Managing Cyber & Privacy Risks


Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts

SEAN CONABOY, INSURANCE BROKER, NSM INSURANCE GROUP
o Sean has been with NSM Insurance Group for the past 11 years, specializing in working directly with Provider Organizations in the Addiction Treatment, Behavioral Healthcare, and Human Service Industries.
o Sean combines 22 years of experience working at all levels of the Behavioral Healthcare Industry with his Property / Casualty expertise in developing Insurance & Risk Management programs tailored to meet the specific needs of client organizations.
o Sean also holds a Master's Degree in both Social Work & Health Care Administration.
Sean's Mantra: Choose your Broker as carefully as you would any other Executive position within your Organization!

RICH WILLETTS, CPCU, ARM, PROGRAM DIRECTOR, ADDICTION TREATMENT PROVIDERS
o Rich is a 27-year insurance industry veteran with extensive U.S. commercial underwriting and risk management experience.
o For the past 12 years he has focused exclusively on insurance products and risk management programs for the Behavioral Healthcare industry.
o Rich developed and leads the largest insurance program in the country insuring a broad range of behavioral healthcare providers.

Not IF but WHEN
o Expanding cyber perimeter: more access points
o Push to EHRs, social media and mobile devices
o Increased sophistication of cyber attacks
96% of all healthcare providers admit to suffering at least one data breach within the past 2 years. - Ponemon Institute

The Perfect Storm
o FIRST PARTY EXPENSES
--- Business Interruption: loss of income / extra expenses
--- Data restoration costs
--- Breach coach / consultant
--- IT forensics
--- Legal: compliance regulations / indemnification rights
--- Notification costs
--- Call center
--- Public relations / crisis management
--- Credit monitoring
--- EOB monitoring
--- ID restoration / investigation
--- Extortion costs
* Damage to reputation and patient goodwill

The Perfect Storm (continued)
o THIRD PARTY EXPENSES
Lawsuits
--- Regulatory violation allegations (HIPAA/HITECH)
--- Patient claims (privacy, emotional distress)
Regulatory Fines
--- HIPAA
--- HITECH
--- PCI-DSS
--- FTC
--- AG inquiries / fines
--- HHS/OCR audits and investigations

Personally Identifiable Information (PII)
o Definition: Information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.
First or Last Name in combination with:
o Social Security number
o Driver's license number
o Financial Account number
o Credit, Debit, or payment card

Protected Health Information (PHI)
As defined by HIPAA: Any information, whether oral or recorded in any form or medium, that
o Is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse, and
o Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of health care to an individual.

HIPAA: Health Insurance Portability and Accountability Act of 1996
o Health care organizations must maintain reasonable and appropriate technical and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.
o Safeguards must apply to both transmission and storage of information.

HIPAA Update 2009 / HITECH
o Requires notification within 60 days of a privacy breach involving an individual's HIPAA-covered personal health information
o Requires business associates to meet most security requirements that previously applied only to covered entities
o Authorizes state attorneys general to bring suit for HIPAA violations
o Requires notification of the Department of Health & Human Services and the media in privacy breaches involving 500 or more individuals.

New and Stronger HIPAA Regulations, Effective 3/26/13
o Patient requests for EHR: within 30 days
o Patient approval to share info about treatment plan with health plan
o Any loss or inappropriate disclosure of data is presumed to be a breach
o Business associates required to comply with HIPAA
o Penalties for non-compliance up from $25k to $50k, with annual limit of $1.5M

What is a Data Breach?
o Unauthorized access to protected information (PII and PHI)
--- Lost or stolen mobile devices, laptops, tablets, smart phones
--- Employee error and rogue / former employees
--- Outsourced / 3rd party vendors & business associates

Incidents by Breach Type
o Third Party Vendor / Business Associates: 41%
o Employee Error and Rogue Employees: 19%
o Negligence with Laptop or other Mobile Devices: 40%

Loss Scenarios
o While traveling on business, a Treatment Center Finance Officer has their Laptop stolen. The device contained Information on 525 Patients including Name, D.O.B., Address, Phone #s, Clinical Diagnostic Codes, Bank Account & Credit Card Information.
o An employee in Housekeeping who is apparently Star Struck upon meeting a celebrity in the course of the day posts her interaction with a high visibility patient on Facebook. Her post is later picked up / shared with the Media who (trying to appease their readership's interest) proceed to publicize this individual's presence in said Treatment Center.
o A Treatment Center is notified by their Cloud Computing Vendor (storing Patient Information, Clinical and Financial Data) that their system was breached and an unknown # of records were downloaded.

Risk Score Tool
Is your organization at risk of a breach? Here's a quick checklist.
o Are laptops always stored in locked, secured areas when not in use?
o Are all portable electronic storage devices containing e-PHI encrypted and password protected?
o Are all paper documents containing PHI disposed of in locked bins and then shredded?
o Do you have an Information Security Officer, and do your employees receive training on HIPAA Privacy and Security and HITECH Act rules?
o Do business associates have service organization control reports available, or independent IT audits that evaluate HIPAA and HITECH Act compliance?
o Are controls in place to authenticate authorized users?
o Have you performed a risk analysis to identify risks and vulnerabilities to e-PHI?
o Do you have an updated list of all user accounts with access to systems that store, transmit or access e-PHI (for active and terminated employees and contractors)?
o Is there an available inventory of all information systems, including network diagrams and listing of hardware and business associates that are used to store, transmit or maintain e-PHI?
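Two of the checklist questions (an up-to-date list of accounts with e-PHI access, covering terminated staff and contractors, and encryption of portable devices holding e-PHI) can be answered mechanically rather than by self-attestation. The script below is an added example and is not part of the NAATP presentation or NSM's material. It reconciles a constructed HR roster against constructed account exports from two assumed e-PHI systems ("ehr" and "billing") and checks a constructed portable-device inventory; the system names, column layouts and every row of data are assumptions made for illustration.

```python
# Added example (not from the original presentation): an access-review and
# device-inventory check for the checklist questions on user accounts and
# encrypted portable devices. All data, system names and column layouts below
# are constructed assumptions, not real exports.
import csv
import io

# Constructed HR roster: who is active and who has left.
HR_ROSTER = """\
user_id,name,status
jdoe,Jane Doe,active
bsmith,Bob Smith,terminated
cwong,Cathy Wong,active
tlee,Tom Lee,terminated
"""

# Constructed account exports from two assumed systems that hold e-PHI.
ACCOUNT_EXPORTS = {
    "ehr": """\
user_id,enabled,last_login
jdoe,true,2013-05-01
bsmith,true,2013-04-20
tlee,false,2012-11-30
""",
    "billing": """\
user_id,enabled,last_login
jdoe,true,2013-05-02
cwong,true,2013-01-15
tlee,true,2013-03-01
vendor_svc,true,2013-05-03
""",
}

# Constructed inventory of portable devices (laptops, USB drives, tablets).
DEVICE_INVENTORY = """\
asset_tag,owner,type,encrypted,stores_ephi
L-001,jdoe,laptop,false,true
L-002,cwong,laptop,true,false
U-007,bsmith,usb,false,true
"""


def parse_csv(text):
    """Parse an embedded CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _truthy(value):
    """Exports spell booleans differently; normalise the common forms."""
    return value.strip().lower() in ("true", "yes", "1")


def terminated_with_access(roster_text, exports):
    """(system, user_id) pairs where a terminated person still has an enabled account."""
    terminated = {r["user_id"] for r in parse_csv(roster_text) if r["status"] == "terminated"}
    findings = []
    for system, text in exports.items():
        for acct in parse_csv(text):
            if acct["user_id"] in terminated and _truthy(acct["enabled"]):
                findings.append((system, acct["user_id"]))
    return sorted(findings)


def orphan_accounts(roster_text, exports):
    """Enabled accounts with no matching person in HR (vendor, shared or stale accounts)."""
    known = {r["user_id"] for r in parse_csv(roster_text)}
    findings = []
    for system, text in exports.items():
        for acct in parse_csv(text):
            if acct["user_id"] not in known and _truthy(acct["enabled"]):
                findings.append((system, acct["user_id"]))
    return sorted(findings)


def unencrypted_ephi_devices(inventory_text):
    """Asset tags of portable devices that hold e-PHI but are not encrypted."""
    return sorted(
        d["asset_tag"] for d in parse_csv(inventory_text)
        if _truthy(d["stores_ephi"]) and not _truthy(d["encrypted"])
    )


def access_review_report(roster_text, exports, inventory_text):
    """Bundle the three checks into one dict that can be kept as the audit record."""
    return {
        "terminated_with_access": terminated_with_access(roster_text, exports),
        "orphan_accounts": orphan_accounts(roster_text, exports),
        "unencrypted_ephi_devices": unencrypted_ephi_devices(inventory_text),
    }


if __name__ == "__main__":
    report = access_review_report(HR_ROSTER, ACCOUNT_EXPORTS, DEVICE_INVENTORY)
    for check, hits in report.items():
        print(f"{check}: {hits if hits else 'none'}")
```

Running the script on the constructed data flags a terminated employee still enabled in the EHR, a terminated contractor still enabled in billing, a vendor service account that HR does not know about, and two unencrypted devices holding e-PHI (one of them assigned to a terminated employee). The point of keeping each check as a function returning a list is that the same run can be repeated each month and the output retained as evidence for the "updated list of all user accounts" question, which is the kind of record a business associate audit or an insurer's application will ask for.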

Strongly Consider Purchasing Cyber Liability/Data Security Insurance
o Liability: defense and settlement costs for alleged failure to properly care for private data
o Remediation: investigation, public relations, customer notification, credit monitoring and costs to re-secure data

Strongly Consider Purchasing Cyber Liability/Data Security Insurance (continued)
o Fines/Penalties: cost to investigate, defend and settle fines and penalties
o Extortion coverage
o Business Interruption costs
* Cyber policy comes with resource center and data breach coach: experts in legal and data breach response

Do I already have CYBER coverage?
o ISO Commercial Property? Electronic Data Extension only addresses loss or damage to data which has been destroyed or corrupted by a covered cause of loss.
o Commercial Crime Form? No coverage, due to the Definition of Other Property and the Exclusion of Indirect Loss.
o General Liability Policy? Addresses only physical injury to persons or tangible property, as well as the Insured's publication of material that violates a person's right to privacy.
o Professional Liability Policy? May be limited by the description of Professional Services or by exclusions for Invasions of Privacy.

Only Cyber Insurance Addresses These Expenses
o Notification Expenses: when required by law or on a voluntary basis (each state has its own rules)
o Credit Monitoring Expenses: for a stipulated period of time and/or under specified circumstances (each state has its own rules)
o Crisis Management Expenses: including expenses related to legal analysis, as well as public relations

Cyber coverage varies widely
o Some policies exclude coverage for claims related to the Insured's failure to maintain or upgrade their security!
o Some policies exclude coverage for claims alleging fraudulent or malicious acts by employees!
o Some policies exclude certain operations of the Insured, or may not cover various types of computer or peripheral device!
o Some policies exclude coverage for fines and penalties!

Current Trends in Cyber Coverage
o Limits range from $50,000 for basic 1st-party coverage to $20M
o Premiums range from $15,000 to $35,000 per million
o Pricing has dropped 20-30% in the past two years
o Application process simplified

References
For a complete copy of this presentation please email Sean Conaboy at NSM Insurance Group: sfconaboy@nsminc.com
PONEMON RESEARCH INSTITUTE: WWW.PONEMON.ORG
PRIVACY RIGHTS RESEARCH INSTITUTE: WWW.PRIVACYRIGHTS.ORG
FEDERAL TRADE COMMISSION: WWW.FTC.GOV
STATE SECURITY BREACH LAWS: WWW.NCSL.ORG/ISSUES-RESEARCH/TELECOM/SECURITY-BREACH-NOTIFICATION-LAWS.ASPX
CREDIT REPORTS: WWW.ANNUALCREDITREPORT.COM
ID THEFTS: WWW.IDTHEFTCENTER.ORG
INFORMATION TECHNOLOGY RISK MANAGEMENT RESOURCES AND CONSULTANTS
SYMANTEC: WWW.SYMANTEC.COM
ID EXPERTS: WWW.IDEXPERTS.COM
NETDILIGENCE: WWW.NETDILIGENCE.COM
APGAR & ASSOCIATES: WWW.APGARANDASSOCIATES.COM
KAUFMAN & ROSSIN: WWW.KAUFMANROSSIN.COM
WEB, EMAIL, DATA SECURITY SYSTEMS
WEBSENSE: WWW.WEBSENSE.COM
CYBER PATROL: WWW.CYBERPATROL.COM

QUESTIONS?
SEAN CONABOY: SFCONABOY@NSMINC.COM, 800-970-9778 EXT. 153
RICH WILLETTS: RJWILLETTS@NSMINC.COM, 800-970-9778 EXT. 225