices have remote location/lockdown capability.
-- Advanced: Encrypt everything. Remote device location/lockdown software. Employee training program. Disaster plan with contingencies for loss/destruction of devices or loss of access.

Unauthorized access/intrusion: Data exposed accidentally or intentionally.
-- Basic: Physical security; who has a key? Inventory all PHI: where it resides and how it can be accessed. Encrypt external data connections. Mandate complex passwords; password policy; individual user accounts. Screen locking during inactivity. Up-to-date antivirus and antispyware software on the network router and every storage device. No remote network access; no guest access.
-- Intermediate: Encrypt all channels used for PHI. Two-factor authentication.[3] System access logs. Physical access logs. Secure remote access. Written policy for credentialing all users, including consultants, tech support, guests, etc. Separate Wi-Fi network for guests.
-- Advanced: Regular review of data access logs. Hacker/penetration testing.[4]

System failure: All mechanical systems fail; data can be lost or corrupted inadvertently or deliberately.
-- Basic: Physical safeguards (power protection, fire protection, etc.). Off-site backup. Insurance.
-- Intermediate: Test and confirm that the backup process actually works.
-- Advanced: Disaster plan. Business continuity plan.

[3] Two-factor authentication adds a second level of authentication, beyond entry of a password, to an account log-in. A user is required to provide a second piece of information, which may include a second password, authentication via another device such as a phone, or a biometric identification, such as a fingerprint.
[4] Hacker/penetration testing is a legal hack into a system to test for vulnerabilities.
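The claim trend on employee snooping earlier in this document says to keep access logs so the culprit can be identified quickly, and the table above lists "regular review of data access logs" as an advanced step. Keeping the logs is the easy half; the review needs a rule for what counts as suspicious. The script below is an added example written for this page, not COPIC's or NAS's code, and goes a little beyond the text by applying two rules at once: it flags accesses by users with neither a care-team nor a role relationship to the record, and it flags every access to records marked as needing extra privacy (prominent patients, staff members who are patients), even when the access is otherwise legitimate. The log format, the care-team table, the role scopes and the sensitive list are all constructed for illustration; a real EHR's audit log will have its own layout.

```python
"""Review EHR access logs for signs of employee snooping.

Added example, not from the COPIC document. It assumes a simple CSV-style
access log and three constructed lookup tables; real EHR audit logs and
care-team data will need their own parsers.
"""
import csv
import io
from collections import Counter, namedtuple

# Constructed sample access log (not real data): timestamp,user,role,patient_id,action
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2015-09-01T08:02:11,jdoe,nurse,P1001,view
2015-09-01T08:05:40,jdoe,nurse,P1002,view
2015-09-01T09:15:02,rsmith,billing,P1001,view
2015-09-01T09:16:45,rsmith,billing,P2001,view
2015-09-01T12:30:00,jdoe,nurse,P3001,view
2015-09-01T12:31:10,jdoe,nurse,P3001,print
2015-09-01T13:00:00,aclerk,frontdesk,P1002,view
"""

# Constructed: which users are on each patient's care team (a treatment relationship).
CARE_TEAM = {
    "P1001": {"jdoe", "drlee"},
    "P1002": {"jdoe"},
    "P2001": {"drlee"},
    "P3001": {"drlee"},
}

# Constructed: roles that may open a record for a non-treatment reason, such as
# billing a visit, limited to the records that role actually handles.
ROLE_SCOPE = {"billing": {"P1001", "P2001"}}

# Constructed: records that need extra privacy, with the reason they were flagged.
SENSITIVE = {"P2001": "public figure", "P3001": "staff member"}

Finding = namedtuple("Finding", "timestamp user patient_id action reason")


def review_access_log(log_text, care_team, role_scope, sensitive):
    """Return one Finding per log entry that the privacy officer should look at.

    An entry is flagged when the user has neither a care-team nor a role
    relationship with the record, and also, even when the access is allowed,
    whenever the record is on the sensitive list, so every touch of those
    records gets a human review.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        reasons = []
        on_care_team = user in care_team.get(pid, set())
        in_role_scope = pid in role_scope.get(row["role"], set())
        if not (on_care_team or in_role_scope):
            reasons.append("no treatment or role relationship")
        if pid in sensitive:
            reasons.append("access to flagged record (%s)" % sensitive[pid])
        if reasons:
            findings.append(Finding(row["timestamp"], user, pid, row["action"], "; ".join(reasons)))
    return findings


def findings_by_user(findings):
    """Count findings per user so the person to interview is obvious at a glance."""
    return dict(Counter(f.user for f in findings))


def run_sample():
    """Run the review over the constructed sample log."""
    return review_access_log(SAMPLE_LOG, CARE_TEAM, ROLE_SCOPE, SENSITIVE)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f.timestamp, f.user, f.patient_id, f.action, "->", f.reason)
    print("findings per user:", findings_by_user(results))
```

On the sample log, jdoe's two accesses to a staff member's record with no care relationship are the clear snooping case; rsmith's billing access to a public figure's record is allowed but still surfaced for review, and aclerk's front-desk view of a record outside any defined scope is flagged because no relationship explains it. Note that this only works if every employee has an individual account, which is why the document pairs access logs with individual user accounts rather than shared logins.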

Risks to Data in Transit

Any transmission can potentially be intercepted. Organizations must demonstrate robust efforts to protect communications from intentional interception and accidental leakage.

RISK EXAMPLES AND EXAMPLES OF MITIGATION STEPS (BASIC, INTERMEDIATE, ADVANCED)

Data exposure, intentional: Intentional interception of information through electronic intrusion (hacking) or eavesdropping.
-- Mitigation steps, basic through advanced: Enforce password complexity. Password expiration rules. Secure data exchange network. Firewall. Strong Wi-Fi encryption. Don't use email for PHI. IP/MAC address restrictions.[5] Secure email application. Encrypt all transmitted PHI. Secure patient portal.

Data exposure, accidental: Inadvertent sharing of information with unauthorized persons (e.g., emails accidentally forwarded, texts sent to the wrong person).
-- Mitigation steps, basic through advanced: Basic HIPAA and security training for all staff. Secure destruction of documents and devices. Written security policy. Social media policy. Email policy and safeguards. Advanced security training. Limited contacts list. Monitor social media, email, and website for inappropriate, negative or unwanted activity.

[5] IP/MAC address restrictions limit access to a system to users accessing the system from specific IP or MAC addresses.

Risk During Transition/Migration of IT Systems

Practices merge and split; facilities retire old systems and implement new ones; organizations hire and terminate employees; software and hardware are upgraded, updated, and replaced. Each of these events entails risk of data loss, corruption, or exposure.

RISK EXAMPLES AND EXAMPLES OF MITIGATION STEPS (BASIC, INTERMEDIATE, ADVANCED)

System updates: Data is lost, compromised, or corrupted during a software update or reconfiguration.
-- Basic: Backup. Backup again. Test functionality after updating.
-- Intermediate: Testing with actual data before committing to changes.
-- Advanced: Run concurrent systems until stability of the new system is assured.

System migration: Data is lost, compromised or corrupted during transition to a new system (e.g., merging practices).
-- Same as system updates.

Data exchange: Confidential information is lost, corrupted or exposed by business associates, correspondents, or contractors.
-- HIPAA business associate agreements. Consult your technical and legal advisors.

WHAT NOW?

This document gives health care organizations a place to start in assessing and addressing cyber risk, but it only scratches the surface. It is important that health care professionals dedicate ample time to take inventory of their specific organization's risks, and develop a tailored plan to address them. These five steps will help any organization better understand risks, develop plans to mitigate risks, and be prepared if a breach occurs.

1. Talk to your insurance advisors about cyber liability. The legal liabilities for cyber events (data loss, privacy breach, defamation, unauthorized disclosure, infringement, etc.) are not covered by typical liability insurance policies.
2. Have cyber liability coverage and understand it. Every COPIC insured receives basic cyber liability insurance as part of their COPIC policy. However, based on the unique needs of each organization, supplemental coverage may be necessary.
3. Document your cyber risk assessment.
4. Document your privacy, safety and security policy. This should include guidelines regarding employee handling of data and devices, access to systems, and policies for use and disclosure of protected information.
5. Document your mitigation plan. Note the steps you've already taken to address threats and vulnerabilities. Make a timeline for addressing steps that have not yet been completed.

CONSIDERATIONS WHEN LOOKING FOR EXTERNAL SUPPORT

Some organizations seek an outside partner to help manage the audit process. For practices or facilities considering this route, asking these questions of a prospective firm may be helpful.
1. Does the firm have a thorough understanding of HIPAA and HITECH requirements?
2. Has the firm worked with similar health care organizations to conduct similar types of audits?
3. How thorough will the firm's work be? Will consultants interview employees, in addition to completing checklists? Will the firm also audit your policies and procedures, in addition to your systems?
4. What is the outcome of the firm's work? Will you receive a report of risks? A full mitigation plan? Will the firm assist in mitigation efforts?

RESOURCES

Resources are available to help practices and facilities understand and respond to cyber liability risk.

Coverage and Resources for COPIC Insureds
Questions about COPIC cyber liability coverage or additional coverage options? If you work with an agent, we encourage you to contact him or her directly first. COPIC can also serve as a resource.
Mitch Laycock, Account Executive, COPIC Financial Service Group, [email protected], (720) (800) , ext

Resources available on COPIC's website at Cyber-Liability.aspx:
-- Fast Facts: COPIC's Cyber Liability Coverage
-- In-person seminars and online education courses (which also qualify for COPIC points) such as: Liability and Safety of Electronic Health Records; Communicating Electronically with Colleagues & Patients; Defending Electronic Documentation; Cyber Liability Insurance; Social Media Liability; Disaster Preparation and Response; Security & Privacy Risk Assessment; Health Care Transitions and Task-Oriented Medicine. Visit COPIC's website for more information on seminars and courses.
-- Supplemental Cyber Liability Coverage Details
-- Access to NAS Insurance Services cyber liability resources, including:
   -- Risk assessment tools
   -- HIPAA/HITECH compliance information
   -- Industry best practices
   -- Webinars and online training programs
   -- Sample policies

Third-Party Tools and Resources
-- ECRI Institute: Guidance and tools to help health care facilities improve health IT safety
-- Federal Bureau of Investigation Cyber Crime Unit: Information on threats, scams and protections
-- Industrial Control Systems Cyber Emergency Response Team (ICS-CERT): Alerts, advisories, training opportunities, best practices and assessments (ics-cert.us-cert.gov)

Research and Trends
-- Ponemon Institute: Research on privacy, data protection and information security policy
-- Symantec Internet Security Threat Report: Overview and analysis of the year in global threat activity
-- Verizon Wireless Data Breach Investigations Report: Annual investigation into common threat patterns
-- Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool: HIPAA compliance assessment tool
-- U.S. Department of Health and Human Services (HHS) Office for Civil Rights: HIPAA guidelines and resources
-- HIMSS: Professional development and resources on a wide variety of health information topics
-- Specialty Societies: Contact your specialty medical society to gain an understanding of the specific risks that may be inherent in your specialty.

7351 E. LOWRY BLVD., STE. 400, DENVER, CO  CALLCOPIC.COM


More information

Information Security Plan effective March 1, 2010

Information Security Plan effective March 1, 2010 Information Security Plan effective March 1, 2010 Section Coverage pages I. Objective 1 II. Purpose 1 III. Action Plans 1 IV. Action Steps 1-5 Internal threats 3 External threats 3-4 Addenda A. Document

More information

HIPAA Compliance: Efficient Tools to Follow the Rules

HIPAA Compliance: Efficient Tools to Follow the Rules Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability

More information

ADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF. Cheryl Granto Information Security Manager, UFIT Information Security

ADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF. Cheryl Granto Information Security Manager, UFIT Information Security ADMINISTRATORS SERIES PRIVACY AND SECURITY AT UF Susan Blair Chief Privacy Officer Cheryl Granto Information Security Manager, UFIT Information Security RULES OF THE ROAD Information Highway Danger Zones

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Data Breaches and Cyber Risks

Data Breaches and Cyber Risks Data Breaches and Cyber Risks Carolinas Credit Union League Leadership Conference Presented by: Ken Otsuka Business Protection Risk Management CUNA Mutual Group CUNA Mutual Group Proprietary Reproduction,

More information

Protecting personally identifiable information: What data is at risk and what you can do about it

Protecting personally identifiable information: What data is at risk and what you can do about it Protecting personally identifiable information: What data is at risk and what you can do about it Virtually every organization acquires, uses and stores personally identifiable information (PII). Most

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201

Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201 Network Detective 2015 RapidFire Tools, Inc. All rights reserved V20150201 Contents Purpose of this Guide... 3 About Network Detective... 3 Overview... 4 Creating a Site... 5 Starting a HIPAA Assessment...

More information

Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data

Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data Printer Security Challenges Executive Summary Security breaches can damage both your operations

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the

More information

Data Security Considerations for Research

Data Security Considerations for Research Data Security Considerations for Research Institutional Review Board Annual Education May 8, 2012 1 PRIVACY vs. SECURITY What s the Difference?: PRIVACY Refers to WHAT is protected Health information about

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

Course: Information Security Management in e-governance

Course: Information Security Management in e-governance Course: Information Security Management in e-governance Day 2 Session 2: Security in end user environment Agenda Introduction to IT Infrastructure elements in end user environment Information security

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by: HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Enterprise Data Protection

Enterprise Data Protection PGP White Paper June 2007 Enterprise Data Protection Version 1.0 PGP White Paper Enterprise Data Protection 2 Table of Contents EXECUTIVE SUMMARY...3 PROTECTING DATA EVERYWHERE IT GOES...4 THE EVOLUTION

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com

AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS. ftrsecure.com AVOIDING ONLINE THREATS CYBER SECURITY MYTHS, FACTS, TIPS ftrsecure.com Can You Separate Myths From Facts? Many Internet myths still persist that could leave you vulnerable to internet crimes. Check out

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

ISO? ISO? ISO? LTD ISO?

ISO? ISO? ISO? LTD ISO? Property NetProtect 360 SM and NetProtect Essential SM Which one is right for your client? Do your clients Use e-mail? Rely on networks, computers and electronic data to conduct business? Browse the Internet

More information

How To Protect Your Data From Being Hacked

How To Protect Your Data From Being Hacked Data Security and the Cloud TABLE OF CONTENTS DATA SECURITY AND THE CLOUD EXECUTIVE SUMMARY PAGE 3 CHAPTER 1 CHAPTER 2 CHAPTER 3 CHAPTER 4 CHAPTER 5 PAGE 4 PAGE 5 PAGE 6 PAGE 8 PAGE 9 DATA SECURITY: HOW

More information

Data Breach and Senior Living Communities May 29, 2015

Data Breach and Senior Living Communities May 29, 2015 Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs

More information

How-To Guide: Cyber Security. Content Provided by

How-To Guide: Cyber Security. Content Provided by How-To Guide: Cyber Security Content Provided by Who needs cyber security? Businesses that have, use, or support computers, smartphones, email, websites, social media, or cloudbased services. Businesses

More information

Have you ever accessed

Have you ever accessed HIPAA and Your Mobile Devices Not taking the appropriate precautions can be very costly. 99 BY MARK TERRY Alexey Poprotskiy Dreamstime.com Have you ever accessed patient data offsite using a laptop computer,

More information

I ve been breached! Now what?

I ve been breached! Now what? I ve been breached! Now what? THE AFTERMATH OF A BREACH & STEPS TO REDUCE RISK The number of data breaches in the United States in 2014 hit a record high. And 2015 is not looking any better. There have

More information

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations Presentation Agenda Security Introduction Security Component Requirements and Impacts Administrative Procedures Physical Safeguards

More information

How To Protect Yourself From Cyber Threats

How To Protect Yourself From Cyber Threats Cyber Security for Non- Profit Organizations Scott Lawler CISSP- ISSAP, ISSMP, HCISPP Copyright 2015 LP3 May 2015 Agenda IT Security Basics e- Discovery Compliance Legal Risk Disaster Plans Non- Profit

More information

10 Smart Ideas for. Keeping Data Safe. From Hackers

10 Smart Ideas for. Keeping Data Safe. From Hackers 0100101001001010010001010010101001010101001000000100101001010101010010101010010100 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000 0100101001001010010001010010101001010101001000000100101001010101010010101010010100000

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services [email protected] April 23, 2012 Overview Technology

More information

Client Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00

Client Advisory October 2009. Data Security Law MGL Chapter 93H and 201 CMR 17.00 Client Advisory October 2009 Data Security Law MGL Chapter 93H and 201 CMR 17.00 For a discussion of these and other issues, please visit the update on our website at /law. To receive mailings via email,

More information