Healthcare Cyber Security
PRESENTED BY HEALTH CARE MANAGEMENT & ARTHUR J. GALLAGHER RISK MANAGEMENT SERVICES
JANUARY 23, 2013
AJG & HCM

Arthur J. Gallagher
Arthur J. Gallagher & Co., one of the world's largest insurance brokerage and risk management services firms, provides a full range of retail and wholesale property/casualty (P/C) brokerage and alternative risk transfer services globally, as well as employee benefit brokerage, consulting and actuarial services. Gallagher also offers claims and information management, risk control consulting and appraisal services to clients around the world.

Health Care Management
Health Care Management is a cutting-edge medical and technology consulting firm that specializes in improving your practice's efficiencies and cutting costs through outsourcing practice management, medical billing and technology services with the use of CCHIT Certified EMR software, network monitoring technologies and highly trained specialists.
Speakers

Joe Dylewski
Joe is a twenty-five year Information Technology veteran, with ten years spent exclusively in the Healthcare Industry. In addition to holding positions as an Infrastructure Project Manager and Healthcare IT Infrastructure Specialist responsible for Local Area Network, Wide Area Network, and Telephony Services, Joseph has also served as a Healthcare IT Services Practices Director and Account Manager. During that time, he led, and his teams executed, successful high-impact/large-dollar projects for Electronic Medical Record and HIPAA Compliance implementations across multiple Healthcare Providers and Payers in Michigan. He leveraged that experience to develop a cost-effective, time-efficient, and repeatable model to assist in the assessment and remediation of HIPAA compliance for Covered Entities and Business Associates of all sizes. Joseph earned his Bachelor of Business Administration in Information Technology and his Master's Degree in Mathematics from Eastern Michigan University. He also holds the following certifications: Certified HIPAA Professional, HIPAA Certified Security Specialist, and Information Technology Infrastructure Library Foundation. Joe is an Assistant Professor at Madonna University, is frequently invited as a subject matter expert in speaking engagements, and is viewed as a national thought leader in Physician Practice and Business Associate HIPAA compliance.

Jill Jordan
Jill is a National Resource for Cyber Risk & Professional Liability for Arthur J. Gallagher Risk Management Services, Inc. with focus on the Midwest Region. Jill manages and produces a diverse book of Professional Liability accounts consisting of Technology Errors & Omissions, Cyber Risk, and Media Liability. Jill has over 11 years' experience as an insurance broker and has been with the Cyber Risk Group of Arthur J. Gallagher for the last five and a half years. Jill began her career with Arthur J. Gallagher in the Houston, TX office working on property and casualty middle market and risk management accounts with a focus on the Energy Industry. Jill earned her BA in general studies from Louisiana State University. She is also a member of the Professional Liability Underwriters Society (PLUS).
Environment

HIPAA 101
• HIPAA – Health Insurance Portability and Accountability Act of 1996
• Insurance Portability
• Fraud Prevention
• Administrative Simplification
• Privacy of Protected Health Information (PHI)
• Security of Protected Health Information
HIPAA – Title II

HIPAA Title II: Administrative Simplification
• Electronic Data Interchange (Transaction and Code Sets)
• Privacy Rule
• Security Rule
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
Security Rule

The HIPAA Security Rule focuses on the Confidentiality, Integrity and Availability of Protected Health Information.
The HITECH Act

HITECH – The Health Information Technology for Economic Recovery and Reinvestment Act of 2009
• Began in 2004 with the Bush Administration vision for Electronic Health Records by 2014
• Signed into law February 17, 2009 as a portion of ARRA
• Appropriated $44,000 to $63,000 to be provided as individual reimbursement to physicians who adopt and "meaningfully use" Electronic Medical Records
• The disbursement schedule for ARRA funds began in 2011 and is staggered across five years
HIPAA Enforcement

HIPAA Now Has Teeth: Fines and Enforcement
• Maximum fines raised from $25K to $1.5M
• Enforced by the Office of Civil Rights
• Currently building HIPAA audit candidate target list
• Fines collected fund and support the enforcement process
• Funds appropriated within HITECH to develop enforcement efforts within the State's Attorney General Office
• Practitioners face maximum OCR fines of $50,000 for falsely attesting to M.U. Measure #15
• Ignorance no longer tolerated
Compliance Effort vs. Risk

