© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com
Enterprise Risk Management and Cybersecurity: Is Your Health Plan Ready?
October 15, 2015
Agenda
1. Board and Fiduciary Responsibilities in Enterprise Risk Management
   -- Example: Strategic Partnerships and Alliances
2. Establishing Enterprise Risk Management Priorities
3. Cybersecurity: Privacy and Security Breaches (High Likelihood—High Significance)
4. Preparing Your Health Plan to Stay Ahead
Board Involvement
▪ Not-for-profit boards
• AMCP Foundation
• Maryland/Israel Development Center
• National Hospice Foundation
▪ For-profit boards
• Epstein Becker & Green, P.C.
• Trustmark Mutual Holding Company
• MammoPlan, Inc.
▪ Answering the Call: Understanding the Duties, Risks, and Rewards of Corporate Governance (4th ed., 2012)
Board and Fiduciary Responsibilities in Enterprise Risk Management
Board Obligations Generally Regarding Compliance
Duty of Care/Duty of Loyalty
▪ Board obligation to act in good faith and loyally in the Corporation's interest
▪ In re Caremark International, 698 A.2d 959 (Del. Ch. 1996):
"[The Court is] of the view that a director's obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director [personally] liable for losses caused by noncompliance with applicable legal standards. . . . Obviously the level of detail that is appropriate for such an information system is a question of business judgment."
Board Obligations Generally Regarding Compliance
Business Judgment Rule ("BJR")
▪ Presumption that Board members fulfill their fiduciary duties when they act on an informed basis and in good faith in the belief that a certain action is in the corporation's best interest
▪ In re Walt Disney, 906 A.2d 27 (Del. 2006)
• Issue of potentially unreasonable executive compensation
• Directors had not breached their fiduciary duties of good faith and loyalty, even though the court stated that the board's actions may have been below best corporate practices
Calls for Improved Risk Oversight
▪ Increased government enforcement and new or more frequent cybersecurity threats have triggered calls for improved risk oversight
• Boards of Directors are calling for greater engagement in risk oversight
• Management is responding even though there are significant competing priorities
Enterprise Risk Management Structure
▪ Management Committee?
• Identify risks
• Identify risk management opportunities
▪ Chief Risk Officer?
▪ The potential overlap between Compliance and Enterprise Risk Management
▪ Board fiduciary oversight of both
Example: Management's ERM Process Regarding Strategic Partnerships and Alliances
▪ Definition of a strategic partner/alliance
• The Company enters into a relationship with a third party to provide a unique service or technology that is critical to the Company's strategy, operations, and success
• Generally a longer-term relationship
• Longer, more strategic, and of greater impact than a normal vendor contract
• Example: IT vendors
▪ All health plans have a strategic partner or alliance
Potential Risks Regarding Strategic Partnerships and Alliances
▪ Partnering for critical services leaves the Company with less control
• Potential impact on sales, operations, client satisfaction, profitability, and compliance
▪ Failure of the partner to perform as expected would negatively impact consultant, broker, employer, employee, and government relationships
▪ The Company would likely be responsible for the partner's activities regarding privacy and information security
▪ Changes can occur at the partner
• Change in ownership or senior management
• Shift in strategy, products, or customer base
• Reputational issues
• Financial issues
How Can a Company Mitigate the Probability or Impact of the Risks Associated with Strategic Partnerships and Alliances?
▪ Upfront risk mitigation steps
• Conduct thorough initial due diligence on the operational capabilities and financial condition of the partner
• Understand the strategy of the partner to make sure there is a good strategic and cultural fit for both partners and that they share a common goal
• Draft a strong contract that provides protection regarding governance, performance expectations and standards, changes of ownership, dispute resolution, exclusivity, potential indemnification, and other key issues (for a partner that creates, receives, or maintains PHI on the Company's behalf, this includes the HIPAA business associate agreement)
▪ Ongoing risk mitigation steps
• Conduct regular reviews to ensure compliance and the financial stability of the partner
• Consider frequent on-site visits
• Build and maintain strong, mutually beneficial relationships
Establishing Enterprise Risk Management Priorities
Establishing Enterprise Risk Priorities: Heat Map
[Figure: heat map with Likelihood (considering controls and inherent risks) on one axis and Significance (financial, strategic, reputational, etc.) on the other, each running from Low to High]
5 Best Practices for an Effective Enterprise Risk Management Process
1. Establish a comprehensive ERM policy
2. Understand and assess risk as it relates to the Company's immediate and longer-term objectives, and consider risk management efforts
• Encourage open discussion of "what keeps people awake at night"
• Incorporate ERM into the strategic planning process
• Use risk indicators that are leading indicators
-- Adapted from the American Institute of CPAs (AICPA), "Top 10 'Next' Practices for Enterprise Risk Management," http://www.academia.edu/8716339/Top_Ten_Next_Practices_for_Enterprise_Risk_Management_2010_AICPA_Survey_Results_Table_of_Contents_Top_Ten_Next_Practices_for_Enterprise_Risk_Management
5 Best Practices for an Effective Enterprise Risk Management Process (continued)
3. Use ERM outcomes to guide the behavior and thought process of decision-makers
• Communicate regularly, thoroughly, top to bottom, bottom to top, and across the organization
4. Establish the right monitoring processes to make sure risk mitigation activities operate as designed
• Regularly track and monitor the risks facing the organization, both internally and externally
5. Ensure that the Board of Directors and senior management support the ERM policy
Cybersecurity: Privacy and Security Breaches (High Likelihood—High Significance)
Greater Connectivity, Higher Risk
▪ Greater interconnection and interdependency among health care entities expand vulnerabilities, which affects any entity connected with the health plan (vendors, suppliers, partners, customers)
▪ Lack of boardroom or senior management expertise often creates challenges when overseeing cybersecurity risks and risk management efforts
HIPAA Privacy Rule & Security Rule
▪ HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164)
• Protects the privacy of individually identifiable health information through national standards
• Permits disclosure of health information needed for patient care
▪ HIPAA Security Rule (45 C.F.R. § 164.300 et seq.)
• Sets national standards for the security of ePHI that is created, received, used, or maintained by a covered entity
• Operationalizes protections contained in the Privacy Rule by addressing the technical and non-technical safeguards a covered entity must put in place to secure ePHI
• Requires the covered entity to protect against "reasonably anticipated" threats to the security of ePHI and "reasonably anticipated" uses or disclosures that the Privacy Rule does not permit
• Since the 2013 HIPAA Omnibus Rule, the Security Rule's safeguard requirements apply directly to business associates as well, which is why the strategic-partner risk discussed above is also a HIPAA compliance risk
The Reality
"There are only two types of companies: those that have been hacked and those that will be."
-- Former FBI Director Robert Mueller
Who will be next?
▪ Over the last few months: over $450 million stolen credit and debit card numbers
▪ Over the past year: over $575 million spent by corporations after data breaches; over $1 trillion estimated in IP theft
-- http://www.naic.org/documents/committees_ex_financial_stability_tf_related_cybersecurity_insurance.pdf
▪ Hackers claiming allegiance to ISIS took control of the U.S. military's Central Command social media account on January 12, 2015
Interconnection & Integration
[Figure: diagram of the interconnected health care ecosystem, with Health Plans linked to Insurance, Patients, Physicians, Integrated Delivery, Home Health, Medical Devices, and Labs]
Heat Map: Cybersecurity Risks
[Figure: the same Likelihood (considering controls and inherent risks) versus Significance (financial, strategic, reputational, etc.) heat map, with cybersecurity risks plotted in the High Likelihood, High Significance quadrant]
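The two heat maps (ERM priorities, and cybersecurity risks placed in the High/High quadrant) score each risk by likelihood, adjusted for the controls in place, against significance. The Python below is an added illustration of that scoring and is not part of the deck: the 1-to-5 scale on both axes, the rule that controls reduce inherent likelihood by a percentage, the quadrant cut-off at the scale midpoint, and the sample risk register are all assumptions made for this example.

```python
"""Heat-map scoring of an ERM risk register: residual likelihood (inherent
likelihood adjusted for controls) against significance. Added illustration
only; the 1..5 scale, the percentage control adjustment and the sample
register are constructed for this example and do not come from the deck."""
from dataclasses import dataclass

SCALE_MAX = 5  # assumed scale for both axes: 1 = Low ... 5 = High


@dataclass(frozen=True)
class Risk:
    code: str                   # short label shown on the map
    name: str
    inherent_likelihood: int    # 1..SCALE_MAX, before considering controls
    control_effectiveness: int  # 0..100, percent reduction credited to controls
    significance: int           # 1..SCALE_MAX: financial, strategic, reputational impact


def residual_likelihood(risk: Risk) -> int:
    """Likelihood 'considering controls and inherent risks'.

    Controls scale the inherent score down by their effectiveness. The result is
    rounded up (the conservative choice) and never falls below 1: no control
    makes a breach impossible, which is the deck's 'those that will be' point."""
    if not 0 <= risk.control_effectiveness <= 100:
        raise ValueError(f"{risk.code}: control_effectiveness must be 0..100")
    for score in (risk.inherent_likelihood, risk.significance):
        if not 1 <= score <= SCALE_MAX:
            raise ValueError(f"{risk.code}: scores must be 1..{SCALE_MAX}")
    numerator = risk.inherent_likelihood * (100 - risk.control_effectiveness)
    reduced = -(-numerator // 100)  # integer ceiling division; no float rounding
    return max(1, reduced)


def risk_score(risk: Risk) -> int:
    """Map position collapsed to one number: residual likelihood x significance."""
    return residual_likelihood(risk) * risk.significance


def quadrant(risk: Risk) -> str:
    """Name the heat-map cell. 'High' means strictly above the scale midpoint."""
    midpoint = SCALE_MAX / 2
    high_likelihood = residual_likelihood(risk) > midpoint
    high_significance = risk.significance > midpoint
    return {
        (True, True): "High Likelihood / High Significance",
        (True, False): "High Likelihood / Low Significance",
        (False, True): "Low Likelihood / High Significance",
        (False, False): "Low Likelihood / Low Significance",
    }[(high_likelihood, high_significance)]


def prioritise(register):
    """Highest score first; ties go to the more significant risk."""
    return sorted(register, key=lambda r: (risk_score(r), r.significance), reverse=True)


def render_heat_map(register) -> str:
    """Text grid: rows are significance (High at the top), columns residual likelihood."""
    cells = {}
    for r in register:
        cells.setdefault((r.significance, residual_likelihood(r)), []).append(r.code)
    lines = []
    for sig in range(SCALE_MAX, 0, -1):
        row = ["/".join(cells.get((sig, lik), [])).ljust(8) for lik in range(1, SCALE_MAX + 1)]
        lines.append(f"Sig {sig} | " + " ".join(row))
    lines.append("        " + " ".join(f"Lik {lik}".ljust(8) for lik in range(1, SCALE_MAX + 1)))
    return "\n".join(lines)


# Constructed sample register; the scores are hypothetical, for illustration only.
SAMPLE_REGISTER = [
    Risk("CYBER", "Network intrusion exposing ePHI", 5, 30, 5),
    Risk("PARTNER", "Strategic IT partner fails to perform", 3, 50, 4),
    Risk("LAPTOP", "Lost laptop, full-disk encryption deployed", 4, 80, 3),
    Risk("PAPER", "Improper disposal of paper records", 2, 0, 3),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{risk_score(r):>2}  {r.code:<8} {quadrant(r)}")
    print(render_heat_map(SAMPLE_REGISTER))
```

With the sample scores, the intrusion risk keeps a residual likelihood of 4 even after a 30% credit for controls and lands in the High/High cell, while the encrypted-laptop risk drops to likelihood 1; the ranking order is CYBER, PARTNER, PAPER, LAPTOP. Rounding the residual likelihood up rather than to nearest is deliberate: a register that quietly rounds risks down is how a board ends up under-resourcing the one item that will actually be breached.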
Recent Government Health Plan Security Breach
▪ OPM data breach (U.S. officials revealed the breach to the public on June 4, 2015)
• Office of Personnel Management (OPM)
o Sets policies on government-wide hiring (manages the USAJOBS site)
o Conducts background investigations on potential government employees
o Administers health and insurance benefits for current Federal employees and their families
o Manages pension benefits for retired Federal workers and their families
o Manages training and development programs for Federal employees and retirees
• Data theft from OPM computer systems compromised sensitive personnel information, including SSNs and fingerprints, of 21.5 million people from inside and outside the Federal government
o The 21.5 million figure is the background-investigation database, which holds the completed security clearance forms (SF-86 questionnaires); it is separate from the roughly 4.2 million current and former Federal employees whose personnel records were taken in the incident first disclosed on June 4, 2015
▪ Approximately 50% of OPM enrollees are in Blue Cross health plans
Recent Health Plan Security Breaches: Anthem, Inc.
Key Facts
▪ Reported to HHS Office for Civil Rights on February 4, 2015
• Breach discovered on January 29, 2015 (attack occurred in April 2014)
▪ Sophisticated hackers gained unauthorized access to Anthem's IT systems and obtained the personal information (PHI) of 80 million current and former customers and employees
• Names, dates of birth, SSNs, health care ID numbers, home addresses, e-mail addresses, employment information, income data
▪ Anthem is providing a complimentary identity protection service to all impacted individuals for 2 years
• Dedicated website: https://www.anthemfacts.com
Recent Health Plan Security Breaches: Premera Blue Cross
Key Facts
▪ Reported to HHS Office for Civil Rights on March 17, 2015
• Breach discovered on January 29, 2015 (attack occurred on May 5, 2014)
▪ Data breach of the financial and medical records of as many as 11 million customers
• Affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions
• May have affected Blue Cross Blue Shield customers in Washington and Alaska
▪ Premera is providing a complimentary identity protection service to all impacted individuals for 2 years
• Dedicated website: http://www.premeraupdate.com
Recent Health Plan Security Breaches: Excellus Blue Cross Blue Shield
Key Facts
▪ Reported to HHS Office for Civil Rights on August 5, 2015
• Breach discovered in August 2015 (the initial attack occurred on December 23, 2013)
▪ Information the hackers had already disclosed affected 722 individuals (via e-mail); the breach could affect 7 million members, patients, and other individuals who have done business with Excellus BCBS plans
▪ Excellus BCBS is providing complimentary identity theft services and credit monitoring to all impacted individuals for 2 years
• http://www.excellusfacts.com/index.html
Recent Health Plan Privacy & Security Enforcement Examples: Cancer Care Group, P.C.
▪ HHS-OCR press release: September 2, 2015
• Cancer Care reported the breach to HHS-OCR on August 29, 2012
▪ Backup media in a stolen laptop bag contained the unencrypted ePHI of 55,000 individuals
• Had the media been encrypted consistent with HHS guidance, the data would not have been "unsecured PHI" under the Breach Notification Rule (45 C.F.R. § 164.402) and the theft would not have been a reportable breach; this is the practical reason encryption of portable media and laptops is treated as a baseline control
▪ Enforcement requirements
• $750,000 HIPAA settlement
• 3-year Corrective Action Plan
o Comprehensive and thorough risk assessment and risk management plan for HHS review
o Annual report of "reportable events" (e.g., a workforce member fails to comply with privacy and security policy)
o Potential additional civil monetary penalties
Recent Health Plan Privacy & Security Enforcement Examples: QCA Health Plan, Inc. (QCA)
▪ HHS-OCR press release: April 22, 2014
• QCA reported to HHS-OCR in February 2012
▪ Unencrypted laptop computer stolen from a workforce member's car
▪ Enforcement requirements
• $250,000 HIPAA settlement
• 2-year Corrective Action Plan
o Comprehensive and thorough risk assessment and risk management plan for HHS review
o Security awareness and training
o Annual report of "reportable events" (e.g., a workforce member fails to comply with privacy and security policy)
Recent Health Plan Privacy & Security Enforcement Examples: Parkview Health System, Inc.
▪ HHS-OCR press release: June 23, 2014
▪ Employees, despite notice that the retiring physician was not home, left 71 cardboard boxes of medical records belonging to 5,000-8,000 patients in the retiring physician's home driveway (within 20 feet of a public road and a heavily trafficked public shopping area)
• The physician self-reported to HHS-OCR in June 2009
▪ Enforcement requirements
• $800,000 HIPAA settlement
• 3-year Corrective Action Plan
o Comprehensive and thorough risk assessment and risk management plan for HHS review
o Annual report of "reportable events"
o Staff training
Who will be next?
The average U.S. company is the victim of two SUCCESSFUL cyber attacks every week
-- InformationWeek, Cybercrime Costs Skyrocket (Oct. 8, 2013), http://www.informationweek.com/traffic-management/cybercrime-costs-skyrocket/d/d-id/1111861?
Preparing Your Health Plan to Stay Ahead
Health Plans and Other Health Care Organizations
▪ Adopt a comprehensive ERM policy at the management and board level
▪ Educate the board, management, and employees frequently
▪ Consider adopting the 5 Best Practices for ERM
▪ Consider cybersecurity as one high risk that deserves resources for risk management and mitigation efforts
▪ Consider reviewing strategic partnerships and alliances as one high risk that deserves resources for risk management and mitigation efforts
Battling Cybersecurity in the Boardroom: Ensuring Cyber Awareness on the Board Agenda
▪ Provide time to build the Board's cybersecurity and IT literacy, as well as its ERM literacy
• Consider having a committee or subcommittee for large IT projects in particular
▪ Provide regular reports to the Board on cyber risk
• Determine the risks and risk thresholds to be reported
• Evaluate risk management efforts
Battling Cybersecurity in the Boardroom: Management Responsibilities
▪ Formulate cyber threat detection and response plans
▪ Consider the role of strategic partners and alliances in cybersecurity risk management
▪ Create strategies that would confront the Company's worst possible scenarios and protect its highest-value targets
• From the perspective of both the organization and external actors
▪ SEC disclosure considerations, if any, or bond/debt considerations
• Standard of materiality
▪ HHS OIG compliance considerations
Prepare Before a Security Breach Occurs
▪ Proper policies and procedures
• To discover and manage a potential or actual breach
• Training program in place to ensure cybersecurity protocols are known and understood by the workforce
▪ Regular fire drills (tabletop and live exercises of the breach response plan)
▪ Strong firewalls and other software to identify and contain viruses, worms, etc.
Prepare Before a Security Breach Occurs
▪ Understanding the 3 different roles
• Chief Security Officer
• Chief Privacy Officer
• Chief Compliance Officer
▪ Do not overly rely on internal experts
Prepare Before a Security Breach Occurs
▪ Appropriate self-monitoring
• Regular internal audits
• Compliance auditing and monitoring
▪ Establish a procedure for reporting intrusions to government authorities
• Mandatory disclosure to Company stakeholders and the public may be triggered
▪ Public relations firm and dedicated breach website on standby
• Ready to activate for addressing press, customer, and end-user concerns
Insurance Policies: Are They Worth It?
▪ Recent court decisions in Wisconsin and New York hold that the compromise of personal information stemming from cybersecurity breaches is not covered under traditional liability insurance policies
▪ Cybersecurity liability insurance is one way to provide coverage in the event of a data or privacy breach
• Does not remove the obligation to develop breach preparation strategies and protocols
• No insurance for criminal misconduct or other actions against public policy
▪ Insurance policy packages can include (1) liability; (2) breach response costs; and (3) fines/penalties. Examples include notifying consumers of the breach; forensic services; credit-monitoring services; public relations; legal assistance (with or without choice of counsel)
▪ Specific insurance gaps (see Appendix)
• Cyber exclusions in D&O liability insurance
• War and terrorism exclusions in cyber insurance
• Coverage of physical loss resulting from cyber attacks
Insurance Policies: Are They Worth It?
Before purchasing cybersecurity insurance products, consider:
▪ Understand what steps are needed under the relevant insurance policies (notification timing; who selects the attorneys and third-party service providers that investigate and remediate the breach)
▪ Negotiate to include the Company's preferred vendors before placing the insurance policy
▪ Ensure the insurance carrier's coverage is sufficient, both in amount and in the types of claims covered
▪ Ask whether the carrier offers an insurance discount if the Company has performed a risk assessment
▪ Implement retention processes so that all documentation needed to support a claim or insured loss is preserved
EBG Capabilities
▪ EBG's Privacy and Security Law Group routinely:
• Conducts privacy and risk assessments, including the identification of appropriate corrective measures;
• Develops policies and procedures; and
• Provides client training on data security issues.
▪ EBG regularly advises health care companies on:
• Preserving digital evidence;
• Conducting a forensic analysis of implicated data;
• Determining the source of the breach and preventing future loss;
• Analyzing the relevant notification requirements;
• Preparing notifications through trusted notification agencies;
• Negotiating with government agencies and local law enforcement; and
• Defending against private litigation and government investigations.
EBG Capabilities
▪ EBG's Privacy and Security Law Group includes:
• Attorneys who are industry-recognized privacy and security professionals.
o The only law firm that is a HITRUST Common Security Framework ("CSF") Assessor; several of our attorneys are also individually designated by HITRUST as Certified CSF Practitioners.
o One attorney who twice won the internationally recognized Capture the Flag event at the Defcon Hacking Conference.
o The Data Breach/Cybersecurity Litigation Group includes a number of EBG's most seasoned litigators.
▪ Privacy and Security Team leads:
Robert Hudock, Tel: 202-861-1893, Email: rhudock@ebglaw.com
Patricia Wagner, Tel: 202-861-4182, Email: pwagner@ebglaw.com
Appendix: Role Regulators and Trade Associations Play in Relation to Cybersecurity
▪ National Association of Insurance Commissioners (NAIC)
• Consumer Cybersecurity Bill of Rights (http://www.naic.org/documents/committees_ex_cybersecurity_tf_exposure_draft_cybersecurity_bill.pdf)
• NAIC Cybersecurity Task Force (http://www.naic.org/committees_ex_cybersecurity_tf.htm)
▪ OCR guidance document
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf)
▪ FDA guidance documents concerning cybersecurity and medical devices
• Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm)
• Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (http://www.fda.gov/RegulatoryInformation/guidances/ucm077812.htm)
Additional Resources
▪ Data Breach Notification Laws: A Fifty State Survey, Second Edition, American Health Lawyers Association
▪ Major Cyber Breaches Reveal Potential Cyber Insurance Coverage Gaps
• Joseph T. Verdesca, Paul A. Ferrillo, and Gabriel Gershowitz (http://www.weil.com/~/media/files/pdfs/cyber_security_alert2_jan2015_v31.pdf)
Appendix: Cybersecurity: Boardroom Implications (2014)
Appendix: 10 Questions Directors Can Ask Management in Anticipation of Breaches
1. How will we know we have been hacked or breached, what makes us certain, or how will we find out?
2. What are best practices for cybersecurity and where do our practices differ?
3. In management's opinion, what is the biggest weakness in our IT systems? If we wanted to deal the most damage to the company, how would we go about it?
4. Does our external auditor indicate we have deficiencies in IT? If so, where?
5. Where do management and our IT team disagree on cybersecurity?
6. Were we told of cyber attacks that already occurred and how severe they were? For significant breaches, is the communication adequate as information is obtained regarding the nature and type of breach, the data impacted, the potential implications to the company, and the response plan?
7. What part of our IT infrastructure can contribute to a significant deficiency or material weakness?
8. What do we consider our most valuable assets; how does our IT system interact with those assets; do we think there is adequate protection in place if someone wanted to get them or damage them; what would it take to feel comfortable that they are protected? Do we believe we can ever fully protect those assets? How should we monitor the status of their protection?
9. Are we investing enough so our corporate operating and network systems are not easy targets for a determined hacker?
10. Where can we generate more revenue and marginal profitability by making changes in IT?
-- National Association of Corporate Directors (NACD), Cybersecurity: Boardroom Implications (2014)
Appendix: 10 Questions Directors Can Ask Management Once a Breach Is Found
1. How did we learn about the breach? Were we notified by an outside agency or was the breach found internally?
2. What do we believe was stolen?
3. What has been affected by the breach?
4. Have any of our operations been compromised?
5. Is our crisis response plan in action, and is it working as planned?
6. Whom do we have to notify about this breach (materiality), whom should we notify, and is our legal team prepared for such notifications?
7. What steps is the response team taking to ensure that the breach is under control and the hacker no longer has access to the internal network?
8. Do we believe the hacker was an internal or external actor?
9. What were the weaknesses in our system that allowed it to occur (and why)?
10. What steps can we take to make sure this type of breach does not happen again, and what efforts can we make to mitigate any losses caused by the breach?
-- National Association of Corporate Directors (NACD), Cybersecurity: Boardroom Implications (2014)
caso integrador robotica
 

Similar to Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?

Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Epstein Becker Green
 
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Epstein Becker Green
 
Employee Benefits and Executive Compensation - Private Equity Platform Companies
Employee Benefits and Executive Compensation - Private Equity Platform CompaniesEmployee Benefits and Executive Compensation - Private Equity Platform Companies
Employee Benefits and Executive Compensation - Private Equity Platform Companies
Epstein Becker Green
 
Web hipaa hitech and privacy
Web hipaa hitech and privacyWeb hipaa hitech and privacy
Web hipaa hitech and privacy
Carol Buckmann
 
ALR resume Sept 2015
ALR resume Sept 2015ALR resume Sept 2015
ALR resume Sept 2015
specphrm
 
2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots
Ron Steinkamp
 

Similar to Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready? (20)

Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
Proactive Health Care Regulatory Compliance - Proactive Compliance Initiative...
 
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
Add-On Diligence Strategy: Proactive Compliance Initiatives for Private Equit...
 
Employee Benefits and Executive Compensation - Private Equity Platform Companies
Employee Benefits and Executive Compensation - Private Equity Platform CompaniesEmployee Benefits and Executive Compensation - Private Equity Platform Companies
Employee Benefits and Executive Compensation - Private Equity Platform Companies
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
 
Web hipaa hitech and privacy
Web hipaa hitech and privacyWeb hipaa hitech and privacy
Web hipaa hitech and privacy
 
Compliance A New Vision
Compliance A New VisionCompliance A New Vision
Compliance A New Vision
 
Verittas Risk Advisors, Inc - Overview of Capabilities
Verittas Risk Advisors, Inc - Overview of CapabilitiesVerittas Risk Advisors, Inc - Overview of Capabilities
Verittas Risk Advisors, Inc - Overview of Capabilities
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter   april meeting - managing a security & privacy governan...Raleigh issa chapter   april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
 
Internal Auditing Basics
Internal Auditing BasicsInternal Auditing Basics
Internal Auditing Basics
 
ALR resume Sept 2015
ALR resume Sept 2015ALR resume Sept 2015
ALR resume Sept 2015
 
Digitizing Corporate Governance
Digitizing Corporate GovernanceDigitizing Corporate Governance
Digitizing Corporate Governance
 
Immediate Post-Closing Operational Fixes: Proactive Compliance for Private Eq...
Immediate Post-Closing Operational Fixes: Proactive Compliance for Private Eq...Immediate Post-Closing Operational Fixes: Proactive Compliance for Private Eq...
Immediate Post-Closing Operational Fixes: Proactive Compliance for Private Eq...
 
Effective Strategic Decision Making
Effective Strategic Decision MakingEffective Strategic Decision Making
Effective Strategic Decision Making
 
Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10)
 
Building on the Foundation of Ethics and Compliance to Achieve Sustainability
Building on the Foundation of Ethics and Compliance to Achieve SustainabilityBuilding on the Foundation of Ethics and Compliance to Achieve Sustainability
Building on the Foundation of Ethics and Compliance to Achieve Sustainability
 
Nbaa zanibar ethics and governance
Nbaa   zanibar ethics and governanceNbaa   zanibar ethics and governance
Nbaa zanibar ethics and governance
 
2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots
 
Not-For-Profit Risks in the COVID-19 Environment
Not-For-Profit Risks in the COVID-19 EnvironmentNot-For-Profit Risks in the COVID-19 Environment
Not-For-Profit Risks in the COVID-19 Environment
 
The Evolving Role of the Chief Compliance Officer
The Evolving Role of the Chief Compliance OfficerThe Evolving Role of the Chief Compliance Officer
The Evolving Role of the Chief Compliance Officer
 
Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10) Implementing and Auditing GDPR Series (9 of 10)
Implementing and Auditing GDPR Series (9 of 10)
 

More from Epstein Becker Green

Marketing Best Practices in Light of the SUPPORT for Patients and Communities...
Marketing Best Practices in Light of the SUPPORT for Patients and Communities...Marketing Best Practices in Light of the SUPPORT for Patients and Communities...
Marketing Best Practices in Light of the SUPPORT for Patients and Communities...
Epstein Becker Green
 
Non-Compete and Trade Secrets Developments and Trends: A Year in Review and L...
Non-Compete and Trade Secrets Developments and Trends: A Year in Review and L...Non-Compete and Trade Secrets Developments and Trends: A Year in Review and L...
Non-Compete and Trade Secrets Developments and Trends: A Year in Review and L...
Epstein Becker Green
 
Commercial Payor Behavioral Health Audits: How to Avoid Getting Wiped Out
Commercial Payor Behavioral Health Audits: How to Avoid Getting Wiped OutCommercial Payor Behavioral Health Audits: How to Avoid Getting Wiped Out
Commercial Payor Behavioral Health Audits: How to Avoid Getting Wiped Out
Epstein Becker Green
 

More from Epstein Becker Green (20)

Epstein Becker Green 2020 Annual Report
Epstein Becker Green 2020 Annual ReportEpstein Becker Green 2020 Annual Report
Epstein Becker Green 2020 Annual Report
 
Office-Based Opioid Treatment: What You Need to Know: Trends in Behavioral He...
Office-Based Opioid Treatment: What You Need to Know: Trends in Behavioral He...Office-Based Opioid Treatment: What You Need to Know: Trends in Behavioral He...
Office-Based Opioid Treatment: What You Need to Know: Trends in Behavioral He...
 
Marketing Best Practices in Light of the SUPPORT for Patients and Communities...
Marketing Best Practices in Light of the SUPPORT for Patients and Communities...Marketing Best Practices in Light of the SUPPORT for Patients and Communities...
Marketing Best Practices in Light of the SUPPORT for Patients and Communities...
 
How the Opioid Crisis and the SUPPORT Act Created a New Enforcement Reality: ...
How the Opioid Crisis and the SUPPORT Act Created a New Enforcement Reality: ...How the Opioid Crisis and the SUPPORT Act Created a New Enforcement Reality: ...
How the Opioid Crisis and the SUPPORT Act Created a New Enforcement Reality: ...
 
Non-Compete and Trade Secrets Developments and Trends: A Year in Review and L...
Non-Compete and Trade Secrets Developments and Trends: A Year in Review and L...Non-Compete and Trade Secrets Developments and Trends: A Year in Review and L...
Non-Compete and Trade Secrets Developments and Trends: A Year in Review and L...
 
Unpacking the SUPPORT for Patients and Communities Act: Trends in Behavioral ...
Unpacking the SUPPORT for Patients and Communities Act: Trends in Behavioral ...Unpacking the SUPPORT for Patients and Communities Act: Trends in Behavioral ...
Unpacking the SUPPORT for Patients and Communities Act: Trends in Behavioral ...
 
Drug Medi-Cal's ODS Waiver: Is Your Organization Ready for the Next Steps?
Drug Medi-Cal's ODS Waiver: Is Your Organization Ready for the Next Steps?Drug Medi-Cal's ODS Waiver: Is Your Organization Ready for the Next Steps?
Drug Medi-Cal's ODS Waiver: Is Your Organization Ready for the Next Steps?
 
Mystified by MAT? Navigating the Changing Regulatory Landscape Around Medicat...
Mystified by MAT? Navigating the Changing Regulatory Landscape Around Medicat...Mystified by MAT? Navigating the Changing Regulatory Landscape Around Medicat...
Mystified by MAT? Navigating the Changing Regulatory Landscape Around Medicat...
 
FDA Medical Device Recalls: Now and Then
FDA Medical Device Recalls: Now and ThenFDA Medical Device Recalls: Now and Then
FDA Medical Device Recalls: Now and Then
 
Proactive compliance initiatives for private equity platform companies proac...
Proactive compliance initiatives for private equity platform companies  proac...Proactive compliance initiatives for private equity platform companies  proac...
Proactive compliance initiatives for private equity platform companies proac...
 
Commercial Payor Behavioral Health Audits: How to Avoid Getting Wiped Out
Commercial Payor Behavioral Health Audits: How to Avoid Getting Wiped OutCommercial Payor Behavioral Health Audits: How to Avoid Getting Wiped Out
Commercial Payor Behavioral Health Audits: How to Avoid Getting Wiped Out
 
Patient Brokering: SB1228 and Changes in California's Regulation of Addiction...
Patient Brokering: SB1228 and Changes in California's Regulation of Addiction...Patient Brokering: SB1228 and Changes in California's Regulation of Addiction...
Patient Brokering: SB1228 and Changes in California's Regulation of Addiction...
 
Telehealth Portal Essentials – Telehealth Essentials for Start-Ups Crash Cour...
Telehealth Portal Essentials – Telehealth Essentials for Start-Ups Crash Cour...Telehealth Portal Essentials – Telehealth Essentials for Start-Ups Crash Cour...
Telehealth Portal Essentials – Telehealth Essentials for Start-Ups Crash Cour...
 
Non-Compete Agreements: Key Considerations for Health Care Employers
Non-Compete Agreements: Key Considerations for Health Care EmployersNon-Compete Agreements: Key Considerations for Health Care Employers
Non-Compete Agreements: Key Considerations for Health Care Employers
 
Choosing Initial and Expansion States for Your Telehealth Practice – Essentia...
Choosing Initial and Expansion States for Your Telehealth Practice – Essentia...Choosing Initial and Expansion States for Your Telehealth Practice – Essentia...
Choosing Initial and Expansion States for Your Telehealth Practice – Essentia...
 
Recent Developments in Trade Secrets and Employee Mobility in the Workforce
Recent Developments in Trade Secrets and Employee Mobility in the WorkforceRecent Developments in Trade Secrets and Employee Mobility in the Workforce
Recent Developments in Trade Secrets and Employee Mobility in the Workforce
 
Post-Acute Preferred Provider Arrangements – Strategies for Partnership: Post...
Post-Acute Preferred Provider Arrangements – Strategies for Partnership: Post...Post-Acute Preferred Provider Arrangements – Strategies for Partnership: Post...
Post-Acute Preferred Provider Arrangements – Strategies for Partnership: Post...
 
Post-Acute Care Deals – from Diligence to Closing: Post-Acute Crash Course We...
Post-Acute Care Deals – from Diligence to Closing: Post-Acute Crash Course We...Post-Acute Care Deals – from Diligence to Closing: Post-Acute Crash Course We...
Post-Acute Care Deals – from Diligence to Closing: Post-Acute Crash Course We...
 
Post-Acute Care Overview and Industry Trends: Post-Acute Crash Course Webinar...
Post-Acute Care Overview and Industry Trends: Post-Acute Crash Course Webinar...Post-Acute Care Overview and Industry Trends: Post-Acute Crash Course Webinar...
Post-Acute Care Overview and Industry Trends: Post-Acute Crash Course Webinar...
 
Signs You May Have a Problem: White-Collar Crash Course Webinar Series
Signs You May Have a Problem: White-Collar Crash Course Webinar SeriesSigns You May Have a Problem: White-Collar Crash Course Webinar Series
Signs You May Have a Problem: White-Collar Crash Course Webinar Series
 

Recently uploaded

Rajkot Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Rajkot Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetRajkot Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Rajkot Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
Call Girls Service In Goa 💋 9316020077💋 Goa Call Girls By Russian Call Girl...
Call Girls Service In Goa  💋 9316020077💋 Goa Call Girls  By Russian Call Girl...Call Girls Service In Goa  💋 9316020077💋 Goa Call Girls  By Russian Call Girl...
Call Girls Service In Goa 💋 9316020077💋 Goa Call Girls By Russian Call Girl...
russian goa call girl and escorts service
 
Muzaffarpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Muzaffarpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetMuzaffarpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Muzaffarpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetThoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024
Sheetaleventcompany
 
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetpalanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
Bareilly Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bareilly Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetBareilly Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bareilly Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetMathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetnagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetbhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetbhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near MeRussian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
mriyagarg453
 
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near MeVIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
mriyagarg453
 
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetJalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetSambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetHubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Call Girls Service
 

Recently uploaded (20)

Rajkot Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Rajkot Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetRajkot Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Rajkot Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Call Girls Service In Goa 💋 9316020077💋 Goa Call Girls By Russian Call Girl...
Call Girls Service In Goa  💋 9316020077💋 Goa Call Girls  By Russian Call Girl...Call Girls Service In Goa  💋 9316020077💋 Goa Call Girls  By Russian Call Girl...
Call Girls Service In Goa 💋 9316020077💋 Goa Call Girls By Russian Call Girl...
 
Muzaffarpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Muzaffarpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetMuzaffarpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Muzaffarpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetThoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024
 
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetpalanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
 
Independent Call Girls Hyderabad 💋 9352988975 💋 Genuine WhatsApp Number for R...
Independent Call Girls Hyderabad 💋 9352988975 💋 Genuine WhatsApp Number for R...Independent Call Girls Hyderabad 💋 9352988975 💋 Genuine WhatsApp Number for R...
Independent Call Girls Hyderabad 💋 9352988975 💋 Genuine WhatsApp Number for R...
 
Bareilly Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bareilly Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetBareilly Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bareilly Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
Call Now ☎ 9999965857 !! Call Girls in Hauz Khas Escort Service Delhi N.C.R.
 
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetMathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetnagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetbhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetbhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near MeRussian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
Russian Call Girls in Noida Pallavi 9711199171 High Class Call Girl Near Me
 
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near MeVIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
VIP Call Girls Noida Sia 9711199171 High Class Call Girl Near Me
 
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetJalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetSambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sambalpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girl
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girlKolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girl
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girl
 
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetHubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 

Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?

  • 6. Board Obligations Generally Regarding Compliance
  Business Judgment Rule (“BJR”)
   Presumption that Board members fulfill their fiduciary duties when they act on an informed basis and in good faith that a certain action is in the corporation's best interest
   In re Walt Disney, 906 A.2d 27 (Del. 2006)
  • Issue of potentially unreasonable executive compensation
  • Directors had not breached their fiduciary duties of good faith and loyalty, even though the court stated that the board’s actions may have been below best corporate practices
  • 7. Calls for Improved Risk Oversight
   Increased government enforcement and new or more frequent cyber security threats have triggered calls for improved risk oversight
  • Boards of Directors are calling for greater engagement in risk oversight
  • Management is responding even though there are significant competing priorities
  • 8. Enterprise Risk Management Structure
   Management Committee?
  • Identify risks
  • Identify risk management opportunities
   Chief Risk Officer?
   The potential intersection of similarities between Compliance and Enterprise Risk Management
   Board fiduciary oversight of both
  • 9. Example: Management’s ERM Process Regarding Strategic Partnerships and Alliances
   Definition of a strategic partner/alliance
  • Company enters into a relationship with a third party to provide a unique service or technology that is critical to the company’s strategy, operations, and success
  • Generally a longer term relationship
  • Longer, more strategic, and greater impact than a normal vendor contract
  • Example: IT vendors
   All health plans have a strategic partner or alliance
  • 10. Potential Risks Regarding Strategic Partnerships and Alliances
   Partnering for critical services leaves the Company with less control
  • Potential impact on sales, operations, client satisfaction, profitability, and compliance
   Failure of partner to perform as expected would negatively impact consultants/brokers/employers/employees/government relationships
   Company would likely be responsible for partner’s activities regarding privacy and information security
   Potential changes can occur at the partner
  • Change in ownership or senior management
  • Shift in strategy, products, or customer base
  • Reputational issues
  • Financial issues
  • 11. How Can a Company Mitigate the Probability or Impact of the Risks Associated with Strategic Partnerships and Alliances?
   Upfront Risk Mitigation Steps
  • Conduct a thorough initial due diligence of the operational capabilities and financial condition of the partner
  • Understand the strategy of the partner to make sure there is a good strategic and cultural fit for both partners and that they share a common goal
  • Draft a strong contract that provides protection regarding governance, performance expectations and standards, changes of ownership, dispute resolution, exclusivity, potential indemnification, and other key issues
   Ongoing Risk Mitigation Steps
  • Conduct regular reviews to ensure compliance and financial stability of the partner
  • Consider frequent on-site visits
  • Build and maintain strong, mutually beneficial relationships
  • 12. Establishing Enterprise Risk Management Priorities
  • 13. Establishing Enterprise Risk Priorities: Heat Map
  [Heat map figure: horizontal axis Likelihood (considering controls and inherent risks), vertical axis Significance (financial, strategic, reputational, etc.), each running from Low to High]
  • 14. 5 Best Practices for an Effective Enterprise Risk Management Process
  1. Establish a comprehensive ERM policy
  2. Understand and assess risk as it relates to the Company’s immediate and longer-term objectives, and consider risk management efforts
  • Encourage open discussion of “what keeps people awake at night”
  • Incorporate ERM into the strategic planning process
  • Use risk indicators that are leading indicators
  --Adapted from the American Institute of CPAs (AICPA), “Top 10 ‘Next’ Practices for Enterprise Risk Management,” http://www.academia.edu/8716339/Top_Ten_Next_Practices_for_Enterprise_Risk_Management_2010_AICPA_Survey_Results_Table_of_Contents_Top_Ten_Next_Practices_for_Enterprise_Risk_Management
  • 15. © 2015 Epstein Becker & Green, P.C. | All Rights Reserved. | ebglaw.com 5 Best Practices for an Effective Enterprise Risk Management Process 3. Use ERM outcome to guide the behavior and thought process of decision- makers • Communicate regularly, thoroughly, top to bottom, bottom to top and across the organization 4. Establish the right monitoring processes to make sure risk mitigation activities operate as designed • Regularly track and monitor the risks facing the organization both internally and externally 5. Ensure that the Board of Directors and senior management support the ERM policy 15
Cybersecurity: Privacy and Security Breaches (High Likelihood, High Significance)

Greater Connectivity, Higher Risk
 Greater interconnection and interdependency among health care entities expand the attack surface: a weakness in any entity connected with the health plan (vendors, suppliers, partners, customers) becomes the plan's own exposure
 Lack of board room or senior management expertise often creates challenges when overseeing cybersecurity risks and risk management efforts

HIPAA Privacy Rule & Security Rule
 HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164, Subparts A and E of Part 164)
• Protects the privacy of individually identifiable health information through national standards
• Permits uses and disclosures of health information needed for treatment, payment, and health care operations without patient authorization
 HIPAA Security Rule (45 C.F.R. Part 164, Subpart C, §§ 164.302-164.318)
• Sets national standards for the security of ePHI that is created, received, used, or maintained by a covered entity (and, since the 2013 Omnibus Rule, directly by its business associates)
• Operationalizes the protections in the Privacy Rule by specifying the administrative, physical, and technical safeguards a covered entity must put in place to secure ePHI
• Requires the covered entity to protect against "reasonably anticipated" threats or hazards to the security or integrity of ePHI, and against reasonably anticipated uses or disclosures not permitted by the Privacy Rule
• Starts from a documented, organization-wide risk analysis (§ 164.308(a)(1)(ii)(A)); the enforcement examples later in this deck all impose that requirement as a corrective action
The Reality
"There are only two types of companies: those that have been hacked and those that will be."
--Former FBI Director Robert Mueller

Who will be next?
• Over the last few months: over $450 million in stolen credit and debit card numbers
• Over the past year: over $575 million spent by corporations after data breaches; over $1 trillion estimated in IP theft
--http://www.naic.org/documents/committees_ex_financial_stability_tf_related_cybersecurity_insurance.pdf
• Hackers claiming allegiance to ISIS took control of the U.S. military's Central Command social media accounts on January 12, 2015

Interconnection & Integration
[Figure: network diagram connecting Insurance, Patients, Physicians, Health Plans, Integrated Delivery, Home Health, Medical Devices, and Labs]

Heat Map: Cybersecurity Risks
[Figure: heat map plotting Likelihood (considering controls and inherent risks) against Significance (financial, strategic, reputational, etc.), each axis running from Low to High; privacy and security breaches sit in the high-likelihood, high-significance corner]
Recent Government Health Plan Security Breach
 OPM Data Breach (U.S. officials revealed the breach to the public on June 4, 2015)
• Office of Personnel Management (OPM):
o Sets policies on government-wide hiring (manages the USAJOBS site)
o Conducts background investigations on potential government employees
o Administers health and insurance benefits for current Federal employees and their families
o Manages pension benefits for retired Federal workers and their families
o Manages training and development programs for Federal employees and retirees
• Data theft from OPM computer systems compromised sensitive information, including SSNs and fingerprints, of 21.5 million people from inside and outside the Federal government
o The 21.5 million figure comes from the background investigation database holding completed security clearance forms (SF-86 questionnaires); it is in addition to the 4.2 million personnel records announced in June, and the two populations overlap
 Approximately 50% of OPM enrollees are in Blue Cross health plans

Recent Health Plan Security Breaches: Anthem, Inc.
Key Facts
 Reported to HHS Office for Civil Rights on February 4, 2015
• Breach discovered on January 29, 2015 (attack occurred April 2014)
 Sophisticated hackers gained unauthorized access to Anthem's IT system and obtained the personal information of approximately 80 million current and former customers and employees, including PHI:
• Names, dates of birth, SSNs, health care ID numbers, home addresses, e-mail addresses, employment information, income data
 Anthem is providing complimentary identity protection services to all impacted individuals for 2 years
• Dedicated website: https://www.anthemfacts.com

Recent Health Plan Security Breaches: Premera Blue Cross
Key Facts
 Reported to HHS Office for Civil Rights on March 17, 2015
• Breach discovered on January 29, 2015 (attack occurred on May 5, 2014)
 Data breach of the financial and medical records of as many as 11 million customers
• Affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions
• May have affected Blue Cross Blue Shield customers in Washington and Alaska
 Premera is providing complimentary identity protection services to all impacted individuals for 2 years
• Dedicated website: http://www.premeraupdate.com

Recent Health Plan Security Breaches: Excellus Blue Cross Blue Shield
Key Facts
 Reported to HHS Office for Civil Rights on August 5, 2015
• Breach discovered in August 2015 (attacks began on December 23, 2013)
 An initial disclosure covered 722 individuals whose information was exposed via e-mail; the breach could affect up to 7 million members, patients, and other individuals who have done business with Excellus BCBS plans
 Excellus BCBS is providing complimentary identity theft services and credit monitoring to all impacted individuals for 2 years
• http://www.excellusfacts.com/index.html
 In all three cases the interval between initial compromise and discovery was eight months or longer; the board-level question is detection as much as prevention
Recent Health Plan Privacy & Security Enforcement Examples: Cancer Care Group, P.C.
 HHS-OCR press release: September 2, 2015
• Cancer Care reported the breach to HHS-OCR on August 29, 2012
 Backup media in a stolen laptop bag contained the unencrypted ePHI of 55,000 individuals
 Enforcement requirements
• $750,000 HIPAA settlement
• 3-year Corrective Action Plan
o Comprehensive and thorough risk assessment and risk management plan for HHS review
o Annual report of "reportable events" (e.g., a workforce member fails to comply with privacy and security policy)
o Potential additional civil monetary penalties

Recent Health Plan Privacy & Security Enforcement Examples: QCA Health Plan, Inc. (QCA)
 HHS-OCR press release: April 22, 2014
• QCA reported to HHS-OCR in February 2012
 Unencrypted laptop computer stolen from a workforce member's car
 Enforcement requirements
• $250,000 HIPAA settlement
• 2-year Corrective Action Plan
o Comprehensive and thorough risk assessment and risk management plan for HHS review
o Security awareness and training
o Annual report of "reportable events" (e.g., a workforce member fails to comply with privacy and security policy)

Recent Health Plan Privacy & Security Enforcement Examples: Parkview Health System, Inc.
 HHS-OCR press release: June 23, 2014
 Parkview employees, with notice that the retiring physician was not home, left 71 cardboard boxes of medical records belonging to 5,000-8,000 patients on the physician's home driveway (within 20 feet of a public road and near a heavily trafficked public shopping area)
• The physician complained to HHS-OCR in June 2009
 Enforcement requirements
• $800,000 HIPAA settlement
• 3-year Corrective Action Plan
o Comprehensive and thorough risk assessment and risk management plan for HHS review
o Annual report of "reportable events"
o Staff training
 Common thread in the two laptop cases: the loss of a device became a reportable breach only because the ePHI on it was unencrypted; encryption meeting HHS guidance would have placed the lost media within the Breach Notification Rule's safe harbor

Who will be next?
The average U.S. company is the victim of two SUCCESSFUL cyber attacks every week
--InformationWeek, Cybercrime Costs Skyrocket (Oct. 8, 2013), http://www.informationweek.com/traffic-management/cybercrime-costs-skyrocket/d/d-id/1111861
Preparing Your Health Plan to Stay Ahead

Health Plans and Other Health Care Organizations
 Adopt a comprehensive ERM policy at the management and board level
 Educate the board, management, and employees frequently
 Consider adopting the 5 Best Practices for ERM
 Treat cybersecurity as one high risk that deserves resources for risk mitigation efforts
 Treat strategic partnerships and alliances as another high risk that deserves resources for risk mitigation efforts

Battling Cybersecurity in the Board Room: Ensuring Cyber Awareness on the Board Agenda
 Provide time to build the Board's cybersecurity and IT literacy, as well as its ERM literacy
• Consider a committee or subcommittee for large IT projects in particular
 Provide regular reports to the Board on cyber risk
• Determine which risks, and which risk thresholds, are to be reported
• Evaluate risk management efforts

Battling Cybersecurity in the Board Room: Management Responsibilities
 Formulate cyber threat detection and response plans
 Consider the role of strategic partners and alliances in cybersecurity risk management
 Create strategies that confront the company's worst possible scenarios and protect its highest-value targets
• From the perspective of both the organization and external actors
 SEC disclosure considerations, if any, or bond/debt disclosure considerations
• Standard of materiality
 HHS OIG compliance considerations
Prepare Before a Security Breach Occurs
 Proper policies and procedures
• To discover and manage a potential or actual breach
• Training program in place to ensure cybersecurity protocols are known and understood by the workforce
 Regular fire drills (tabletop exercises that walk the response plan through a realistic breach scenario)
 Strong firewalls and other controls to identify and contain malware (viruses, worms, etc.)
 Understanding the 3 different roles
• Chief Security Officer
• Chief Privacy Officer
• Chief Compliance Officer
 Do not overly rely on internal experts
 Appropriate self-monitoring
• Regular internal audits
• Compliance auditing and monitoring
 Establish a procedure for reporting intrusions to government authorities
• Mandatory disclosure to Company stakeholders and the public may be triggered
 Public relations firm and dedicated breach website on standby
• Ready to activate for addressing press, customer, and end-user concerns
Insurance Policies: Are They Worth It?
 Recent court decisions in Wisconsin and New York hold that compromise of personal information stemming from cybersecurity breaches is not covered under traditional liability insurance policies
 Cyber liability insurance is one way to provide coverage in the event of a data or privacy breach
• Does not remove the obligation to develop breach preparation strategies and protocols
• No insurance for criminal misconduct or other actions against public policy
 Insurance policy packages can include (1) liability; (2) breach response costs; and (3) fines/penalties. Examples include notifying consumers of the breach; forensic services; credit-monitoring services; public relations; legal assistance (with or without choice of counsel)
 Specific insurance gaps (see Appendix)
• Cyber exclusions in D&O liability insurance
• War and terrorism exclusions in cyber insurance
• Coverage of physical loss resulting from cyber attacks
Before purchasing cybersecurity insurance products, consider:
 Understand what steps are required under the relevant policies (notification timing; who selects the attorneys and third-party service providers that investigate and remediate the breach)
 Negotiate to include the Company's preferred vendors before placing the policy
 Ensure the carrier's coverage is sufficient, both in amount and in the types of claims covered
 Ask whether the carrier offers a discount if the Company has performed a risk assessment
 Implement retention processes so all documentation needed to support a claim or insured loss is preserved
EBG Capabilities
 EBG's Privacy and Security Law Group routinely:
• Conducts privacy and risk assessments, including the identification of appropriate corrective measures;
• Develops policies and procedures; and
• Provides client training on data security issues.
 EBG regularly advises health care companies on:
• Preserving digital evidence;
• Conducting a forensic analysis of implicated data;
• Determining the source of the breach and preventing future loss;
• Analyzing the relevant notification requirements;
• Preparing notifications through trusted notification agencies;
• Negotiating with government agencies and local law enforcement; and
• Defending against private litigation and government investigations.
 EBG's Privacy and Security Law Group includes:
• Attorneys who are industry-recognized privacy and security professionals.
o The only law firm that is a HITRUST Common Security Framework ("CSF") Assessor; several of our attorneys are also individually designated by HITRUST as Certified CSF Practitioners.
o One attorney who twice won the internationally recognized Capture the Flag event at the DEF CON hacking conference.
o The Data Breach/Cybersecurity Litigation Group includes a number of EBG's most seasoned litigators.
 Privacy and Security Team leads:
Robert Hudock, Tel: 202-861-1893, Email: rhudock@ebglaw.com
Patricia Wagner, Tel: 202-861-4182, Email: pwagner@ebglaw.com
Appendix: Role Regulators and Trade Associations Play in Relation to Cybersecurity
 National Association of Insurance Commissioners (NAIC)
• Consumer Cybersecurity Bill of Rights (http://www.naic.org/documents/committees_ex_cybersecurity_tf_exposure_draft_cybersecurity_bill.pdf)
• NAIC Cybersecurity Task Force (http://www.naic.org/committees_ex_cybersecurity_tf.htm)
 OCR Guidance Document
• Guidance on Risk Analysis Requirements under the HIPAA Security Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf)
 FDA Guidance Documents Concerning Cybersecurity and Medical Devices
• Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm)
• Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (http://www.fda.gov/RegulatoryInformation/guidances/ucm077812.htm)

Additional Resources
 Data Breach Notification Laws: A Fifty State Survey, Second Edition, American Health Lawyers Association
 Major Cyber Breaches Reveal Potential Cyber Insurance Coverage Gaps
• Joseph T. Verdesca, Paul A. Ferrillo, and Gabriel Gershowitz (http://www.weil.com/~/media/files/pdfs/cyber_security_alert2_jan2015_v31.pdf)

Appendix: Cybersecurity: Boardroom Implications (2014)
Appendix: 10 Questions Directors Can Ask Management in Anticipation of Breaches
1. How will we know we have been hacked or breached? What makes us certain, or how will we find out?
2. What are best practices for cybersecurity, and where do our practices differ?
3. In management's opinion, what is the biggest weakness in our IT systems? If we wanted to deal the most damage to the company, how would we go about it?
4. Does our external auditor indicate we have deficiencies in IT? If so, where?
5. Where do management and our IT team disagree on cybersecurity?
6. Were we told of cyber attacks that already occurred and how severe they were? For significant breaches, is the communication adequate as information is obtained regarding the nature and type of breach, the data impacted, the potential implications to the company, and the response plan?
7. What part of our IT infrastructure could contribute to a significant deficiency or material weakness?
8. What do we consider our most valuable assets? How does our IT system interact with those assets? Do we think there is adequate protection in place if someone wanted to get them or damage them? What would it take to feel comfortable that they are protected? Do we believe we can ever fully protect those assets? How should we monitor the status of their protection?
9. Are we investing enough so that our corporate operating and network systems are not easy targets for a determined hacker?
10. Where can we generate more revenue and marginal profitability by making changes in IT?
--National Association of Corporate Directors (NACD), Cybersecurity: Boardroom Implications (2014)

Appendix: 10 Questions Directors Can Ask Management Once a Breach Is Found
1. How did we learn about the breach? Were we notified by an outside agency, or was the breach found internally?
2. What do we believe was stolen?
3. What has been affected by the breach?
4. Have any of our operations been compromised?
5. Is our crisis response plan in action, and is it working as planned?
6. Whom do we have to notify about this breach (materiality), whom should we notify, and is our legal team prepared for such notifications?
7. What steps is the response team taking to ensure that the breach is under control and the hacker no longer has access to the internal network?
8. Do we believe the hacker was an internal or external actor?
9. What were the weaknesses in our system that allowed it to occur (and why)?
10. What steps can we take to make sure this type of breach does not happen again, and what efforts can we make to mitigate any losses caused by the breach?
--National Association of Corporate Directors (NACD), Cybersecurity: Boardroom Implications (2014)