Managing Cyber & Privacy Risks
NAATP Conference 2013
NSM Insurance Group
Sean Conaboy
Rich Willetts
SEAN CONABOY, INSURANCE BROKER, NSM INSURANCE GROUP
o Sean has been with NSM Insurance Group for the past 11 years, specializing in working directly with Provider Organizations in the Addiction Treatment, Behavioral Healthcare, and Human Service Industries.
o Sean combines 22 years of experience working at all levels of the Behavioral Healthcare Industry with his Property / Casualty expertise in developing Insurance & Risk Management programs tailored to meet the specific needs of client organizations.
o Sean also holds a Master's Degree in both Social Work & Health Care Administration.
Sean's Mantra: Choose your Broker as carefully as you would any other Executive position within your Organization!
RICH WILLETTS, CPCU, ARM, PROGRAM DIRECTOR, ADDICTION TREATMENT PROVIDERS
o Rich is a 27-year insurance industry veteran with extensive U.S. commercial underwriting and risk management experience.
o For the past 12 years he has focused exclusively on insurance products and risk management programs for the Behavioral Healthcare industry.
o Rich developed and leads the largest insurance program in the country insuring a broad range of behavioral healthcare providers.
Not IF but WHEN
o Expanding cyber perimeter: more access points
o Push to EHRs, social media and mobile devices
o Increased sophistication of cyber attacks
"96% of all healthcare providers admit to suffering at least one data breach within the past 2 years" - Ponemon Institute
The Perfect Storm
o FIRST PARTY EXPENSES
--- Business Interruption: loss of income / extra expenses
--- Data restoration costs
--- Breach coach / consultant
--- IT forensics
--- Legal: compliance regulations / indemnification rights
--- Notification costs
--- Call center
--- Public relations / crisis management
--- Credit monitoring
--- EOB monitoring
--- ID restoration / investigation
--- Extortion costs
--- *Damage to reputation and patient goodwill
The Perfect Storm (continued)
o THIRD PARTY EXPENSES
Lawsuits
--- Regulatory violation allegations (HIPAA/HITECH)
--- Patient claims (privacy, emotional distress)
Regulatory Fines
--- HIPAA
--- HITECH
--- PCI-DSS
--- FTC
--- AG inquiries/fines
--- HHS/OCR audits and investigations
Personally Identifiable Information (PII)
o Definition: Information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.
First or Last Name in combination with:
o Social Security number
o Driver's license number
o Financial Account number
o Credit, Debit, or payment card
Protected Health Information (PHI)
As defined by HIPAA: Any information, whether oral or recorded in any form or medium, that
o Is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse, and
o Relates to the past, present, or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for the provision of health care to an individual.
HIPAA: Health Insurance Portability and Accountability Act of 1996
o Health care organizations must maintain reasonable and appropriate technical and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.
o Safeguards must apply to both transmission and storage of information.
HIPAA Update 2009 / HITECH
o Requires notification within 60 days of a privacy breach involving an individual's HIPAA-covered personal health information
o Requires business associates to meet most security requirements that previously applied only to covered entities
o Authorizes state attorneys general to bring suit for HIPAA violations
o Requires notification of the Department of Health & Human Services and the media in privacy breaches involving 500 or more individuals
New and Stronger HIPAA Regulations Effective 3/26/13
o Patient requests for EHR: within 30 days
o Patient approval to share info about treatment plan with health plan
o Any loss or inappropriate disclosure of data is presumed to be a breach
o Business associates required to comply with HIPAA
o Penalties for non-compliance up from $25k to $50k, with an annual limit of $1.5M
What is a Data Breach?
o Unauthorized access to protected information (PII and PHI)
--- Lost or stolen mobile devices, laptops, tablets, smart phones
--- Employee error and rogue / former employees
--- Outsourced / 3rd party vendors & business associates
Incidents by Breach Type
o Third Party Vendor / Business Associates: 41%
o Employee Error and Rogue Employees: 19%
o Negligence with Laptop or other Mobile Devices: 40%
Loss Scenarios
o While traveling on business, a Treatment Center Finance Officer has their Laptop stolen. The device contained Information on 525 Patients including Name, D.O.B., Address, Phone #s, Clinical Diagnostic Codes, Bank Account & Credit Card Information.
o An employee in Housekeeping who is apparently Star Struck upon meeting a celebrity in the course of the day posts her interaction with a high visibility patient on Facebook. Her post is later picked up / shared with the Media who (trying to appease their readership's interest) proceed to publicize this individual's presence in said Treatment Center.
o A Treatment Center is notified by their Cloud Computing Vendor (storing Patient Information, Clinical and Financial Data) that their system was breached and an unknown # of records were downloaded.
