AHLA N. HIPAA Security Breaches: What Should We Be Doing to Keep Us Out of the Headlines?

Diane E. Felix, Armstrong Teasdale LLP, Saint Louis, MO
Anthony J. Munns, Brown Smith Wallace LLC, Saint Louis, MO
Suzanne Sheldon-Krieger, Corporate Responsibility Officer, Ascension Health Senior Care, St. Louis, MO

Long Term Care and the Law, February 23-25, 2015

Transcription
Security Breaches: What should we be doing to stay out of the headlines?
American Health Lawyers Association, Long Term Care and the Law Program 2015
Diane Felix, Anthony Munns, Suzanne Sheldon-Krieger

Breaches & Settlements 2014: Still an Issue - Stolen Laptops & Computers
- One of the top ten reported breaches in 2014 involved stolen computers: Sutherland HC Services (#3), a billing and collections vendor for LA County. Eight unencrypted desktop computers were stolen; 168,000 individuals affected; class action lawsuit filed.
- One of the largest federal fines in 2014: $1.7M assessed against Springfield, Mo.-based Concentra Health Services (a Humana subsidiary) after an unencrypted laptop was stolen from a physical therapy center; 870 patient records.
Breaches & Settlements 2014: Still an Issue - Unauthorized Access or Theft of Paper
- Two of the top ten reported breaches in 2014 involved paper: Walgreen, IL (#6), 160,000 individuals; St. Vincent Hospital and Health Care Center, IN (#9), 63,325 individuals.
- At least four of the smallest ten reported breaches in 2014 involved theft of, or unauthorized access to, paper.
- One of the larger federal fines in 2014 ($800,000) involved Parkview Health System (Ft. Wayne, IN), which dropped off 71 cardboard boxes of patient medical records in the driveway of a physician's home.

Breaches & Settlements 2014: Far Larger Issue Than in Previous Years - Hacking & Unauthorized Access to Electronic Data ("Cybersecurity")
- Three of the top ten reported breaches in 2014 involved cybersecurity issues: Community Health Systems (TN), NRAD Medical Associates (NY), Onsite Health Diagnostics (TX).
Breaches & Settlements 2014: Smaller Organizations Not Immune to Cybersecurity Threats
- 18-bed Clay County Hospital in Flora, IL received an anonymous message on 11/2/14 containing patient information and threatening public release unless a ransom was paid.
- 12,621 patients potentially affected.
- Investigation found the system was not hacked; an insider?
- Information was name, address, SSN, DOB; no medical information.

Breaches & Settlements 2014: Anchorage Community Mental Health Services
- Fined $150,000 and will adopt a corrective action plan under a 12/2/14 Resolution Agreement with HHS/OCR.
- Malware compromised PHI for 2,743 individuals.
- ACMHS adopted sample Security Rule policies and procedures in 2005 but did not follow or update them until after the breach.
- Sixth fine levied by HHS/OCR in 2014.
Looking Beyond HIPAA and PHI
- Information Security = protecting information from cyber criminals and from those who do not have a need to view, access, modify or use it.
- Cybersecurity = measures taken to protect a computer or computer system connected to the Internet against unauthorized access or attack.
- Personally Identifiable Information (PII) = any data that could potentially identify a specific individual.

2014 Cost of Cyber Crime Study: United States
- Cyber crimes continue to be very costly for organizations. The mean annualized cost for the 59 benchmarked organizations was $12.7M, a 9.3% increase over the prior year.
- Cyber crime cost varies by organizational size.
- The most costly cyber crimes are those caused by denial of service, malicious insiders and malicious code.
2014 Cost of Cyber Crime Study: United States (continued)
- Cyber attacks get costly if not resolved quickly. The average time to resolve a cyber attack was 45 days, with an average cost to participating organizations of $1,593,627 during this 45-day period. Malicious insider attacks can take more than 65 days on average to contain.
- Information theft continues to represent the highest external cost, followed by the costs associated with business disruption.
- Recovery and detection are the most costly internal activities.
- Activities relating to IT security in the network layer receive the highest budget allocation.

2014 Cost of Cyber Crime Study: United States (continued)
- Deployment of security intelligence systems makes a difference.
- A strong security posture moderates the cost of cyber attacks.
- Companies deploying security intelligence systems experienced a substantially higher ROI (30 percent) than all other technology categories presented.
- Deployment of enterprise security governance practices moderates the cost of cyber crime.
Cost of Data Breach
- What is the value of the information in your custody, that you own, store, process or transmit?
- Value vs. cost of protection? What is your risk appetite?
- What is the cost if your data is compromised? Reputation, loss of revenue, legal fines and restitution?
- Healthcare businesses paid an average cost of $5.9 million per data breach.
- For all industries, the total annualized cost of cyber crime in 2014 ranges from a low of $1.6 million to a high of $60.5 million. The median annualized cost of cyber crime in the benchmark sample is $9.7 million, an increase from last year's median of $9.1 million. The mean is $12.7 million, an increase of $1.1 million (9.3 percent) from last year's mean of $11.6 million.
- Source: Ponemon 2014 Cost of Data Breach Study

Major Causes of Data Breach
- Malicious attacks are the most costly and are becoming more frequent.
- Three root causes: malicious or criminal attack, system glitch, human error (Ponemon 2013 Cost of Data Breach Study).
- Malicious attacks cause 41% of data breaches, with a per capita cost of $277.
- Human error causes 33%, with a per capita cost of $174.
- Employee negligence causes 26%, with a per capita cost of $159.
- Malicious or criminal attacks include malware, criminal insiders (employees, contractors or other third parties), phishing/social engineering and web site attacks.
- System glitch includes loss of a system or component, and IT and business process failures.
- Human error is negligent insiders: individuals who cause a data breach because of their carelessness, as determined in a post-data-breach investigation.
Steps to Reduce the Risk

7 Factors that Influence the Cost of a Data Breach
- The organization had an incident management plan.
- The organization had a relatively strong security posture at the time of the incident.
- A CISO (or equivalent title) has overall responsibility for enterprise data protection.
- Data was lost due to third-party error.
- The organization notified data breach victims quickly.
- The data breach involved lost or stolen devices.
- Consultants were engaged to help remediate the data breach.
- Source: Ponemon 2013 Cost of Data Breach Study
Security Risk Assessment
- Organizations should conduct annually a formal risk assessment of all systems to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of systems and data.
- There are several excellent resources: the NIST Special Publication "Guide for Conducting Risk Assessments"; the NIST Special Publication "Introductory Resource Guide for Implementing the HIPAA Security Rule", whose Appendix E is the Risk Assessment Guidelines; and OCR's published Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

HHS Guidance: Encryption and Destruction as Methods for Protecting PHI
- Two approved methods for protecting PHI: encrypt or destroy.
- Two types of encryption:
  - Data at rest: NIST Special Publication "Guide to Storage Encryption Technologies for End User Devices".
  - Data in transit: compliance with Federal Information Processing Standard (FIPS) requirements (guidance issued as draft).
- Two methods of destruction:
  - Non-electronic media: shredded or destroyed such that PHI cannot be recovered.
  - Electronic media: cleared, purged or destroyed consistent with the NIST Special Publication "Guidelines for Media Sanitization", such that PHI cannot be recovered.
Paper Breaches Included?
- HIPAA Rule: yes.
- FTC Rule: no, BUT dumpster-diving cases have been among the FTC's most often pursued as unfair and/or deceptive trade practices since its joint prosecutions of Rite Aid and CVS with HHS.
- States: generally no; state laws only cover systems data.

Vendor Management
- Formal procedures should be established for qualifying hardware, software or services vendors. Considerations for their selection should include:
  - Applicability of the IT solution to the intended environment: consider the sensitivity of the data; is this PII or PHI?
  - The organization's security policies, procedures and standards, and other requirements such as the resources available for operation, maintenance and training.
  - What evidence can be reviewed: security audits, pen tests, SSAE 16 SOC 1 or SOC 2 Type 2 reports, PCI DSS Report on Compliance (ROC).
Security Frameworks

Frameworks: Areas of Information Security & Privacy Management
- Information Security Governance
- Information Risk Management and Compliance
- Information Security Program Development and Management
- Information Security Incident Management
Information Security Governance
Responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, determining that risk is managed appropriately, and verifying that the enterprise's resources are used responsibly. (Source: Information Security Governance: Guidance for Boards of Directors and Executive Management, IT Governance Institute (ITGI))
A couple of key points:
- Establish and maintain an information security strategy in alignment with organizational goals, including a security framework to guide the activities that support the strategy, among them information security policies that communicate management's directives and guide the development of standards, procedures and guidelines.
- Develop business cases to support investments in information security.
- Consider holistic (internal and external) influences on the organization (e.g. technology, business environment, geographic location).
- Define and communicate roles and responsibilities throughout the organization.
- Measure the effectiveness of the information security strategy.

Information Risk Management and Compliance
Systematic application of management policies, procedures and practices to identify, analyze, evaluate, report, treat and monitor information risks.
Some key points:
- Asset classification, to ensure that the measures taken to protect assets are proportional to their business value; don't forget data.
- Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels (e.g. HIPAA, PCI, GLBA).
- Ensure risk assessments, vulnerability assessments and threat analyses are conducted periodically to identify risk to the organization's information.
- Integrate information risk management into business and IT processes (e.g. development, procurement, project management) to promote a consistent and comprehensive information risk management process across the enterprise.
- Monitor existing risk to ensure that changes are identified and managed appropriately.
- Compliance does not mean your information is secure.
Governance Frameworks
Lots of good frameworks out there; pick one:
- COBIT 5: the leading framework for the governance and management of enterprise IT.
- ISO: the ISO family of information security standards helps organizations keep information assets secure.
- ITIL: the Information Technology Infrastructure Library defines the organizational structure and skill requirements of an information technology organization, and a set of standard operational management procedures and practices that allow the organization to manage an IT operation and its associated infrastructure.
- NIST Cybersecurity Framework: recently announced, immature, still being developed. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12.
- See also the Cloud Security Alliance Cloud Controls Matrix, which compares the different frameworks side by side.

Information Security Program Development and Management
Development and documentation of the activities, projects and/or initiatives that implement the information security strategy and manage the program.
Key points:
- The program needs to align with the information security strategy and to integrate with other business functions such as HR, accounting, procurement and IT: integrate information security requirements into organizational processes, driven by security risk assessment updates.
- Establish and maintain information security architectures (people, process, technology): segmentation, minimum necessary.
- Robust perimeter firewalls, DMZs, VPNs, secure file sharing, intrusion prevention/detection systems; consider security information and event management (SIEM).
- Consider data leak prevention (DLP) technologies.
- Vendor management program.
- Robust change management system.
- Secure software development.
- Data backups, business impact analysis, business continuity and disaster recovery planning.
- Develop and conduct security awareness and training.
- Continually measure the program.
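The program slide above lists data leak prevention (DLP) as a technology to consider, and the Clay County incident earlier in the deck shows the kind of data such a control is meant to catch (name, address, SSN, DOB leaving the organization). The following Python egress check is an added example written for this page; it is not code from the presentation or from any DLP product. It scans an outgoing message body for SSNs and dates of birth, uses the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) so placeholder values do not trip it, masks what it finds so the security log does not itself become a PHI disclosure, and blocks the message when the recipient is outside the organization. The internal domain `example-hospital.test`, the recipient addresses and the sample messages are constructed for the example.

```python
"""Minimal egress content check for SSNs and dates of birth (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# SSN in 9-digit, hyphenated or space-separated form. The lookaheads encode the
# SSA's structural rules: area numbers 000, 666 and 900-999 are never issued,
# nor are group 00 or serial 0000, so placeholder values such as 000-00-0000
# are not reported as findings. Runs of digits on either side are rejected.
SSN_RE = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}(?!\d)"
)

# Date of birth as M/D/YYYY or MM/DD/YYYY. A four-digit year is required so
# that short dates in ordinary business text (an invoice dated 11/2/14, say)
# are not flagged.
DOB_RE = re.compile(
    r"(?<!\d)(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d\d(?!\d)"
)


@dataclass
class Finding:
    kind: str    # "ssn" or "dob"
    masked: str  # value in a form that is safe to write to a log
    offset: int  # position in the scanned text


@dataclass
class Verdict:
    allow: bool
    reason: str
    findings: list[Finding] = field(default_factory=list)


def scan(text: str) -> list[Finding]:
    """Return identifier findings in text, ordered by position, values masked."""
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        findings.append(Finding("ssn", "***-**-" + digits[-4:], m.start()))
    for m in DOB_RE.finditer(text):
        findings.append(Finding("dob", "**/**/" + m.group()[-4:], m.start()))
    return sorted(findings, key=lambda f: f.offset)


def check_outbound(body: str, recipient: str,
                   internal_domain: str = "example-hospital.test") -> Verdict:
    """Policy: identifiers may go to internal recipients (logged), never outside.

    `recipient` is a bare address; the domain test is an exact suffix match on
    "@" + internal_domain, so "x@evil-example-hospital.test" is external.
    """
    findings = scan(body)
    if not findings:
        return Verdict(True, "no identifiers found", findings)
    if recipient.lower().endswith("@" + internal_domain):
        return Verdict(True, "identifiers to internal recipient; findings logged", findings)
    return Verdict(False,
                   f"{len(findings)} identifier(s) addressed to external recipient {recipient}",
                   findings)


if __name__ == "__main__":
    # Constructed sample messages; the identifiers are not real people's data.
    samples = [
        ("Patient J. Doe, SSN 123-45-6789, DOB 04/17/1952, balance due",
         "billing@vendor.test"),
        ("Patient J. Doe, SSN 123-45-6789, DOB 04/17/1952, please review",
         "nurse@example-hospital.test"),
        ("Test record 000-00-0000, invoice dated 11/2/14",
         "billing@vendor.test"),
    ]
    for body, to in samples:
        v = check_outbound(body, to)
        print("ALLOW" if v.allow else "BLOCK", to, "-", v.reason,
              [(f.kind, f.masked) for f in v.findings])
```

Run stand-alone, the first sample is blocked (SSN and DOB addressed to an external vendor), the second is allowed because the recipient is inside the organization, and the third is allowed with no findings because the placeholder SSN and the two-digit-year date are rejected by the patterns. A production filter would add the organization's own identifier formats (medical record numbers, account numbers) and would inspect attachments, not just the message body; the masking rule is the part worth copying as-is, since a DLP log full of clear-text SSNs is another PHI repository to protect.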
Information Security Incident Management
Manage unexpected disruptive events, minimizing impacts and maintaining or restoring normal operations within a defined time period. This is not an IT-only plan.
Key points:
- Establish a hierarchy to accurately identify and respond to incidents.
- Develop and maintain an incident response plan to be able to respond appropriately (e.g. to legal and regulatory requirements).
- Establish external relationships: e.g. PR firm, forensic investigators, specialist counsel, insurance company (understand the cybersecurity policy: its coverage as well as the resources it provides).
- Develop processes, train teams and periodically conduct tests to effectively identify and respond to information security incidents.
- Establish incident escalation and notification processes.
- Establish and maintain internal and external communication plans.
- Perform root cause analysis post-incident and record it as lessons learned.
- Integrate the incident response plan, disaster recovery plan and business continuity plan.

HIPAA Definition of Breach and Required Notification
- The final regulations modify the definition of breach. Under the interim final breach notification rule, a breach would have been considered to have occurred if the access, use or disclosure posed a significant risk of financial, reputational or other harm to an individual.
- The final regulations stipulate that an acquisition, access, use or disclosure of protected health information in a manner not permitted is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. If the organization believes the risk of compromise is unknown or low, it must perform a documented risk assessment.
- The assessment of whether there is a low probability that the PHI has been compromised must be based on at least the following factors:
  - The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
  - The identity of the unauthorized person who used the PHI or to whom the disclosure was made.
  - Whether the PHI was actually acquired or viewed.
  - The extent to which the risk to the PHI has been mitigated.
HIPAA Clarification of Breach
Breaches do not include:
- Unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a CE or BA, if such acquisition, access or use was made in good faith and within the scope of authority, and does not result in further use or disclosure in a manner not permitted by the Privacy Rule.
- Inadvertent disclosures of PHI from a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity, business associate or organized health care arrangement in which the covered entity participates.
- Disclosures of PHI where a CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

Responsibilities
- Be very careful with terminology: if you term it a breach, the rules kick in. Let legal make the call. And the great majority of breaches are not notice-triggering.
- A service provider should:
  - Be aware of the applicable Business Associate Agreement terms.
  - Contact the covered entity when it first suspects a data breach, NOT after it has been investigated.
  - Follow the instructions of the covered entity.
  - Assume financial responsibility (negotiate credit monitoring costs based on the number of enrollees who access the service, not the number of records breached), and don't assume insurance will cover the costs.
Questions Attorneys Should Ask of Executive and IT Management to Reduce the Risk

Questions to Reduce the Risk
- Do we perform an annual security risk assessment? And do we have a program to mitigate the risks identified, as they change?
- Do we have a security awareness program? Do we educate employees on how to handle confidential information?
- Do we harden, update and patch systems? Does this include all systems, programs, utilities, everything?
Questions to Reduce the Risk (continued)
- Do we use intrusion detection and data leak prevention? Do we monitor sensitive data and control it leaving the organization?
- Do we utilize encryption? Data at rest and in motion, websites, peripherals, etc.?
- Do we have a vendor management program? Do we determine whether vendors are fit for purpose?
- Do we have an incident response plan? Does it include all key partners: IT, forensics, legal, PR and management?

Conclusion
- Information security impacts all our lives on a daily basis. Due diligence and caution should be taken when divulging personal information via public networks and social media outlets.
- Controls need to be defined, documented and implemented to reduce the risk of information being viewed, accessed or compromised. The proper mixture of people, processes and technology needs to exist. And education.
- The need for information security will continue to increase, possibly exponentially, as technology continues to evolve and becomes integrated into the mainstream of business processes. Network perimeters once defined and controlled by business and educational institutions continue to erode (e.g. BYOD).
- Security and privacy is a continuous process, not just a product. Having good compliance does not mean you are secure.
- Vulnerability assessment and penetration testing are among the tools that can help an organization gain a better understanding of its security strengths and weaknesses.
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationNCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationAttachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
More informationInformation Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514
More informationData breach, cyber and privacy risks. Brian Wright Lloyd Wright Consultants Ltd
Data breach, cyber and privacy risks Brian Wright Lloyd Wright Consultants Ltd Contents Data definitions and facts Understanding how a breach occurs How insurance can help to manage potential exposures
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationCYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
More informationSecond Annual Benchmark Study on Patient Privacy & Data Security
Second Annual Benchmark Study on Patient Privacy & Data Security Sponsored by ID Experts Independently conducted by Ponemon Institute LLC Publication Date: December 2011 Ponemon Institute Research Report
More informationHIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014
1 HIPAA BREACH NOTIFICATION REQUIREMENTS Heman A. Marshall, III July 25, 2014 2 SCENARIO FOR VBA SUMMER MEETING The Medical Marijuana Growers Association (MMGA) Health Plan, which is a self-fund plan,
More informationHEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES
HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES OCTOBER 2014 3300 North Fairfax Drive, Suite 308 Arlington, Virginia 22201 USA +1.571.481.9300 www.lunarline.com OUR CLIENTS INCLUDE Contents Healthcare
More informationCyber Security Incident Handling Policy. Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology
Cyber Security Incident Handling Policy Information Technology Services Center (ITSC) of The Hong Kong University of Science and Technology Date: Oct 9, 2015 i Document Control Document Owner Classification
More informationHIPAA Update Focus on Breach Prevention
HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationInformation Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
More informationCyber Risks in the Boardroom
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
More informationmicros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.
micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) Revision 8.0 August, 2013 1 Table of Contents Overview /Standards: I. Information Security Policy/Standards Preface...5 I.1 Purpose....5
More informationAnatomy of a Privacy and Data Breach
Anatomy of a Privacy and Data Breach Understanding the Risk and Managing a Crisis Adam Kardash: Partner, Heenan Blaikie LLP Robert Parisi: Senior Vice President, Marsh Leadership, Knowledge, Solutions
More informationData Breach Cost. Risks, costs and mitigation strategies for data breaches
Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,
More informationCyber and Privacy Risk What Are the Trends? Is Insurance the Answer?
Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: March 2013 Ponemon Institute Research Report
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationThe silver lining: Getting value and mitigating risk in cloud computing
The silver lining: Getting value and mitigating risk in cloud computing Frequently asked questions The cloud is here to stay. And given its decreased costs and increased business agility, organizations
More informationGALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability
GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the
More informationHIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014
HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationIs Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution
Is Your Company Ready for a Big Data Breach? Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication Date: April 2013 Ponemon Institute Research Report
More informationYour New Responsibilities For Medical Data. History Locked File Drawer. Tort Contract Some Regulation
South Carolina Medical Association s 8 th Annual Health Law Symposium Friday, February 21, 2014 Your New Responsibilities For Medical Data Ted Claypoole Womble Carlyle Sandridge & Rice, PLLC Charlotte,
More informationCyber Security. John Leek Chief Strategist
Cyber Security John Leek Chief Strategist AGENDA The Changing Business Landscape Acknowledge cybersecurity as an enterprise-wide risk management issue not just an IT issue How to develop a cybersecurity
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More information2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage
2015 PIAA Corporate Counsel Workshop October 22 23, 2015 Considerations in Cyber Liability Coverage Chris Reese Vice President, Director of Underwriting Connie Rivas Asst. Vice President, Contracts and
More informationMobile Medical Devices and BYOD: Latest Legal Threat for Providers
Presenting a live 90-minute webinar with interactive Q&A Mobile Medical Devices and BYOD: Latest Legal Threat for Providers Developing a Comprehensive Usage Strategy to Safeguard Health Information and
More informationOutline. Outline. What is HIPAA? I. HIPAA Compliance II. Why Should You Care? III. What Should You Do Now?
Outline MOR-OF Education and Medical Expo August 23, 2014 Tatiana Melnik Melnik Legal PLLC tatiana@melniklegal.com 734-358-4201 Tampa, FL I. HIPAA Compliance II. Why Should You Care? A. Market Pressure
More informationCyberSecurity for Law Firms
CyberSecurity for Law Firms Cracking the Cyber Code: Recent Headlines, Reinforcing the Need and Response Planning July 16, 2013 Making the Case Matthew Magner Senior Underwriting Officer Chubb & Son, a
More informationDiscussion on Network Security & Privacy Liability Exposures and Insurance
Discussion on Network Security & Privacy Liability Exposures and Insurance Presented By: Kevin Violette Errors & Omissions Senior Broker, R.T. Specialty, LLC February, 25 2014 HFMA Washington-Alaska Chapter
More informationPlan of Attack 5 Step Plan
Plan of Attack 5 Step Plan Naming those Digital Assets Practicing Digital Doomsday Training + Policies and Procedures Technology Tuning Security in the Supply Chain Next Steps Sample Plan 0 to 30 Days
More information2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security
2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009
More informationBest Practices in Incident Response. SF ISACA April 1 st 2009. Kieran Norton, Senior Manager Deloitte & Touch LLP
Best Practices in Incident Response SF ISACA April 1 st 2009 Kieran Norton, Senior Manager Deloitte & Touch LLP Current Landscape What Large scale breaches and losses involving credit card data and PII
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationHIPAA Compliance Evaluation Report
Jun29,2016 HIPAA Compliance Evaluation Report Custom HIPAA Risk Evaluation provided for: OF Date of Report 10/13/2014 Findings Each section of the pie chart represents the HIPAA compliance risk determinations
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationIs your Organization SAFE?
Is your Organization SAFE? About Enterprise Risk Management (ERM) About The Presenter Mike Sanchez, Senior Vice President at ERM Captain, USMC (Ret.) COBIT 5 Certified Possesses over 20 years of experience
More informationBridging the HIPAA/HITECH Compliance Gap
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
More informationPOLICY AND PROCEDURE MANUAL
Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL
More informationCybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response
Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary
More informationTHE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS
THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern
More informationData breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC
Data breach! cyber and privacy risks Brian Wright Michael Guidry Lloyd Guidry LLC Collaborative approach Objective: To develop your understanding of a data breach, and risk transfer options to help you
More informationSTANDARD ADMINISTRATIVE PROCEDURE
STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationCyber Liability. Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029
Cyber Liability Michael Cavanaugh, RPLU Vice President, Director of Production Apogee Insurance Group 877-337-3200 Ext. 7029 Today s Agenda What is Cyber Liability? What are the exposures? Reality of a
More informationInformation Security Program CHARTER
State of Louisiana Information Security Program CHARTER Date Published: 12, 09, 2015 Contents Executive Sponsors... 3 Program Owner... 3 Introduction... 4 Statewide Information Security Strategy... 4 Information
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationHealthcare to Go: Securing Mobile Healthcare Data
Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1 Why Information Security is Essential for Healthcare Safeguard
More information