Violation tiers, from highest compliance risk to lowest (increasing degree of HIPAA compliance effort; decreasing degree of HIPAA compliance risk):
• "Due to Willful Neglect if the violation is not corrected"
• "Due to Willful Neglect if the violation is corrected"
• "Due to Reasonable Cause and not Willful Neglect"
• "By exercising reasonable diligence would not have known"
OCR Audits and Current Activity

HIPAA Audits
• Audit Protocol
• Audit Identification and Rollout
• Audit Triggers
  • Self-reported Breach
  • Patient Complaint
  • Random Audit
Cyber Security Trends

Publicized breaches reported annually and records exposed, by year:

Year                           2012          2011         2010         2009          2008         2007
Publicized breaches reported   310           414          662          498           656          448
Records exposed                9,235,228     22,945,773   16,167,542   222,477,043   35,691,255   127,000,000

Notes: 2012 figures are as of 9/25/12; the 2007 total includes 94 million records from the TJX incident.

Breaches by industry, shown as "% of breaches / % of records" for each year:

Industry              2012            2011            2010            2009            2008            2007
Financial/Banking     3.2% / 2.3%     7.0% / 2.7%     8.2% / 30%      11.4% / 0%      11.9% / 52.5%   7% / 6.9%
Educational           14.8% / 19.1%   14.3% / 3.6%    9.8% / 9.9%     15.7% / 0.4%    20% / 2.3%      24.9% / 1%
Govt./Military        11% / 20.4%     11.4% / 43.7%   15.7% / 7.5%    18.1% / 35.7%   16.8% / 8.3%    24.7% / 6.4%
Medical/Healthcare    34.2% / 20.5%   16.3% / 20.5%   24.2% / 11.6%   13.7% / 5.1%    14.8% / 20.5%   14.5% / 3.1%
All Other Business    36.8% / 37.7%   46.9% / 33.7%   42% / 41%       41.2% / 58.9%   36.6% / 16.5%   28.9% / 82.6%
Causes of a Breach
• 39% Negligence
• 37% Malicious or Criminal Acts
• 24% System Failure
Major Risk Concerns
• Human Error
• Hackers
• Rogue Employees
• Independent Contractors
• Social Media
• Mobile Devices
• A Changing Regulatory Environment
• Cloud Computing
Response Cost Per Record
• $15 for Notification
• $13 for Discovery / Forensics / Legal Expenses
• $35 for Credit Monitoring and ID Theft Services
Estimated Total Cost of a Breach
• $194 per record – estimated average cost of a security/privacy breach (includes response costs, defense and damages)
• $5.5M total cost per breach
• 15% of total cost – average cost to defend a claim [1]

[1] 2011 Annual Study: U.S. Cost of a Data Breach, by the Ponemon Institute, LLC; sponsored by Symantec
Cyber Liability – Coverage Descriptions

Security & Privacy Liability
Covers the defense costs and damages arising from the failure to prevent:
• Unauthorized access to the Insured's computer system and use of data by an outsider (hacker).
• Unauthorized access and/or use of confidential information by an employee.
• Theft or loss of data (electronic or paper).
• Transmission of malicious code.

Privacy Regulatory Action
Covers:
• Investigative costs for a civil demand or proceeding, arising from a security breach, brought by or on behalf of a governmental agency, including requests for information related thereto.
• Fines & penalties where insurable by law.

Breach Response
Covers the expenses incurred within one year of a security breach for:
• Investigation, including computer forensics, to determine the cause of the security breach.
• Hiring a crisis management and/or public relations firm.
• Notifying potential victims of the breach as required by state law.
• Credit monitoring for potential victims.
• Identity theft services, including identity restoration.
Coverage Descriptions Cont.

Media Liability
Covers the defense costs and damages arising from an error or omission in the creation or distribution of content for:
• Personal Injury – including defamation, slander, invasion of privacy and emotional distress.
• Intellectual Property Infringement – including copyright, domain name, title, slogan, trademark and trade name (excludes patent infringement).

Cyber Extortion
Covers the investigation expenses and payments made to a party threatening to attack the Insured's computer system or to release, use or destroy confidential information.

Network Interruption
Covers the expenses for lost income from an interruption to the Insured's computer system as a result of a security breach.

Data Recovery/Restoration
Covers the expenses incurred to restore, recreate or recollect electronic data damaged or lost by a security breach.
So What Can You Do?

Prevention
• Having a proper risk assessment done
• Following through with assessment recommendations
• Being adamant about precautionary measures

Preparation
• Having a Cyber policy put into effect
• Having the right limits and coverage in place
• Having a plan of action ready to go