Risk Score Tool
Is your organization at risk of a breach? Here's a quick checklist.
o Are laptops always stored in locked, secured areas when not in use?
o Are all portable electronic storage devices containing e-PHI encrypted and password protected?
o Are all paper documents containing PHI disposed of in locked bins and then shredded?
o Do you have an Information Security Officer, and do your employees receive training on the HIPAA Privacy and Security and HITECH Act Rules?
o Do business associates have service organization control reports available, or independent IT audits that evaluate HIPAA and HITECH Act compliance?
o Are controls in place to authenticate authorized users?
o Have you performed a risk analysis to identify risks and vulnerabilities to e-PHI?
o Do you have an updated list of all user accounts with access to systems that store, transmit or access e-PHI (for active and terminated employees and contractors)?
o Is there an available inventory of all information systems, including network diagrams and a listing of hardware and business associates that are used to store, transmit or maintain e-PHI?
Strongly Consider Purchasing Cyber Liability / Data Security Insurance
o Liability: defense and settlement costs for alleged failure to properly care for private data
o Remediation: investigation, public relations, customer notification, credit monitoring and costs to re-secure data
Strongly Consider Purchasing Cyber Liability / Data Security Insurance (continued)
o Fines/Penalties: cost to investigate, defend and settle fines and penalties
o Extortion coverage
o Business Interruption costs
o *Cyber policy comes with a resource center and data breach coach: experts in legal and data breach response
Do I already have CYBER coverage?
o ISO Commercial Property? Electronic Data Extension only addresses loss or damage to data which has been destroyed or corrupted by a covered cause of loss.
o Commercial Crime Form? No coverage, due to the Definition of Other Property and the Exclusion of Indirect Loss.
o General Liability Policy? Addresses only physical injury to persons or tangible property, as well as the Insured's publication of material that violates a person's right to privacy.
o Professional Liability Policy? May be limited by the description of Professional Services or by exclusions for Invasions of Privacy.
Only Cyber Insurance Addresses These Expenses
o Notification Expenses: when required by law or on a voluntary basis (each state has its own rules)
o Credit Monitoring Expenses: for a stipulated period of time and/or under specified circumstances (each state has its own rules)
o Crisis Management Expenses: including expenses related to legal analysis, as well as public relations
Cyber coverage varies widely
o Some policies exclude coverage for claims related to the Insured's failure to maintain or upgrade their security!
o Some policies exclude coverage for claims alleging fraudulent or malicious acts by employees!
o Some policies exclude certain operations of the Insured, or may not cover various types of computer or peripheral devices!
o Some policies exclude coverage for fines and penalties!
Current Trends in Cyber Coverage
o Limits range from $50,000 for basic 1st party coverage to $20M
o Premiums range from $15,000 to $35,000 per million
o Pricing has dropped 20-30% in the past two years
o Application process simplified
References
For a complete copy of this presentation, please email Sean Conaboy at NSM Insurance Group: sfconaboy@nsminc.com
o Ponemon Research Institute: www.ponemon.org
o Privacy Rights Research Institute: www.privacyrights.org
o Federal Trade Commission: www.ftc.gov
o State Security Breach Laws: www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx
o Credit Reports: www.annualcreditreport.com
o ID Theft: www.idtheftcenter.org
Information Technology Risk Management Resources and Consultants
o Symantec: www.symantec.com
o ID Experts: www.idexperts.com
o NetDiligence: www.netdiligence.com
o Apgar & Associates: www.apgarandassociates.com
o Kaufman & Rossin: www.kaufmanrossin.com
Web, Email, Data Security Systems
o Websense: www.websense.com
o Cyber Patrol: www.cyberpatrol.com
QUESTIONS?
Sean Conaboy: sfconaboy@nsminc.com, 800-970-9778 ext. 153
Rich Willetts: rjwilletts@nsminc.com, 800-970-9778 ext. 225