Legal Grand Rounds
Update on Privacy and Security Laws with Best Practices
Carol Romej, J.D., LL.M.
August 26, 2015

Passwords
- Alphanumeric
- Case sensitive
Data Sources: Where is the data stored?
- Office computers / home computers
- Laptops
- PDAs
- CDs, DVDs
- Flash/thumb drives, memory cards
- Personal folders
- Deleted e-mails or documents
- Network and FTP servers
- Mainframes
- Backup tapes
- Legacy systems
- Cell/smart phones
- Answering machines
- Voicemail
- Other archive media or third-party storage media

Understanding Data Volume
- 2 kilobytes = 1 typewritten page
- 1 megabyte = 1 small novel
- 1 gigabyte = 1 pickup truck full of novels
- 100 gigabytes = 1 average library floor of academic journals
- 2 terabytes = an academic research library
- 10 terabytes = U.S. Library of Congress
- 2 exabytes = all information generated in 1999
[Roy Williams, Data Powers of Ten]

Critical Data
- Social Security number
- Driver's license
- Birth date
- Protected Health Information under HIPAA/HITECH (insurance/medical)
- Employment/income
- Email address
ANTHEM Breach
- The second largest health insurance company, operating plans across the country
- Breach: estimated 80 million current and past customers affected
- Method: infiltrated Anthem's network with a malware program that provided the login credentials of an Anthem employee; the login was then used to make database queries

Compromised Anthem Customer Data
- Social Security numbers
- Date of birth
- Name and address
- Email address
- Employment and income

Potential Illegal Uses of Data
- Phishing attacks
- Opening new accounts
- Takeover of current accounts
- Sale of insurance account on the black market

Action Items for Victims
- Change all passwords to your accounts, and elect to have a secondary password assigned
- Ensure two-factor authentication is enabled (password and device)
- Obtain copies of credit reports at least once a year (Equifax, Experian, TransUnion)
- Activate a security freeze

General Recommendations
- Never carry your Social Security card with you
- Be conservative in your disclosures on social media
- Shred outdated sensitive documents
- Lock up and secure important documents
- Monitor financial and account information
Compliance Security Survey says:
- 61%: implemented a security product to satisfy a compliance requirement which actually put the organization's data at greater risk
- 71%: fear for their organization's data security
Source: Lieberman Software's Annual Information Security Survey 2015

BEST PRACTICES
- Create and implement a written document retention/destruction policy for data
- Data map: where does PHI and other data requiring security live? (i.e., who, what, where, how, when)
- Organize data storage efforts to reduce the time, cost, and human capital needed to locate critical data
- Identify the vendors who store, transmit and/or receive PHI
- Audit Business Associate Agreements and their core agreements

Introduction to Legal Issues: Data Security
Identity Theft Protection Act
- A crime to obtain personally identifying information of another with intent to commit a crime, or to sell such information to someone else who will

Communications under False Pretenses
- Electronic mail, web page, or other communications
- Purporting to be on behalf of a business without authority
- Inducing or soliciting disclosure of personally identifying information
- Intent to use the information to commit identity theft or another crime
Data Breach Notification A requirement to notify residents of Michigan upon the discovery of a security breach of last name and driver license, social security number or account number(s).
Data Breach Notification Laws are directed to a person or agency that:
- Owns or licenses personal information data
- Maintains personal information data

Primary Obligation
- Determining if a breach is likely to cause a substantial loss or injury to, or result in Identity Theft with respect to, 1 or more residents of this state

Breach Evaluation Criteria
- Encrypted/unencrypted
- Redacted/unredacted
- Authorized/unauthorized access
- Identification of device: server(s), laptop, USB (thumb) drive

Exceptions for Unauthorized Access
- Data was accessed in good faith
- Access was related to activities of the company
- The employee or other individual accessing the data did not misuse or improperly disclose any personal information

Notice Requirement
- If unencrypted and unredacted personal information was accessed and acquired by an unauthorized person
- If personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key

Notice Communications
- Clearly state the general information related to the security breach
- Describe the personal information that was the subject of the unauthorized access/use
- Describe what has been done to protect data from further security breaches
- Provide contact information where a recipient of the notice may obtain assistance
- Communicate the need to remain vigilant for instances of fraud and Identity Theft
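The evaluation criteria, exceptions and notice requirement above combine into a triage decision that a security incident team works through for every event. The following is an added example, not part of the presentation: it encodes those criteria as one function and runs it over a few constructed incidents. The Incident fields and sample incidents are my own assumptions; the "substantial loss or injury" judgment under Primary Obligation is a separate determination that this check does not make.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    """One security event, described with the slide's evaluation criteria.
    Field names are assumptions made for this example."""
    device: str             # server, laptop, usb drive, ...
    encrypted: bool         # was the personal information encrypted?
    redacted: bool          # was it redacted (e.g. only last 4 digits of SSN)?
    key_compromised: bool   # did the unauthorized party also obtain the key?
    acquired: bool          # data was accessed *and* acquired, not merely viewed
    good_faith: bool        # access was made in good faith ...
    business_related: bool  # ... related to the company's activities ...
    misused: bool           # ... and personal information was misused/disclosed


def notice_required(inc: Incident) -> tuple:
    """Return (notice_required, reason) by applying the slide's rules in order:
    exception for good-faith access first, then the two notice triggers."""
    # Exception: good-faith, business-related access with no misuse or
    # improper disclosure does not trigger notice.
    if inc.good_faith and inc.business_related and not inc.misused:
        return False, "exception: good-faith, business-related access, no misuse"
    # Both notice triggers require that data was accessed *and* acquired.
    if not inc.acquired:
        return False, "data accessed but not acquired"
    # Trigger 1: unencrypted and unredacted personal information acquired.
    if not inc.encrypted and not inc.redacted:
        return True, f"unencrypted, unredacted data acquired from {inc.device}"
    # Trigger 2: encrypted data acquired together with the encryption key.
    if inc.encrypted and inc.key_compromised:
        return True, f"encrypted data and its key acquired from {inc.device}"
    return False, "data encrypted without key compromise, or redacted"


# Constructed sample incidents (not real events).
SAMPLE_INCIDENTS = {
    "stolen_laptop": Incident("laptop", encrypted=False, redacted=False,
                              key_compromised=False, acquired=True,
                              good_faith=False, business_related=False,
                              misused=False),
    "lost_encrypted_usb": Incident("usb drive", encrypted=True, redacted=False,
                                   key_compromised=False, acquired=True,
                                   good_faith=False, business_related=False,
                                   misused=False),
    "db_access_with_stolen_key": Incident("server", encrypted=True, redacted=False,
                                          key_compromised=True, acquired=True,
                                          good_faith=False, business_related=False,
                                          misused=False),
    "employee_wrong_record": Incident("server", encrypted=False, redacted=False,
                                      key_compromised=False, acquired=True,
                                      good_faith=True, business_related=True,
                                      misused=False),
}


def triage(incidents: dict) -> dict:
    """Map each incident name to its (notice_required, reason) decision."""
    return {name: notice_required(inc) for name, inc in incidents.items()}


if __name__ == "__main__":
    for name, (required, reason) in triage(SAMPLE_INCIDENTS).items():
        print(f"{name:28s} notify={required!s:5s} {reason}")
```

The rule order matters: the good-faith exception is tested first because it removes the event from the notice analysis entirely, while the encryption and redaction checks only decide among events that already involve an unauthorized acquisition.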
SOCIAL SECURITY NUMBER PRIVACY ACT
For all or more than 4 sequential digits of an SSN:
- Do not display
- Do not use as a primary account number
- Do not use on an identification badge
- Do not use on a membership card
- Do not require transmission over the Internet (unless secure/encrypted)
- Do not mail a document where the SSN is visible from the outside of the envelope

Consumer Protection Act
- With only limited exceptions, cannot require a consumer to disclose an SSN as a condition of selling or leasing goods or providing a service
- A receipt from an electronic device where a credit or debit card was used for payment may not display any part of the expiration date or more than the last 4 digits of the consumer's account number
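Both acts set the same kind of limit: at most the last 4 digits of an identifier may appear, and for card receipts no part of the expiration date. As an added example (not from the presentation), the block below shows masking routines that meet those limits and a checker that flags output exposing more than 4 sequential SSN digits, which is how a reviewer can audit existing reports or receipt templates. Function names and the constructed sample values are my own.

```python
import re


def mask_ssn(ssn: str) -> str:
    """Display form of an SSN showing only the last 4 digits: ***-**-6789."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def receipt_card_line(pan: str, expiry_mmyy: str) -> str:
    """Card line for a printed receipt: last 4 digits of the account number
    only, and the expiration date is never written out (it is accepted so the
    caller can pass the full card record, then deliberately dropped)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected account number length")
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return f"CARD {masked}"


def exposes_ssn_digits(text: str, ssn: str) -> bool:
    """True if text reveals 5 or more sequential digits of the given SSN,
    allowing a single dash or space between digits (e.g. '123-45')."""
    digits = re.sub(r"\D", "", ssn)
    for start in range(len(digits) - 4):
        window = digits[start:start + 5]
        pattern = "[- ]?".join(window)
        if re.search(pattern, text):
            return True
    return False


def audit_lines(lines, ssn: str) -> list:
    """Return the subset of constructed output lines that expose the SSN."""
    return [line for line in lines if exposes_ssn_digits(line, ssn)]


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    sample_ssn = "123-45-6789"
    report = [
        "Member: J. Doe  SSN: 123-45-6789",      # full SSN: violation
        "Member: J. Doe  SSN: " + mask_ssn(sample_ssn),  # compliant
        "Badge ID 12345",                        # 5 sequential SSN digits: violation
    ]
    print("offending lines:", audit_lines(report, sample_ssn))
    print(receipt_card_line("4111 1111 1111 1111", "12/27"))
```

The checker is intentionally stricter than a regex for the full dashed SSN format: the statute speaks of sequential digits, so a badge or account number built from the middle of an SSN is caught as well.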
HIPAA
PHI is individually identifiable information that is transmitted or maintained in any form or medium (electronic, paper, or oral) that relates to:
- past, present, or future physical or mental health conditions
- the provision of health care to an individual
- past, present, or future payments for the provision of health care

HITECH Required Breach Notification
Breach notification is required when there is:
- acquisition, access, use, or disclosure not permitted by the HIPAA Privacy Rule
- of unsecured PHI,
- and, when no exception applies, that incident compromises the security or privacy of the data.

PCI DSS: Payment Card Industry Data Security Standard

EMV Cards
- Standard set by Europay, MasterCard and Visa
- Embedded microchip which generates a unique one-time code required for transaction approval
- Protects in-store payments
- Liability shift falls on retailers who have not upgraded their systems
- Deadline for face-to-face transactions: October 1, 2015
Data Breach Investigations Report
- Over 50 global organizations are contributors
- Aggregate and analyze common incident patterns
- Publish findings and make recommendations to industry

Classifications of Security Incidents
- Web app attacks
- Cyber espionage
- POS intrusions
- Insider misuse
- Card skimmers
- Error
- Physical theft/loss
Source: 2015 DBIR, Verizon

2010 DBIR Verizon Data
- Most breaches are discovered by external parties
- Most breaches could have been avoided without difficult or expensive controls

2014 DBIR Data
- Cyber espionage: a consistent growth of reported incidents
- Payment card skimmers: the ATM skimmers are getting more realistic and sophisticated
- Stolen devices from corporate offices: on the rise

How Risk is Created
- Poor access controls
- Improper or weak authentication
- Insufficiently protected credentials
- Untimely security patch management
- No network monitoring
- Improper device configuration
- Lack of audit logging

Risk Scenarios for Mobile Devices
- Employee fails to use remote wipe on a lost mobile device with hospital information
- Employee uses an unapproved cloud-based note-taking and clipping service and stores unencrypted patient information
- Employee copies patient information to a USB drive
- Employee transfers patient information to a commercial file-sharing application

The Detection Deficit
- Discovery
- Resolution
- Root cause
Insurance Coverage
- Policy exclusions: pre/post 2001 policies
- New insurance products: network security, privacy, data loss, business interruption loss from viruses

Selection of Data Breach Insurance
- Assess the hospital's risk situation
- Have a 3rd party perform a risk assessment
- Discuss insurance options with a variety of internal departments

Recent Case Law
- Jane Doe v Henry Ford Health System
- Columbia Casualty Co. v Cottage Health System
Source: 2010 DBIR Verizon

Internal Procedures
- Govern the development, acquisition, implementation, and maintenance of information systems and related technology used to collect, use, retain, and disclose personal information.
- Ensure that the entity's backup and disaster recovery planning processes are consistent with its privacy policies and procedures.
- Classify the sensitivity of classes of data and determine the classes of users who should have access to each class of data. Users are assigned user access profiles based on their need for access and their functional responsibilities as they relate to personal information.
- Assess planned changes to systems and procedures for their potential effect on privacy.
- Test changes to system components to minimize the risk of an adverse effect on systems that process personal information. All test data is analyzed.
- Sign-off by the privacy/security officer and/or business unit manager before implementing changes to systems and procedures that handle personal information, including those that may affect security.
Top 10 Data Breach Questions
1. Was any data compromised?
2. What data was compromised?
3. Is the data breach still occurring?
4. Have you set a defensible path?
5. Was the data breach accidental or malicious?
6. Was the data encrypted?
7. Have you implemented a crisis communications plan?
8. Have you alerted counsel / law enforcement?
9. Have you researched your legal obligation for breach notification?
10. Have you tested your data breach response plan?
See www.krollfraudsolutions.com

BREACH RESPONSE ACTIVITIES
- Convene the Security Incident team
- Identify affected individuals
- Retain IT experts and forensic imaging services
- Create a call center
- Identify an Identity Theft Protection Service provider
- Retain a mail notice vendor
- Retain a public relations firm
- Preserve attorney-client privilege (contract with third-party IT/forensics and notice production vendors)
- Stage internal communications

Practice Tips
- Perform a system risk assessment
- Implement company-wide security training
- Enable network security monitoring
- Review access and security log files
- Require physical access controls for facilities and computers
- Review hardware and software contracts for security obligations and liabilities

Phishing Employee Security Training
- Avoid e-mail that asks for user name or password
- Awareness that connecting your infected personal device to the organization network can infect other devices on the network
- No legitimate business/service/website would ever ask employees to transmit sensitive data
- Employees should be directed to utilize devices that have been vetted by the organization
Source: Entrust, Inc.
References
- www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
- Jane Doe and All Others Similarly Situated v Henry Ford Health System, 2014 WL 7202864
- Columbia Casualty Co. v Cottage Health System, Complaint for Declaratory Judgment and Reimbursement of Defense and Settlement Payments, May 7, 2015
- www.veriscommunity.com
- www.vcdb.org
- www.sans.org
- www.cert.org
- www.counciloncybersecurity.org
- www.idtheftcenter.org
- www.consumer.ftc.gov
- The 2015 Data Breach Investigations Report (DBIR). Edited by Verizon Enterprise Solutions.
- The Ponemon Institute LLC. 2014: A Year of Mega Breaches, The Security Impact of Mobile Device Use by Employees, Pub. Date: Dec. 2014.
- www.us-cert.gov

Questions?
Carol Romej, J.D., LL.M.
Cromej@hallrender.com
(248) 457-7814
Hall, Render, Killian, Health & Lyman