COPIC INSIGHT: DATA BREACHES SEPTEMBER 2015

COPIC INSIGHT is a new, exclusive resource for COPIC-insured individuals, practices, and facilities. It provides insight on a timely issue in health care, along with resources to help insureds address it in their own setting.

CONTENTS
Cyber Liability
Cyber Risk Assessment
Vulnerabilities
Mitigating Cyber Risk
What Now?
Considerations When Looking for External Support
Resources

* Information provided is for general education purposes and not intended as legal guidance or practice standards.

COPIC Insurance Company, September 2015, CALLCOPIC.COM

CYBER LIABILITY

Cyber liability is a rising concern among health care providers, who increasingly depend on a variety of technologies to care for patients, share health information, and collaborate with other providers. Increased reliance on these technologies has led to a large universe of cyber-related vulnerabilities, ranging from data loss or corruption to hacking and privacy breaches. Any of these can have serious civil, regulatory, financial and even criminal consequences. However, steps can be taken to reduce the risks and mitigate the impacts of cyber events.

The Risk of a Data Breach

Given the frequency and potential impact, the most critical exposure for medical practices is data breach. Intrusion attempts against supposedly secure databases are a daily event, and automated attacks against anything reachable from the Internet arrive continuously. In 2013, there were more than 600 reported data breaches in the United States. Just one year later, that number hit a record high of 783, and nearly half of these occurred in health care organizations. 1 Both the number and scale of events are growing.

WHAT IS A DATA BREACH?

A data breach occurs when confidential information is exposed to an unauthorized party. Health care practices and facilities are accountable for three categories of data:
1. Patient data (PHI, Protected Health Information)
2. Employee data (employment, background, banking, contact, insurance, etc.)
3. Business or business associate data (accounting, banking, trade secrets, strategies, patents, etc.)
Myriad federal and state laws, and civil claims, create liability exposure for data breaches.

Cyber Claim Trends

While every health care practice or facility has a unique risk profile, NAS Insurance Services (COPIC's partner for cyber liability coverage) reports the following trends in recent claims:

1. Lost device: The single greatest exposure to cyber liability arises from lost or stolen devices, particularly laptops that are not encrypted.
Mitigating this risk: Encrypt all data storage devices that leave the office, such as removable drives, tablets, cell phones used for email, and USB flash drives, and turn on full-disk encryption on laptops. A login password by itself is not enough: the drive of an unencrypted, password-protected laptop can simply be removed and read on another machine. Under HHS guidance, PHI encrypted in line with NIST recommendations is not "unsecured" PHI, so the loss of a properly encrypted device generally does not trigger breach notification, whereas the loss of an unencrypted one does.

2. Ransomware: Typically targeting smaller organizations, cyber-extortionists introduce malware (often through an official-looking email message or attachment) that encrypts the practice's data, cutting off access to all users. The extortionists then demand a ransom for the decryption key. Mitigating this risk: Train everyone to be wary of opening emails and attachments from senders they do not recognize, keep anti-virus software current on every computer, and apply software updates promptly. When in doubt, contact your IT department to determine whether an email poses a risk. Because anti-virus does not catch every variant, the decisive control is a current backup that is kept offline or otherwise unreachable from the infected machines, and that has been tested by actually restoring from it; without such a backup, the only ways back are paying or losing the data.

1 http://www.idtheftcenter.org

3. Third-party complaints: There is an increase in lawsuits and demand letters from third parties (mainly patients) when their data is affected by a data breach. Apart from lost privacy, breaches open the door to identity theft and medical fraud. Mitigating this risk: It is best to ensure that systems are in place to prevent a breach in the first place. However, once a breach occurs, transparency is paramount. Report the breach as quickly as possible to your carrier and appropriate management to determine when and how patients should be alerted.

4. Before and after pictures: A higher risk for dentists, plastic surgeons, and dermatologists, these claims stem from providers neglecting to gain permission before using or transmitting photos of procedures or patient care, including in advertising. Even photos that have been de-identified may be recognized by patients, family, or co-workers, giving rise to privacy violations. Mitigating this risk: Ensure that patients sign a photo release form prior to sharing any photos, whether or not the photos have been de-identified.

5. Employee access to restricted files: Employee snooping gives rise to HIPAA violations. Patients who are politically or socially prominent, co-workers, family members, or those whose information is otherwise sensitive need extra privacy. Mitigating this risk: Protect patient privacy by giving every user an individual account (a shared login makes an access impossible to attribute to a person) and by controlling who can access which files. Ensure that access logs are kept and reviewed on a schedule, not only after a complaint, so that if snooping occurs the culprit can quickly be identified.

HOW SERIOUS ARE DATA BREACHES?

NAS Insurance Services estimates that health care providers will pay between $10 and $30 per affected patient record for breach response services. These typically include legal and investigative services, patient notification, credit protection, regulatory response and fines, and the cost of repairing provider systems and reputation.
A breach that impacts 1,000 patient records could easily cost $10,000 to $30,000, excluding penalties.

Best Practices Are Emerging

The variety of health care settings makes it difficult to prescribe one-size-fits-all solutions. Nevertheless, there is general advice for data protection.

DO
- Get advice, training, and support for everyone.
- Keep written records of policies, training, risk assessments, and actions taken.
- Know where your data is and who has access to it.
- Use a layered approach to data protection, with multiple safeguards operating in different ways.
- Make plans for likely risks and disasters.

DON'T
- Take privacy and security lightly.
- Assume things are OK as long as you have not detected obvious problems.
- Store PHI on unprotected devices.
- Stop reviewing vulnerabilities and safeguards after your initial assessment.
- Enter into electronic transactions or communications with unknown correspondents.
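Claim trend 5 above (employee snooping) depends on two things the newsletter names: individual accounts, and access logs that someone actually reviews. The script below is an added example written for this page, not COPIC's, NAS Insurance Services' or any EHR vendor's tooling. It assumes a CSV audit export, a care-team roster derived from scheduling and encounter data, and a list of restricted charts; all three are constructed here. It flags chart accesses with no documented treatment relationship, accesses to restricted records, activity under shared logins (which cannot be attributed to a person), and after-hours access for follow-up:

```python
"""Reviewing EHR access logs for employee snooping.

Added example, not COPIC's or NAS Insurance Services' tooling. The log
format, field names, roster and every record below are constructed for
illustration; a real EHR audit export will use its own layout.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed audit export: who opened which chart, and when.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2015-09-14T09:02:11,jsmith,nurse,P1001,view_chart
2015-09-14T09:05:40,jsmith,nurse,P1002,view_chart
2015-09-14T12:47:03,tlee,billing,P2001,view_chart
2015-09-14T12:49:30,tlee,billing,P2001,view_notes
2015-09-14T23:15:09,rgarcia,physician,P1003,view_chart
2015-09-15T08:10:00,frontdesk,shared,P1001,view_demographics
2015-09-15T08:12:22,jsmith,nurse,P3001,view_chart
"""

# Constructed care-team roster, as it would be derived from scheduling and
# encounter data: the users with a treatment or business reason to open a chart.
CARE_TEAM = {
    "P1001": {"jsmith", "rgarcia"},
    "P1002": {"jsmith"},
    "P1003": {"rgarcia"},
    "P2001": {"rgarcia"},
    "P3001": {"rgarcia"},
}

# Charts the practice has flagged for extra privacy (staff, relatives of
# staff, prominent patients). Constructed.
RESTRICTED = {"P2001": "employee", "P3001": "prominent patient"}

# Generic logins that several people share; activity under them cannot be
# attributed to a person, which is exactly what a snooping investigation needs.
SHARED_ACCOUNTS = {"frontdesk"}

BUSINESS_HOURS = (7, 19)  # 07:00 to 19:00 local time


def review_access_log(log_text, care_team=CARE_TEAM, restricted=RESTRICTED,
                      shared_accounts=SHARED_ACCOUNTS, hours=BUSINESS_HOURS):
    """Return one finding per log record that needs a human to look at it."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user"], row["patient_id"]
        when = datetime.fromisoformat(row["timestamp"])
        allowed = care_team.get(patient, set())
        reasons = []
        if user in shared_accounts:
            reasons.append("shared account: access cannot be attributed to a person")
        elif user not in allowed:
            reasons.append("no documented treatment relationship with patient")
        if patient in restricted and user not in allowed:
            reasons.append(f"restricted record ({restricted[patient]})")
        if not hours[0] <= when.hour < hours[1]:
            reasons.append("outside business hours")
        if not reasons:
            continue
        # Severity: restricted records first, then unattributable or
        # unexplained access, then timing oddities on otherwise valid access.
        if any(r.startswith("restricted record") for r in reasons):
            severity = "high"
        elif any(r.startswith(("shared account", "no documented")) for r in reasons):
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "timestamp": row["timestamp"], "user": user, "role": row["role"],
            "patient_id": patient, "action": row["action"],
            "severity": severity, "reasons": reasons,
        })
    return findings


def flagged_access_by_user(findings):
    """Count findings per user; repeated hits on one user are what an
    investigation follows up on first."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for f in results:
        print(f["severity"].upper(), f["timestamp"], f["user"], f["patient_id"],
              f["action"], "; ".join(f["reasons"]))
    print(dict(flagged_access_by_user(results)))
```

The roster is the piece that makes this work: without a record of who is supposed to be treating whom, every access looks legitimate. Most EHRs can export both the audit trail and the encounter schedule. The review should run on a schedule rather than only after a complaint, and findings should go to the privacy officer rather than back to the department being reviewed.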

CYBER RISK ASSESSMENT

The HIPAA Security Rule requires covered providers to conduct a risk analysis of the confidentiality, integrity, and availability of the electronic protected health information (ePHI) they hold. You can download COPIC's Electronic Risk Assessment Checklist for Office Practices (available on COPIC's website at www.callcopic.com/resources/pages/medical-guidelines-andtools.aspx under the Practice Management Resources section). 2 This step-by-step guide provides an overview of this mandatory process. The principles are simple, but the details can get technical; most organizations will need tech support.

STEP 1: Identify your information vulnerabilities and threats (risk audit).
STEP 2: Take stock of your defenses and safeguards (your own and those of business associates, vendors, contractors, etc.).
STEP 3: Consider your threats and vulnerabilities, and estimate their likelihood.
STEP 4: Predict the harms of each threat occurring.
STEP 5: Describe measures taken to block vulnerabilities and mitigate impacts; prioritize measures to adopt.
STEP 6: Implement.
STEP 7: Document it all.

VULNERABILITIES

Three key areas of risk are virtually universal. Typically, these are the first to address, regardless of the setting. Here are some examples of questions to ask yourself in each of the three key areas.

I. Data at Rest (Stored in Devices)
Q: Can you list everywhere your protected information resides?
Q: Do you carry PHI on portable devices (laptops, mobile phones, jump drives, etc.) outside of your office?
Q: What physical protections do you have (locks, cameras, building security) for your office equipment (servers, routers, backup drives, computers, tablets, laptops, etc.)?
Q: What is your disaster plan?
Q: Are your drives (including portable devices) encrypted?
Q: How do visitors get access to your office?

NOT JUST ELECTRONIC - ADDRESS PAPER
Paper as well as electronically stored information is subject to data breaches. Keep this in mind when transferring and disposing of paper files.
2 This is protected content and requires a username and password to access it.

II. Data in Transit (Being Transmitted)
Q: Do you use email, text messaging, or other data connections with external colleagues, facilities, and/or patients?
Q: Do you connect to external PHI remotely (through a portal, VPN or FTP site)?
Q: Do you have a Wi-Fi network at your office or home?
Q: Do you connect to Wi-Fi networks away from the office or home?
Q: How do you create and manage passwords?

III. Data During System Transitions and Migrations
Q: Is your EHR fully configured and implemented?
Q: How do you prevent data loss/corruption during system updates?
Q: When is the next time you plan significant changes to your information systems?
Q: What is your security and privacy training program for new staff?
Q: What is your EHR training program for new users?
Q: What is your process for removing system access from terminated users?

MITIGATING CYBER RISK

Risk assessment is not fragmented into separate stages; ideally it involves recognizing risks, weighing impacts, and installing defenses all at the same time. You can't do everything at once, and you have to accept that your defenses will never protect against every conceivable attack or disaster. The wisest process deals with first things first, and prioritization is not based on a single factor.

Basic steps are the things you have identified as critical for protecting your organization from likely risks, that are easiest to implement, and that address vulnerabilities that are more or less inexcusable.

Intermediate steps are the very next things you plan to address, after the basics. These either have lower priority, higher complexity, or demand greater effort.

Advanced steps are the ones that ultimately let you sleep at night. These may address low-likelihood/high-impact events; require upgrades to equipment, software, workflow, or policies; or entail more costs and technical resources.

An audit can satisfy you that you have taken every reasonable step prospectively.
However, no system is immune from attacks by a determined, professional foe. Your priority should be to make reasonable efforts to prevent foreseeable attacks and accidents, and to be able to demonstrate afterwards that you did. The following are suggestions that would apply to a typical range of risks for health care providers. They are not meant to be comprehensive, but rather to give a snapshot of a cyber risk management process.

Risks to Data and Devices at Rest

Risk is inherent in any device or data storage system, from smartphones, laptops, and flash drives, to servers, cloud storage, and file sharing systems. Organizations must demonstrate robust efforts to protect stored information. The standard is: what are the necessary and reasonable measures? Mitigation steps for each risk are listed from basic, through intermediate, to advanced.

RISK: Lost/stolen devices. Laptops; tablets; phones; USB/flash drives; CDs/DVDs; external disk drives; backup media; other portable data-carrying devices. Don't forget that even desktop computers and servers are small enough to steal.
MITIGATION STEPS:
- Physical security.
- Off-site backup.
- Inventory of all devices.
- Review insurance coverage.
- Policies for employee use.
- Encryption on everything portable.
- Ensure mobile devices have remote location/lockdown capability.
- Encrypt everything.
- Remote device location/lockdown software.
- Employee training program.
- Disaster plan with contingencies for loss/destruction of devices or loss of access.

RISK: Unauthorized access/intrusion. Data exposed accidentally or intentionally.
MITIGATION STEPS:
- Physical security; who has a key?
- Inventory all PHI: where it resides and how it can be accessed.
- Encrypt external data connections.
- Mandate complex passwords; password policy; individual user accounts.
- Screen locking during inactivity.
- Up-to-date antivirus and antispyware software on every computer and storage device (and on the network gateway where it supports it).
- No remote network access; no guest access.
- Encrypt all channels used for PHI.
- Two-factor authentication. 3
- System access logs.
- Physical access logs.
- Secure remote access (if remote access is needed at all).
- Written policy for credentialing all users, including consultants, tech support, guests, etc.
- Separate Wi-Fi network for guests.
- Regular review of data access logs.
- Penetration testing. 4

RISK: System failure. All mechanical systems fail; data can be lost or corrupted inadvertently or deliberately.
MITIGATION STEPS:
- Physical safeguards (power protection, fire protection, etc.).
- Off-site backup.
- Insurance.
- Test and confirm that the backup process actually works by restoring from it, not just by checking that the backup job reported success.
- Disaster plan.
- Business continuity plan.

3 Two-factor authentication adds a second level of authentication, beyond entry of a password, to an account log-in. The user must provide a second piece of evidence of a different kind: a one-time code from another device such as a phone, a hardware token, or a biometric such as a fingerprint. A second password is not a second factor; it is more of the same factor (something you know).
4 Penetration testing is an authorized, scoped attempt to break into a system in order to find exploitable vulnerabilities before an attacker does.

Risks to Data in Transit

Any transmission can potentially be intercepted. Organizations must demonstrate robust efforts to protect communications from intentional interception and accidental leakage. Mitigation steps for each risk are listed from basic, through intermediate, to advanced.

RISK: Data exposure, intentional. Intentional interception of information through electronic intrusion (hacking) or eavesdropping.
MITIGATION STEPS:
- Enforce password complexity.
- Firewall.
- Strong Wi-Fi encryption (WPA2 with a long passphrase; WEP and open networks do not count).
- Don't use ordinary email for PHI.
- Password expiration rules (note that current NIST guidance favors long passwords changed when compromise is suspected over forced periodic rotation, which tends to produce predictable variations).
- IP/MAC address restrictions. 5
- Secure email application.
- Secure data exchange network.
- Encrypt all transmitted PHI.
- Secure patient portal.

RISK: Data exposure, accidental. Inadvertent sharing of information with unauthorized persons (e.g. emails accidentally forwarded, texts sent to the wrong person).
MITIGATION STEPS:
- Basic HIPAA and security training for all staff.
- Secure destruction of documents and devices.
- Written security policy.
- Social media policy.
- Email policy and safeguards.
- Advanced security training.
- Limited contacts list.
- Monitor social media, email, and website for inappropriate, negative or unwanted activity.

5 IP/MAC address restrictions limit access to a system to clients connecting from specific IP or MAC (hardware) addresses. A MAC address is only visible on the local network segment and can be set to any value by the client, so a MAC filter keeps casual users off, not attackers; IP restrictions are useful only for connections that come from fixed, known addresses.

Risk During Transition/Migration of IT Systems

Practices merge and split; facilities retire old systems and implement new ones; organizations hire and terminate employees; software and hardware are upgraded, updated, and replaced. Each of these events entails risk of data loss, corruption, or exposure. Mitigation steps for each risk are listed from basic, through intermediate, to advanced.

RISK: System updates. Data is lost, compromised, or corrupted during a software update or reconfiguration.
MITIGATION STEPS:
- Backup. Backup again. Test functionality after updating.
- Testing with actual data before committing to changes (a test copy holding real PHI must be protected, and then securely destroyed, like any other copy).
- Run concurrent systems until stability of the new system is assured.

RISK: System migration. Data is lost, compromised or corrupted during transition to a new system (e.g., merging practices).
MITIGATION STEPS:
- Same as system updates.

RISK: Data exchange. Confidential information is lost, corrupted or exposed by business associates, correspondents, or contractors.
MITIGATION STEPS:
- HIPAA business associate agreements.
- Consult your technical and legal advisors.

WHAT NOW?

This document gives health care organizations a place to start in assessing and addressing cyber risk, but it only scratches the surface. It is important that health care professionals dedicate ample time to take inventory of their specific organization's risks, and develop a tailored plan to address them. These five steps will help any organization better understand risks, develop plans to mitigate them, and be prepared if a breach occurs.

1. Talk to your insurance advisors about cyber liability. The legal liabilities for cyber events (data loss, privacy breach, defamation, unauthorized disclosure, infringement, etc.) are not covered by typical liability insurance policies.
2. Have cyber liability coverage and understand it. Every COPIC insured receives basic cyber liability insurance as part of their COPIC policy. However, based on the unique needs of each organization, supplemental coverage may be necessary.
3. Document your cyber risk assessment.
4. Document your privacy, safety and security policy. This should include guidelines regarding employee handling of data and devices, access to systems, and policies for use and disclosure of protected information.
5. Document your mitigation plan. Note the steps you've already taken to address threats and vulnerabilities. Make a timeline for addressing steps that have not yet been completed.

CONSIDERATIONS WHEN LOOKING FOR EXTERNAL SUPPORT

Some organizations seek an outside partner to help manage the audit process. For practices or facilities considering this route, asking these questions of a prospective firm may be helpful.
1. Does the firm have a thorough understanding of HIPAA and HITECH requirements?
2. Has the firm worked with similar health care organizations to conduct similar types of audits?
3. How thorough will the firm's work be? Will consultants interview employees, in addition to completing checklists? Will the firm also audit your policies and procedures, in addition to your systems?
4. What is the outcome of the firm's work? Will you receive a report of risks? A full mitigation plan? Will the firm assist in mitigation efforts?

RESOURCES

Resources are available to help practices and facilities understand and respond to cyber liability risk.

Coverage and Resources for COPIC Insureds

Questions about COPIC cyber liability coverage or additional coverage options? If you work with an agent, we encourage you to contact him or her directly first. COPIC can also serve as a resource.
Mitch Laycock, Account Executive, COPIC Financial Service Group
mitchl@copic.com
(720) 858-6297
(800) 421-1834, ext. 6297

Resources available on COPIC's website at www.callcopic.com/copic-services/pages/Cyber-Liability.aspx:
- Fast Facts: COPIC's Cyber Liability Coverage
- In-person seminars and online education courses (which also qualify for COPIC points) such as:
  -- Liability and Safety of Electronic Health Records
  -- Communicating Electronically with Colleagues & Patients
  -- Defending Electronic Documentation
  -- Cyber Liability Insurance
  -- Social Media Liability
  -- Disaster Preparation and Response
  -- Security & Privacy Risk Assessment
  -- Health Care Transitions and Task-Oriented Medicine
  Visit www.callcopic.com/education for more information on seminars and courses.
- Supplemental Cyber Liability Coverage Details
- Access to NAS Insurance Services cyber liability resources, including:
  -- Risk assessment tools
  -- HIPAA/HITECH compliance information
  -- Industry best practices
  -- Webinars and online training programs
  -- Sample policies

Third-Party Tools and Resources

ECRI Institute: guidance and tools to help health care facilities improve health IT safety. www.ecri.org
Federal Bureau of Investigation, Cyber Crime Unit: information on threats, scams and protections. www.fbi.gov/about-us/investigate/cyber
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT): alerts, advisories, training opportunities, best practices and assessments. ics-cert.us-cert.gov

Research and Trends

Ponemon Institute: research on privacy, data protection and information security policy. www.ponemon.org
Symantec Internet Security Threat Report: overview and analysis of the year in global threat activity. www.symantec.com/security_response/publications
Verizon Data Breach Investigations Report: annual investigation into common threat patterns. www.verizonenterprise.com/dbir
Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool: HIPAA compliance assessment tool. www.healthit.gov/providers-professionals/security-risk-assessment-tool
U.S. Department of Health and Human Services (HHS) Office for Civil Rights: HIPAA guidelines and resources. www.hhs.gov/ocr/privacy
HIMSS: professional development and resources on a wide variety of health information topics. www.himss.org
Specialty Societies: contact your specialty medical society to gain an understanding of the specific risks that may be inherent in your specialty.

7351 E. LOWRY BLVD., STE. 400, DENVER, CO 80230 720.858.6000 800.421.1834 CALLCOPIC.COM