Health care providers have become prime targets of cyber criminals, since they hold a treasure trove of irresistible data, including Social Security numbers and medical records (think access to prescription painkillers). As cyber criminals become more sophisticated, medical practices are more vulnerable than ever.
In this webinar "Data Breach: It Can Happen To You," hosted by the Cooperative of American Physicians, Inc. (CAP), viewers will learn:
+ What a data breach is
+ Its economic impact
+ Why the threat is growing
+ Steps to take to protect yourself
+ The must-dos in the event of a breach
Watch the webinar here —> https://youtu.be/mqdMA-UZNy0
About Our Presenters:
Melvin Osswald, Vice President Program Underwriting, NAS Insurance — Ms. Osswald joined NAS in 2002 and specializes in health care, cyber liability, employment practices, and directors and officers coverage. Ms. Osswald currently supports NAS’ reinsurance programs and oversees the underwriting and product development of Billing Errors and Omissions, Cyber Liability, Employment Practices Liability, and Directors and Officers programs created to address the new exposures facing health care providers. She has been featured as a guest speaker at various industry conferences addressing the evolving professional liability risks in health care, and served on the Steering Committee of the Southern California Chapter of the Professional Liability Underwriting Society.
Chris Reese, Vice President, Director of Underwriting, NAS Insurance — As part of NAS’ key management team, Ms. Reese provides insurance solutions for clients in the health care industry. She has held leadership positions on both the underwriting and retail broker sides of the business, and has worked in the London market for a reinsurance intermediary. Ms. Reese has been involved with cyber risk insurance for the health care industry since 2004, providing coverage to physicians, medical groups, and integrated delivery systems.
MORE SLIDESHARE PRESENTATIONS
http://www.slideshare.net/capphysicians/presentations
VISIT OUR WEBSITE
http://www.cappphysicians.com
LET'S CONNECT
Twitter: http://www.twitter.com/CAPphysicians
LinkedIn: https://www.linkedin.com/company/cooperative-of-american-physicians-inc-
Facebook: http://www.facebook.com/CooperativeofAmericanPhysiciansInc
YouTube: http://youtube.com/CAPphysicians
Google+: http://www.google.com/+Capphysicians
3. The information in this presentation should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.
4. A Data Breach Is Not A Disaster. Mishandling It Is.
5. Introduction: Complexity of Cyber Threats has Grown Dramatically
US businesses face increasingly sophisticated threats that outstrip traditional defenses
Economics of cybersecurity favor the attackers
Reputational harm is significant
Competing pressures within organizations: deploy IT resources to mitigate risk as well as to advance the business technologies required to service customers and compete
6. Economic Motivation
An estimated 95% of attacks are economically motivated, attempting to steal data:
Corporate trade secrets
Personal information (name/address/SSN/banking info)
Health insurance information
Medical history information
Employee records
7. Advanced Persistent Threats – “High End Attacks”
Ultra-sophisticated teams of cyber criminals
Deploy increasingly targeted malware in multi-staged stealth attacks
Goal – penetrate all of the perimeter defense systems
Intruders look at multiple avenues to exploit vulnerabilities at every layer of security until they reach their goal
Cyber security field consensus – criminals are ahead of the corporations that need to defend themselves
8. Vulnerability is not limited to External Threats – “Low End Attacks”
Employees – poorly trained, not following required protocols, disgruntled
Subcontractors and independent contractors
“BYOD” – bring your own device
Any party that the company connects to electronically creates a vulnerability – vendor and partner management
10. In the News
In 2013 and 2014, the Identity Theft Resource Center (ITRC) documented nearly 1,400 data breaches in the US, including:
Target – 110,000,000 Records Compromised
Anthem Breach – 78,800,000 Records Compromised (source: USA Today, April 14, 2015)
Home Depot – 56,000,000 Records Compromised
IRS – 1,400,000 Records Compromised
J.P. Morgan Chase – 1,000,000 Records Compromised
Saint Joseph Health System – 405,000 Records Compromised
University of Maryland – 309,079 Records Compromised
11. In the News (cont.)
Touchstone Medical Imaging (TN) – 307,528 Records Compromised
Sutherland Healthcare Solutions – 168,500 Records Compromised
Indiana University – 146,000 Records Compromised
Orthopaedic Specialty Institute (AL) – Iron Mountain – 49,714 Records Compromised
Office of Nisar Quraishi (NY) – 20,000 Records Compromised
Office of Dennis Flynn, M.D. (IL) – 13,646 Records Compromised
12. What is a Breach?
A breach is defined as an event in which an individual’s name plus Social Security number (SSN), driver’s license number, medical record, or a financial record/credit/debit card number is potentially put at risk.
Paper or electronic records
Potential security threats: anything that compromises the integrity, security or confidentiality of information
Circumstances where a data breach may have happened or could happen in the future (e.g. a lost flash drive with PII)
13. Number of Breaches is on the Rise
Identity Theft Resource Center (ITRC) documented 783 U.S. data breaches in 2014, representing a 27.5% increase over the number of breaches reported in 2013 *
42.5% of the breaches were in the medical/healthcare industries.
Hacking incidents represented the leading cause of data breach incidents, accounting for 29% of the breaches tracked by the ITRC.
This was followed for the second year in a row by breaches involving Subcontractor/Third Party at 15.1%.
* http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
14. Question
Are data breaches more likely to be caused by a hacker or by malware/virus penetrating the cyber defense?
Hacker
Malware/virus
15. Claims – Source of Exposed Data (source: NetDiligence report 2014)
Percentage of Records Exposed by Cause of Loss:
Hacker – 74%
Malware/Virus – 23%
Theft of Hardware and all other causes – remainder
17. Regulatory Climate
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Variety of State laws
18. Why are Healthcare Providers a Target?
Privacy exposures:
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Medical records (electronic and paper)
Billing information (credit cards, addresses, bank information, etc.)
Insurance information
Social Security numbers
Employee information
Corporate/Financial information
19. Sources of Exposure
Negligence & carelessness
Lost or stolen laptops & other portable devices
Improper disposal of records
Lack of system protections
Increased use of electronic databases
Outsourcing of services
Rogue employees
20. Costs of a Data Breach
Our results show that the cost to respond to a data breach is usually between $10 and $30 per record for breach response services that include some legal expenses, patient notification letters, call center support, and credit monitoring services. (Keep in mind this number is an average. Costs can exceed $30 a record in some cases. IT costs, legal fees, and government fines are additional.)
21. A Simplified View of a Data Breach
Discovery of a Data Breach
Evaluation of the Data Breach – Forensic Investigation and Legal Review
Managing the Short-Term Crisis – Notification and Credit Monitoring; Public Relations
Handling the Long-Term Consequences – Class-Action Lawsuits; Regulatory Fines, Penalties, and Consumer Redress; Reputational Damage; Income Loss
22. Cyber Liability Coverage Claims Example
Clinic hit with $150,000 HIPAA Penalty – Breach Investigation Triggers Resolution Agreement
A federal investigation of a relatively small breach has resulted in a financial penalty for a physician group practice in Massachusetts. The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one of its staff members. The thumb drive was never recovered.
The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and to train workforce members.
In addition to the $150,000 HIPAA penalty, the settlement includes a corrective action plan requiring APDerm to develop a risk analysis/risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.
The Department of Health and Human Services' Office for Civil Rights on Dec. 26, 2013 announced a resolution agreement with Adult & Pediatric Dermatology, PC of Concord, Mass.
(SOURCE: HHS.gov, December 2013)
23. Cyber Liability Coverage Claims Example
Hospital Notifies Six Years’ Worth of Patients After Breach
A stolen, unencrypted laptop computer has caused Gibson General Hospital in Princeton, Ind., to notify all 29,000 patients treated during the past six years of a breach of their protected health information.
The password-protected laptop was among the items stolen during a burglary of an employee's home on Nov. 27, 2012, according to the hospital. Some employees are permitted to bring home laptops; the employee required 24-hour access to the electronic health records system, according to the hospital. Note that a login password does not protect data at rest once the drive is removed from the machine; whole-disk encryption of portable devices is the control that addresses this exposure.
The laptop has not been found and the hospital cannot determine which patients had information on it, so it is notifying all patients since January 2007, when the EHR was implemented. But the clinical records contain names, addresses, Social Security numbers and treatment details, among other information. There is no indication the data has been accessed, according to a notice to patients.
Gibson General Hospital is offering affected patients one year of free credit monitoring and identity theft protection services.
(SOURCE: NAS Claims Department)
24. Breaches in the News
$50 Million Class Action Lawsuit Against Long Island Health System
Twelve people have filed a $50 Million class-action lawsuit against Long Island Health System and North Shore University Hospital, where thieves stole physical paper records called “face sheets” plus encrypted digital files that contained patient information such as insurance numbers, Social Security numbers, dates of birth, addresses and medical histories.
(Source: Modern Healthcare, Feb. 2013)
25. Breaches in the News
$400,000 Penalty in HIPAA Case
Idaho State University has agreed to pay $400,000 as part of a resolution agreement stemming from an incident it reported in August 2011 that potentially could have exposed information on 17,500 patients at the university’s Pocatello Family Medicine Clinic. Patient information was vulnerable for at least 10 months because a firewall protecting a server was disabled, according to the Department of Health and Human Services’ Office for Civil Rights.
(SOURCE: Government Information Security, May 2013)
26. Breaches in the News
Three laptops stolen from New York podiatry office, 6,475 at risk
Nearly 6,500 patients of Sims and Associates Podiatry may have had personal information compromised after three laptops containing the patient data were stolen from the New York office. The types of personal information at risk included names, addresses, Social Security numbers, phone numbers, genders, ages, and personal health and insurance information (also visit dates, vascular testing information, weights and prescribed orthotics, x-ray dates and imaging…). A notification was posted on the Sims and Associates Podiatry website.
(SOURCE: Sims and Associates Podiatry, Important Security and Protection Notification, April 2014)
27. Question
When evaluating your business’ exposure to a potential data breach, you need to consider:
Type of information stored
System protections, including encryption
Employee access and education
Business associate agreements
In-house resources for the breach response plan/team
Cyber Liability Insurance coverage
All of the above
28. Risk Assessment
Type of information stored
System protections, including encryption
Employee access & education
Business associate agreements
Breach response plan/team
Cyber Liability Insurance
29. Four Basic Security Controls
Restricting user installation of applications (“whitelisting”)
Ensuring that the operating system is patched with current updates
Ensuring software applications have current updates
Restricting administrative privileges
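The four controls on this slide translate directly into checks that can be run against a workstation inventory export. The Python script below is an added example and is not part of the CAP/NAS presentation; the inventory, the baseline versions, the hostnames and the account names in it are constructed for illustration. It flags, per host, applications outside the approved list (whitelisting), an operating system behind the current build (OS patching), approved applications below their minimum version (application patching), and local administrators outside the approved set (administrative privileges). It also shows why version strings must be compared numerically: as text, "10.0.9" sorts after "10.0.10", so a naive string comparison would pass a stale OS.

```python
"""Audit a workstation inventory against the four basic controls.

Added example; the inventory export, version baseline, hostnames and
account names below are constructed for illustration.
"""
import json
import re

# Constructed baseline: what the practice has decided is acceptable.
BASELINE = {
    "approved_apps": {"EHR Client", "Web Browser", "PDF Reader"},          # whitelisting
    "os_current_version": "10.0.10",                                        # OS patching
    "min_app_version": {"Web Browser": "42.0.0", "PDF Reader": "11.0.10"},  # app patching
    "approved_admins": {"it-admin"},                                        # admin rights
}

# Constructed inventory export, in the shape an asset tool might emit.
SAMPLE_INVENTORY = json.dumps([
    {
        "hostname": "FRONTDESK-01",
        "os_version": "10.0.9",
        "software": [
            {"name": "EHR Client", "version": "3.2.1"},
            {"name": "Web Browser", "version": "41.0.2"},
            {"name": "Media Player", "version": "12.0"},
        ],
        "local_admins": ["frontdesk", "it-admin"],
    },
    {
        "hostname": "BILLING-02",
        "os_version": "10.0.10",
        "software": [
            {"name": "EHR Client", "version": "3.2.1"},
            {"name": "Web Browser", "version": "42.0.1"},
            {"name": "PDF Reader", "version": "11.0.10"},
        ],
        "local_admins": ["it-admin"],
    },
])


def parse_version(text):
    """Turn '10.0.9' into (10, 0, 9) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def audit_host(host, baseline=BASELINE):
    """Return one finding per control violation on a single host."""
    findings = []
    if parse_version(host["os_version"]) < parse_version(baseline["os_current_version"]):
        findings.append({"control": "os_patching",
                         "detail": f"OS {host['os_version']} is behind {baseline['os_current_version']}"})
    for app in host["software"]:
        name, version = app["name"], app["version"]
        if name not in baseline["approved_apps"]:
            findings.append({"control": "whitelisting",
                             "detail": f"{name} is not on the approved application list"})
            continue  # an unapproved app should be removed, not merely updated
        minimum = baseline["min_app_version"].get(name)
        if minimum and parse_version(version) < parse_version(minimum):
            findings.append({"control": "app_patching",
                             "detail": f"{name} {version} is below minimum {minimum}"})
    for account in host["local_admins"]:
        if account not in baseline["approved_admins"]:
            findings.append({"control": "admin_rights",
                             "detail": f"{account} holds local administrator rights"})
    return findings


def audit_inventory(inventory_json, baseline=BASELINE):
    """Map hostname -> list of findings for every host in a JSON inventory export."""
    return {host["hostname"]: audit_host(host, baseline) for host in json.loads(inventory_json)}


if __name__ == "__main__":
    for hostname, findings in audit_inventory(SAMPLE_INVENTORY).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{hostname}: {status}")
        for f in findings:
            print(f"  [{f['control']}] {f['detail']}")
```

Run against the constructed data, FRONTDESK-01 fails all four controls and BILLING-02 is clean. To use it for real, replace `SAMPLE_INVENTORY` with an export from whatever asset or endpoint tool the practice already has and keep `BASELINE` under change control, since the audit is only as good as the approved lists it compares against.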
30. Coverage Summary
CyberRisk Insurance – comprehensive data security and privacy insurance
Crisis Management Expenses and Breach Response: retain legal, forensic and public relations experts
Customer Notification Expenses and Customer Support Expenses: mandated by Federal and State laws
Security & Privacy Liability: defense and settlement for lawsuits from third parties
Privacy Regulatory Defense and Penalties: regulatory protection
Cyber Terrorism: loss of income due to attack on network from terrorists
Cyber Extortion: extortion expenses and monies
Multimedia Liability: defense and settlement for lawsuits from third parties for copyright or trademark infringement, libel or slander, or plagiarism for online and offline media
Network Asset Protection: loss of income and reimbursement for costs to replace data
31. Consider the Costs
Cost to consult with an experienced attorney – can range from $5,000 to $50,000 depending on the scope and complexity of the breach.
IT Forensics – IT forensic investigation costs can range from $5,000 to $100,000+ depending on the circumstances.
Patient Notification – plan on $1 to $3 per record depending on quantity.
Patient Call Center Support – the cost is usually between $5,000 and $20,000, depending on the circumstances.
Credit Monitoring – costs between $10 and $30 per individual that signs up for the service.
Public Relations Expenses – costs vary widely depending on the service provided and on the size and scope of the breach.
32. Question
Which of the following are important risk management steps?
Assign one person to be ultimately responsible for privacy and data security
Have a plan to address data security incidents
Determine where PHI or PII is stored
Conduct a risk assessment
Control vendors and business partners
Continuous workforce training
Annual update on company policy regarding privacy and compliance
All of the above
33. Cyber Liability Risk Management Website
• Compliance materials by state
• Templates are provided to help insureds implement policies and procedures
34. Cyber Liability Risk Management Website
• Summary of state-specific law for security breach notification
• Templates of Business Associate Agreement, Vendor Agreement, etc.
35. Compliance Basics – 8 Point Compliance Checklist and Procedures
Assign ultimate privacy and data security responsibility to one person
  Accountability
  Focus
Prepare for data security incidents
  Back-up plan if network goes down
  Restoration plan
  Notification to CAP
36. Compliance Basics – 8 Point Compliance Checklist and Procedures
Determine where Personal Information is stored
  Network
  Back-up tapes
  Cloud
  Downloaded onto portable devices / laptops
  Paper files (what is at your house?)
  Who has remote access? Downloaded files.
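Of the locations listed above, the network shares, laptops and downloaded files are the ones a file scan can actually inventory. The Python script below is an added example and is not part of the CAP/NAS presentation: it walks a directory tree and reports which files contain Social Security numbers or payment-card numbers, which are two of the data elements in the slide-12 breach definition. SSN candidates are filtered with the Social Security Administration's structural rules (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid), and card candidates must pass the Luhn check, so runs of phone numbers or reference codes are not reported. The sample files, and every number in them, are constructed for the example.

```python
"""PII discovery scan: find where SSNs and payment-card numbers live in a file tree.

Added example; the sample files created by build_sample_tree() are constructed
and every identifier in them is fictional.
"""
import os
import re
import tempfile
from collections import Counter

# SSA structural rules: area 000, 666 and 900-999 are never issued;
# group 00 and serial 0000 are never valid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13-19 digits, optionally separated by spaces or dashes.
# The Luhn check below weeds out most digit runs that are not card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Return True if a digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Count SSN and card-number hits in one text blob; empty Counter if none."""
    hits = Counter()
    ssn_count = len(SSN_RE.findall(text))
    if ssn_count:
        hits["ssn"] = ssn_count
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits["card"] += 1
    return hits


def scan_tree(root):
    """Walk a directory tree; return {relative_path: Counter} for files holding PII."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_pii(fh.read())
            except OSError:
                continue
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree():
    """Create a constructed sample tree (all data fictional) and return its path."""
    root = tempfile.mkdtemp(prefix="pii_scan_")
    os.makedirs(os.path.join(root, "billing"))
    os.makedirs(os.path.join(root, "downloads"))
    samples = {
        # two valid-looking SSNs and a Luhn-valid test card number
        "billing/patients_2014.csv":
            "name,ssn,card\nA. Patient,123-45-6789,4111 1111 1111 1111\nB. Patient,234-56-7890,\n",
        # a card number in free text; 000-12-3456 is rejected by the SSA area rule
        "downloads/notes.txt":
            "Called re: balance. Card on file 5500-0000-0000-0004. Ref 000-12-3456 (not an SSN).\n",
        # nothing sensitive: times and a short phone number
        "downloads/schedule.txt":
            "Mon 09:00 staff meeting\nTue 14:00 vendor call 555-0100\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, hits in sorted(scan_tree(root).items()):
        print(path, dict(hits))
```

Point `scan_tree` at a share, a laptop profile or a restored backup to build the data map the checklist asks for. Two limits to keep in mind: it reads files as text, so Office documents, PDFs and images need a text-extraction step first, and it only catches identifiers with a recognisable structure; diagnoses, medication lists and other free-text PHI will not match a pattern and still have to be located by knowing which systems and exports hold them.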
37. Compliance Basics – 8 Point Compliance Checklist and Procedures
Conduct a risk assessment
  Identify areas of greatest vulnerability and address these first
  Encryption for portable devices
  HIPAA compliance training
  Patch management
38. Compliance Basics – 8 Point Compliance Checklist and Procedures
Mitigate against identified risks
  Control your vendors and business partners
  Look at contracts for indemnification
  Control access; password management
Implement a continuous workforce training and awareness program
  Training – at least annually, including all staff
  Review and update company policy – at least annually
39. Reduce Risk – Utilize the Risk Management Website
Risk Assessment tools
Risk Management tips and Best Practices
Reduce Risk Easily – simple steps to do now
Be prepared – steps to take now
Policies – download
40. Manage a Breach – Responding to an Incident
Immediate Response – mitigate the potential damage to patients by acting quickly
Breach Notification Requirements – must comply with both Federal and State law
Report the Data Breach – the insurance policy includes coverage to retain counsel to advise on the proper response
41. Summary
Proactive steps – critical to minimize and prevent breaches
Encryption
Utilize the resources that CAP includes for all insured members
Training – both a proactive and a defensive measure
Report Data Breach – insurance coverage includes immediate breach response management
42. Thank You
Chris Reese
Vice President, Director of Underwriting
Melvin Osswald
Vice President, Program Underwriting
www.nasinsurance.com