Health Care Data Breach Discovery Strategies for Immediate Response
March 27, 2014
Pillsbury Winthrop Shaw Pittman LLP

Faculty
- Gerry Hinkley, Partner, Pillsbury Winthrop Shaw Pittman LLP
- Sarah Flanagan, Partner, Pillsbury Winthrop Shaw Pittman LLP
- Lara Forde, Response Team Manager, AllClear ID
- Daren Hutchison, Associate Director, Navigant Consulting
Overview
- How to prepare for the inevitable breach
- What to do immediately upon a suspected breach
- How to structure and conduct an investigation and forensic analysis
- Identify best practices for communications planning
- Identify best practices for notification, compliance and remediation
- Approaches to training and discipline
- Preparing for enforcement and litigation
- Managing privacy litigation
Preparing for the Inevitable Breach
- Engage your risk management department and buy Cyber Insurance: know what your coverage will and won't do for you
- Employ a centrally managed system designed to detect and prevent the unauthorized use and transmission of data in motion, at rest and at endpoints
- Perform a rolling risk assessment with continuous security improvements
- Train and authenticate personnel
- Authorize and limit applications
- Continuously audit security and integrity internally and externally
Adopt Policies and Procedures
- Processes for discovering breaches
- Procedures and forms for reporting
- Mechanisms for determining:
  - if unsecured PHI is involved
  - individuals affected
  - applicable notification requirements

Adopt Policies and Procedures (Continued)
- Processes for:
  - determining appropriate mitigation
  - developing advice to affected individuals
  - creating and distributing notices
  - determining and creating other forms of communication
  - accounting for notification
  - reporting to the Secretary of HHS
What To Do Immediately after a Breach Is Suspected
- Discovery: when does it occur?
  - When discovered (or when it should have been discovered) by someone other than the person who committed the breach
  - This starts the clock for notification requirements

What To Do Immediately after a Breach Is Suspected (Continued)
- Upon discovery, kick off the response:
  - Internal report: prompt, upstream reporting is critical
  - Involve legal counsel to enable attorney-client privilege
  - Take immediate steps to close the breach
  - Preserve all evidence
  - Responsible official refers to policies and procedures previously adopted to develop the initial plan for response
  - Publish and implement the plan for response
  - Confirm and implement lines of authority
  - Establish a communications plan
  - Notify senior management and the breach team
  - Begin planning for notification and mitigation
  - Begin the forensic investigation
Investigation
R.E.S.P.O.N.D. Acronym:
- R.equest Information
  - Interviews
- E.valuate the Situation
  - Ongoing Threat?
  - Types of Data/Information Involved
- S.ecure the Crime Scene and/or S.top the Attack
  - Password Changes
  - Maintain Affected Device, Machine, System Integrity
- P.reserve Evidence
  - Stop Purge of Backups
  - Forensics

Investigation (Continued)
- O.rganize the Examination
  - Forensics Scope
  - Internal Reports
- N.otify Individuals and/or N.ote Findings
  - Data Mining and Enrichment
  - Forensic Reports
- D.etermine Causes
  - Follow-up Analyses
Forensic Analysis
- Data Involved
  - Devices/Machines/Networks
  - Email Archives
  - System Databases
  - Backups & Logs (Need to Recreate?)
- Log Analysis
  - Network Traffic
  - Website Activity
  - Email Message Tracking
  - System Auditing
  - Anti-Virus Reports
- PII/PHI Data Mining
  - Standardization and Conversion of Data
  - Patterns and Terms Searching

Forensic Analysis (Continued)
- Notification Lists
  - Enrichment
  - Address Inclusion
- Remediation
  - Malware or Virus Cleansing
- Process & Findings
  - Written Report
  - Verbal Debrief
- Follow-up
  - Incident Response Gap Assessment
  - System Changes, Access Rights, Identifiers (Account Numbers, Passwords)
  - System Assessments, Security Audits, Pen Testing
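As an added illustration of the PII/PHI data mining and notification-list steps (this is example code written for this page, not part of the deck or any presenter's tooling), the script below standardizes a few constructed records recovered during a review, searches them for SSN and MRN patterns and clinical terms, deduplicates them into one entry per affected individual with a mailing address, and applies the deck's later rule that credit monitoring is only worth offering when an SSN was lost. The record layout, field names and sample people are assumptions.

```python
import re

# Constructed sample of records recovered from an exported file during the
# forensic review (hypothetical data, not from the original deck).
SAMPLE_RECORDS = [
    "Jane Doe | MRN: 00123 | SSN: 123-45-6789 | 12 Oak St, Austin TX 78701 | Dx: diabetes",
    "JANE DOE | MRN 00123 | SSN 123456789 | 12 Oak St, Austin, TX 78701",
    "John Roe | MRN: 00456 | SSN: n/a | 9 Elm Ave, Denver CO 80202 | Rx: insulin",
    "system heartbeat ok | no patient data",
]

# Patterns and terms searched for (assumed formats for this example).
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
MRN_RE = re.compile(r"\bMRN:?\s*(\d+)\b", re.IGNORECASE)
ADDRESS_RE = re.compile(r"^\d+ .+\b[A-Z]{2} \d{5}$")   # "12 Oak St, Austin TX 78701"
PHI_TERMS = ("dx:", "rx:", "diagnosis", "treatment")   # clinical-content markers


def mine_records(records):
    """Standardize records and collect one entry per affected individual, keyed by MRN."""
    affected = {}
    for line in records:
        mrn = MRN_RE.search(line)
        if not mrn:
            continue  # no patient identifier: not an affected-individual record
        entry = affected.setdefault(
            mrn.group(1), {"name": None, "ssn": None, "address": None, "phi": False}
        )
        fields = [f.strip() for f in line.split("|")]
        # Standardization: name casing and SSN formatting differ between exports.
        entry["name"] = entry["name"] or fields[0].title()
        ssn = SSN_RE.search(line)
        if ssn:
            entry["ssn"] = "-".join(ssn.groups())
        # Address inclusion: keep the first mailing address seen for the notice.
        for field in fields:
            if ADDRESS_RE.search(field) and not entry["address"]:
                entry["address"] = field
        if any(term in line.lower() for term in PHI_TERMS):
            entry["phi"] = True
    return affected


def build_notification_list(records):
    """Notification list with a flag for the deck's rule: credit monitoring only if an SSN was lost."""
    rows = []
    for mrn, entry in sorted(mine_records(records).items()):
        rows.append({"mrn": mrn, **entry, "offer_credit_monitoring": entry["ssn"] is not None})
    return rows


if __name__ == "__main__":
    for row in build_notification_list(SAMPLE_RECORDS):
        print(row)
```

The duplicate export of Jane Doe collapses into one row, and John Roe, whose record carried clinical data but no SSN, is listed for notification without the credit-monitoring offer.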
Best Practices: Breach Communications Planning
- Involve the right stakeholders from the beginning
  - Internal: Executives, Board, General Counsel, IT, Customer Service, Marketing
  - External: Attorney, Response Vendors, Law Enforcement, Regulators, Crisis Management firm, Insurer
  - Healthcare-specific contacts/regulators: HHS, OCR, etc.
- Identify a decision maker for the incident; keep all stakeholders informed
- Provide employee guidelines: answering customer questions, posting on social media, speaking with the media
Best Practices: Notification and Compliance
- An experienced breach attorney will help ensure compliance
  - FEDERAL LAW: HIPAA/HITECH notice requirements
  - STATE LAW: Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands
  - Example: California 5 day notification window for breaches containing certain health records
- Consider reaching out to regulators proactively and keeping them informed
  - A courtesy phone call goes a long way
  - Focus on what you are doing to help their citizens
Best Practices: Notification and Remediation
- Don't require individuals to enroll in order to receive help
- Excellent customer service and remediation rebuilds trust
- Offer the appropriate identity protections for the data lost

Don't Require Enrollment to Get Help
- Enrollment requirements increase resentment, calls, complaints and usage of expensive protection features
  - Consumers resent being asked to give out their information after you exposed it
  - Drives higher usage of expensive protections like credit monitoring
- Regulators know that enrollment blocks 90% of consumers from receiving help
Excellent Service and Remediation Rebuilds Trust
- Excellent customer service is the key to rebuilding trust
- Offer to resolve any harm that results from the breach
- Provide a call center staffed by identity theft experts
- Know if your data will be sold: Regulators are investigating data brokers

Offer Appropriate Protections
- Choose protections based on the risk linked to the data
- Avoid credit monitoring unless you lose SSNs
  - Not effective for PHI breaches unless SSNs are involved
  - Most expensive service
Training and Discipline
- Training: lessons learned
  - Directly address problems identified
  - Emphasize pertinent policies and procedures
  - Identify resources to consult
- Consider discipline if there was a violation of policy or procedure
  - Underscores that the institution takes it seriously
  - Tension between discipline and the need for witness testimony
Preparation for Enforcement Actions and Litigation
- Privilege and investigation
  - The time period for notices is challenging when organizing the investigation
  - Counsel should be involved
- Preservation of arguably relevant material and communications
  - Points of contact with agencies and media
  - Investigation materials
- Relationship with other parties involved in the breach (e.g., vendors)
Privacy-Related Enforcement Actions and Lawsuits on the Rise
- Increase in healthcare privacy breach actions
  - More medical data maintained electronically
  - Data on mobile or home devices
  - Mandatory notice to consumers
- Increase in agency attention and enforcement
  - AG unit
- Statutory and nominal damages and strict liability attract class actions

Challenges in Managing Privacy Litigation
- Protected medical information: protective orders
- Ongoing relationships with patient plaintiffs and staff/caregivers involved in the breach
- Class actions
  - Unsettled law
  - Nominal damages: huge exposure
- Impact of settlements on agencies
- Media reporting
Questions and Answers

Thank You for Participating!
- Gerry Hinkley, Partner, Pillsbury Winthrop Shaw Pittman LLP, Phone: 415.983.1135, gerry.hinkley@pillsburylaw.com
- Sarah Flanagan, Partner, Pillsbury Winthrop Shaw Pittman LLP, Phone: 415.983.1190, sarah.flanagan@pillsburylaw.com
- Lara Forde, Response Team Manager, AllClear ID, Phone: 512.814.9702, lara.forde@allclearid.com
- Daren Hutchison, Associate Director, Navigant Consulting, Phone: 303.383.7322, dhutchison@navigant.com