Data Breaches in Healthcare: Responding to Skyrocketing Cyber...


Page 1: Data Breaches in Healthcare: Responding to Skyrocketing Cyber …media.straffordpub.com/products/data-breaches-in... · 2016-03-24 · Responding to Skyrocketing Cyber Attacks Managing

The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at 1-800-926-7926 ext. 10.

Presenting a live 90-minute webinar with interactive Q&A

Data Breaches in Healthcare: Responding to Skyrocketing Cyber Attacks
Managing Risk, Responding to Breaches and OCR Investigations, Minimizing HIPAA Liability

THURSDAY, MARCH 24, 2016
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:

Joshua Carlson, Principal, Joshua Carlson, P.A., Minneapolis
Richard DeNatale, Partner, Jones Day, San Francisco
Todd S. McClelland, Partner, Jones Day, Atlanta


Page 5

Data Breaches in Healthcare:
Responding to Threat of Cyber Attacks

March 24, 2016

Richard DeNatale
Todd McClelland

Page 6

Introduction

Numerous factors have combined to create a “perfect storm” of cybersecurity risk in the healthcare sector

• External factors
  • Targeted by cyber criminals
  • Targeted by state actors
  • Black market for PHI
• Systemic factors
  • Multiple points of entry create vulnerabilities
  • Culture of open information exchange creates security challenges
  • Some companies slow to invest in IT infrastructure and security

6

Page 7

Introduction

Numerous factors have combined to create a “perfect storm”

• Legal/regulatory factors
  • Highly regulated industry
  • Mandatory disclosure requirements
  • Regulators becoming more focused on enforcement
  • Aggressive and experienced plaintiffs’ class action counsel
  • Legal landscape may be shifting in favor of plaintiffs on standing and damages issues

7

Page 8

[Chart: healthcare breach statistics, source: Verizon DBIR 2013-2015; chart not reproduced in the transcript]

8

Page 9

Topics

I. Breach Preparedness Strategies

A. Cyber risk assessments

B. Vendor management

C. Cyber Insurance

II. Responding to the Breach

A. Effective response planning

B. PHI reporting and notice obligations

C. Damage mitigation

D. Pursuing insurance recovery

III. Responding to an OCR investigation

A. HIPAA and regulatory compliance

B. Interacting with regulators

C. Establishing investigation parameters

D. Data protection

9

Page 10

Cyber Risk Assessments

10

Page 11

Key HIPAA Assessment Activities

• Assessments are required under the HIPAA Security Rule (45 CFR Part 164, Subpart C). For example:
  • § 164.308(a)(1)(ii)(A) – Conduct a risk analysis: an accurate and thorough assessment of the risks to the confidentiality, integrity and availability of ePHI
  • § 164.308(a)(1)(ii)(B) – Implement a risk management program: security measures sufficient to reduce the identified risks to a reasonable and appropriate level
  • § 164.308(a)(8) – Periodic technical and nontechnical evaluation

11

Page 12

Key Assessment Activities

Risks and risk management program

Identify ePHI data flows and changes to systems

Compliance gap analysis and mitigation recommendations

Review Incident Response Plan(s)

Review applicable security policies and procedures

Meet key information security stakeholders

Review insurance policies

Review key vendor contracts and investigate “Shadow IT”

Data governance program review

12

Page 13

Questions your risk assessment should help you answer

Where do you process, store, create or receive ePHI?
What are your “use cases”? What ePHI do you create or receive? How is it used?
What are the threats (internal and external) to your ePHI?
Is your data identified and classified?
Is someone reviewing your logs? How often?
Are you storing documentation related to your security program?
Who has access to your data?
Who is responsible for your information security program, especially w/r/t ePHI?
Is your data appropriately secured?
Are information/systems monitored?
What is the impact if information is lost, accessed or compromised?
Are you prepared for a breach?
How do you dispose of your data?
Who within your organization knows the answers to these questions?

13

Page 14

Vendor Management

14

Page 15

Due Diligence

• Increasing due diligence
  • Senior management is becoming more aware of third party exposure
  • In large part arising from potential legal exposure and enforcement actions
• Contracting parties are becoming more inquisitive
  • Questionnaires
  • Breach history
  • Security walk-throughs
  • Third party audit/assessment review
• Substantiate that due diligence was conducted
• Spend is not the right metric for determining which deals get scrutinized.

15

Page 16

Contracts

Privacy and security issues continue to be contentious in vendor contracts:

HIPAA compliance

Risk apportionment, insurance

Privacy and security representations, warranties and commitments

Breach notification

Audit rights

Changes / Governance

Cloud

16

Page 17

Audits

• Common after breach disclosures
• Increasing actions against those who fail to regularly review their third party vendors
• Customer/Vendor Tensions:
  • Frequency
  • Cost
  • Who conducts the audit
  • What level of access
  • Scope
  • Cloud services

17

Page 18

Expectations for 2016+

Continuing push for risk assessment formalization that will include third party vendors.

More enforcement actions

More risk for companies that outsource their data processing activities

Growing complications with breach response, especially cloud.

18

Page 19

Quick Hits

CISOs and counsel need to work more closely together when contracting with vendors.

Vendor day.

Stay tuned to laws that will affect vendor relationships.

Update dated vendor contracts to address privacy and security issues.

19

Page 20

Cyber Insurance

20

Page 21

Cyber Insurance

Insurance coverage has become a critical part of breach preparedness.

Three major shifts in U.S. insurance market over past decade:
  New categories of emerging cyber risk
  Development of new cyber policy forms
  Exclusion of cyber/internet exposures from traditional policies

CGL Policies - Personal Injury Coverage
• Traditionally covered “publication, in any manner, of material that violates a person’s right of privacy” – including claims involving electronic data transmitted over the internet
• As of April 1, 2014, new exclusion added to standard ISO form barring coverage for data breach claims

21

Page 22

Cyber Insurance

Cyber Insurance policies cover five major categories of costs

1. Third-party liability coverage for claims and lawsuits
   Arising out of security breach, disclosure of PII/PHI, violation of company privacy policy
   Covers cost of defense, settlement, or judgment
2. Regulatory coverage for government claims and investigations
   Covers cost of defense, fines, or penalties
   o Make sure definition of “Claim” includes OCR investigations

22

Page 23

Cyber Insurance

3. Event Management/Data Breach Response coverage
   Covers cost of post-breach forensic and legal investigations
4. Privacy Notification Coverage
   Covers cost of breach notice to affected individuals (customers, patients)
   May cover credit monitoring or identity theft protection for affected individuals
5. First Party Coverage, akin to property insurance
   Covers cost of restoring data and systems
   Business interruption coverage for lost revenue

23

Page 24

Cyber Insurance

Response Costs
• Legal fees for breach response
• Forensic investigation
• Breach notice
• ID protection/credit monitoring

Legal Claims
• Class action defense costs and settlement
• Defense of government proceedings
• Government fines/penalties
• Card brand claims & assessments

Business Losses
• Restoration of data
• Lost revenue/business interruption
• Extra expenses
• Loss of goodwill / customer confidence

24

Page 25

Cyber Insurance

Cyber policies are still in their infancy, which creates multiple challenges for buyers
  Policies are extremely complex
  Standard forms have not yet emerged.
  Policies vary greatly in scope of coverage – some have clear deficiencies
  Policies may contain onerous conditions and requirements that restrict coverage and create traps for the unwary
  Many insurers now require a detailed review of the policyholder’s cyber preparedness as part of the underwriting process

25

Page 26

Cyber Insurance

Recommendations for optimizing coverage
  Take advantage of favorable market conditions to purchase more and better coverage
  Review your cybersecurity profile before going to market
  Consult with coverage counsel or broker experienced in data breach claims
    o Understand your existing policy – and its flaws
    o Understand which terms matter most in the event of a breach
  Develop strategy to strengthen coverages via focused negotiations at renewal

26

Page 27

Responding to the Breach:

Effective Response Planning

27

Page 28

Breach Preparedness

Tune up the incident response plan, and revisit after material events or at least once a year.
Incorporate “lessons learned”
Identify and periodically meet with your team
Assign roles and responsibilities.
Enterprise focus, not IT-focused
Tabletop exercises
Have outside counsel and forensics experts identified and ready to go

28

Page 29

Breach Preparedness

Coordinate breach preparedness with key third party vendors

Engage your board now and during a breach

When does your board want to be informed about a breach?

Understand your insurance coverage

Address third party vendors and their response when they have an incident

Shadow IT?

Consider the attorney-client privilege before you start any investigation

29

Page 30

Rapid Response Team Identification

Identify the Rapid Response Team

IT, HR, Legal, Risk Management, Communications, Security, Audit, and other key personnel

External counsel

Forensic experts

Third party notification, mail sort, and help desk providers

Public relations and communications firms

30

Page 31

Role Assignments

Litigation hold scoping and development

Crisis and timeline management

Law enforcement coordination

Identification, engagement, and management of SMEs

Evidence gathering, artifact creation, reporting, and maintaining attorney-client privilege

Engagement with Board / Executives

31

Page 32

Role Assignments

Regulatory compliance and investigation management

Third party audit management

Incident reporting SOP

Investigation procedures and management

FAQs (internal, external, regulatory)

Notice drafting protocols (individuals, government bodies, credit bureaus, etc.)

Forensic investigations

32

Page 33

Final Preparedness Exercises

• Board / senior management engagement and training

• Guided tabletop exercises and training

• Assess key third party vendor breach readiness

• Data governance program walkthrough and tune-up

• Strategic threat intelligence evaluation

33

Page 34

Responding to the Breach:

PHI Reporting and Notice Obligations

34

Page 35

HIPAA Incident response obligations

45 CFR § 164.308(a)(6) – Security incident procedures: implement policies and procedures to address security incidents, and (§ 164.308(a)(6)(ii)) identify and respond to suspected or known security incidents, mitigate their harmful effects to the extent practicable, and document the incidents and their outcomes.

Look at NIST SP 800-66 (An Introductory Resource Guide for Implementing the HIPAA Security Rule) for guidance:
• Determine goals of incident response
• Develop and deploy an incident response team or other reasonable and appropriate response mechanism
• Develop and implement procedures to respond to and report security incidents
• Incorporate post-incident analysis into updates and revisions

35

Page 36

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. “Unsecured” PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons under HHS guidance (in practice, encrypted consistent with the NIST standards HHS references, or properly destroyed); a breach of PHI secured that way does not trigger these notices, so the encryption status of the lost data is the first fact to establish. A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery (§ 164.410).

(1) Individual Notice
  a. Form: Written notice by first-class mail (or e-mail if the individual has agreed to electronic notice; substitute notice where contact information is insufficient or out of date)
  b. Timing: “without unreasonable delay” (no later than 60 calendar days following discovery of the breach; the 60 days is an outer limit, not a safe harbor)
  c. Content: brief description of the breach, steps individuals should take to protect themselves; what the covered entity is doing to investigate, mitigate, and prevent further breaches; and contact information, including a toll-free number (which substitute notice to 10 or more individuals must keep active for at least 90 days) where individuals can obtain additional information

(2) Media Notice
  a. If the breach affects more than 500 residents of a state or jurisdiction; same timing as individual notice

(3) Notice to the Secretary
  a. 500 or more individuals: contemporaneously with individual notice (no later than 60 days after discovery)
  b. Fewer than 500 individuals: log the breach and submit it to the Secretary no later than 60 days after the end of the calendar year in which it was discovered

36
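The thresholds and deadlines on this slide turned into a checklist for a single incident, as an added example (this code is not from the deck or its presenters): it takes a discovery date and a per-state count of affected individuals, both constructed here, and returns which notices are due and the outer-limit date for each, including the safe-harbor case where the PHI was encrypted and no notice is triggered. The state codes, the counts and the plan_notices/plan_from_iso names are assumptions made for illustration.

```python
# Added example (not from the Strafford deck): turns the Breach Notification
# Rule thresholds into a deadline checklist for one breach.
# Counts, dates and state codes used below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# 45 CFR 164.404(b): individual notice no later than 60 calendar days after discovery
INDIVIDUAL_DEADLINE_DAYS = 60
# 45 CFR 164.406: media notice when more than 500 residents of one state/jurisdiction are affected
MEDIA_THRESHOLD_PER_STATE = 500
# 45 CFR 164.408: 500 or more individuals in total -> notify the Secretary with individual notice;
# fewer than 500 -> log it and submit within 60 days after the end of the calendar year of discovery
SECRETARY_THRESHOLD_TOTAL = 500
ANNUAL_LOG_DAYS_AFTER_YEAR_END = 60


@dataclass
class Breach:
    # 164.404(a)(2): discovery is the first day the breach is known, or by exercising
    # reasonable diligence would have been known, to the covered entity
    discovered: date
    # affected individuals by state of residence, e.g. {"CA": 1200, "NV": 40} (constructed)
    affected_by_state: Dict[str, int]
    # True if the PHI was "secured" under HHS guidance (encrypted per the NIST standards
    # HHS references, or destroyed); then it is not a breach of *unsecured* PHI
    phi_secured: bool = False


@dataclass
class NoticePlan:
    notices_required: bool
    total_affected: int = 0
    individual_deadline: Optional[date] = None
    media_notice_states: List[str] = field(default_factory=list)
    secretary_deadline: Optional[date] = None
    secretary_mode: str = ""  # "contemporaneous" or "annual log"
    notes: List[str] = field(default_factory=list)


def plan_notices(b: Breach) -> NoticePlan:
    """Derive which HIPAA notices a breach triggers and the outer-limit date for each."""
    total = sum(b.affected_by_state.values())
    if b.phi_secured:
        return NoticePlan(
            notices_required=False,
            total_affected=total,
            notes=["PHI was secured (encryption/destruction safe harbor); HIPAA notices "
                   "not triggered. Keep the risk assessment and the evidence of encryption."],
        )

    plan = NoticePlan(notices_required=True, total_affected=total)
    # Individual notice: "without unreasonable delay"; 60 days is the outer limit, not a safe harbor
    plan.individual_deadline = b.discovered + timedelta(days=INDIVIDUAL_DEADLINE_DAYS)
    # Media notice is assessed per state, not on the total
    plan.media_notice_states = sorted(
        state for state, n in b.affected_by_state.items() if n > MEDIA_THRESHOLD_PER_STATE
    )
    if total >= SECRETARY_THRESHOLD_TOTAL:
        plan.secretary_deadline = plan.individual_deadline
        plan.secretary_mode = "contemporaneous"
    else:
        year_end = date(b.discovered.year, 12, 31)
        plan.secretary_deadline = year_end + timedelta(days=ANNUAL_LOG_DAYS_AFTER_YEAR_END)
        plan.secretary_mode = "annual log"
    plan.notes.append("State breach laws may impose shorter deadlines or extra recipients; "
                      "check each state in affected_by_state.")
    if not plan.media_notice_states and total >= SECRETARY_THRESHOLD_TOTAL:
        plan.notes.append("500+ individuals spread across states: Secretary notice is due "
                          "with individual notice even though no single state crosses the media threshold.")
    return plan


def plan_from_iso(discovered_iso: str, affected_by_state: Dict[str, int],
                  phi_secured: bool = False) -> NoticePlan:
    """Convenience wrapper taking the discovery date as an ISO string (YYYY-MM-DD)."""
    return plan_notices(Breach(date.fromisoformat(discovered_iso), affected_by_state, phi_secured))


if __name__ == "__main__":
    # Constructed scenario: discovered on the webinar date, 1,240 individuals in two states
    p = plan_from_iso("2016-03-24", {"CA": 1200, "NV": 40})
    print(f"individuals by {p.individual_deadline}, media in {p.media_notice_states}, "
          f"Secretary ({p.secretary_mode}) by {p.secretary_deadline}")
```

The media and Secretary tests deliberately use different inputs: the media threshold is evaluated state by state, the Secretary threshold on the total, so a breach of 600 people split 300/300 across two states owes the Secretary contemporaneous notice with no media notice at all. The dates the function returns are the federal outer limits only; the notes remind the responder that state breach statutes frequently run shorter.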

Page 37

Responding to the Breach:

Pursuing insurance recovery

37

Page 38

Insurance Recovery

Cyber/data breach losses require a different approach to insurance recovery

Proactive strategy
  o Need to understand coverage landscape
  o Decisions must be made quickly – esp. where security incident is still ongoing
Early engagement with insurers
  o To obtain necessary consents and meet policy requirements
  o Insurer expectations, custom & practice
Coordination between insurance efforts and other aspects of breach response

38

Page 39

Insurance Recovery

Major breaches are crisis events

Companies must respond to multiple challenges simultaneously, each with legal risks

• May face impaired IT infrastructure or other obstacles to communication

• Insurance objectives may conflict with other corporate priorities

• Effective breach response requires decisive, focused, and coordinated action

39

Page 40

Insurance Recovery

Insurance Best Practices

1. Within 1-2 weeks, develop an insurance strategy that identifies the specific steps that must be taken to obtain recovery
   Review relevant policies to determine available coverage
   Identify policy requirements and pitfalls
2. Integrate insurance strategy into overall breach response plan
   Establish internal team to manage insurance claim, with representatives from risk management, legal, accounting, and coverage counsel.
3. Identify and track all breach-related costs.

40

Page 41

Insurance Recovery

Insurance Best Practices

4. Maintain active and ongoing communication with insurers
   • Keep them informed of major developments
   • Obtain required consents for counsel and expenses
   • Manage insurer information requests
     o Duty to cooperate requires policyholder to provide information
     o Process must be managed so it doesn’t interfere with overall response efforts

41

Page 42

Presenter

Richard DeNatale is a litigation partner at Jones Day who represents policyholders in cyber insurance and data breach coverage matters. He has been recognized in Chambers USA as one of the nation’s leading coverage lawyers. He has acted as lead counsel in precedent-setting coverage litigation on data privacy issues in both California and New York.

Rich has been retained to handle insurance strategy and cost recovery for more than 20 data breach incidents, including some of the largest in history. He also regularly advises clients on cyber policy acquisitions and renewals.

He can be reached at (415) 875-5740, or at [email protected].

42

Page 43

Presenter

Todd McClelland advises clients on data breach response and other information security-related issues, including pre-breach cybersecurity risk assessment and management, compliance, response preparedness, and other risk mitigation activities. He also counsels clients on data privacy issues, outsourcing transactions, technology and data licensing, technology audits, and cloud transactions.

Todd is a frequent speaker at professional seminars and author of articles on cybersecurity. He is a member of the International Association of Privacy Professionals and the CISO Executive Network, and is recognized in The Best Lawyers in America for his data security practice.

He can be reached at 404.581.8326, or at [email protected]

43

Page 44

OCR Authority

www.TheCarlsonFirm.Com

* OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E). One of the ways that OCR carries out this responsibility is to investigate complaints filed with it. OCR may also conduct compliance reviews to determine if covered entities are in compliance, and OCR performs education and outreach to foster compliance with requirements of the Privacy and Security Rules. Breaches and other privacy violations give rise to enforcement. Compliance with the HIPAA Privacy and Security Rules is a mandatory requirement, as is responding to and working with OCR during an investigation.

* Source OCR.

44

Page 45

OCR Authority

The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E. This authority is vast, and since HITECH, has more teeth. All covered entities, business associates and subcontractor business associates all the way down the chain are subject to the Privacy Rule, the Security Rule and compliance with OCR under the authority granted to it in the Enforcement Rule, and are subject to enforcement, with civil money penalties of up to $1.5 million per calendar year for all violations of an identical provision and potential referral to the Department of Justice for criminal investigation.

* Source OCR.

45

Page 46

Responding to Breaches and OCR Investigations

46

Page 47

Responding to Breaches and OCR Investigations

Joshua Carlson, Esq., CIPP/G, CISSP, PCI-ISA
Chair | Minnesota State Bar Computer Technology Law Section

Mr. Carlson is an attorney who practices nationally and internationally in the area of computer and technology law, namely:
• Healthcare Law (HIPAA & HITECH) Privacy & Security Compliance
• US and international regulatory data privacy and data security compliance: PCI, HIPAA, FISMA, NIST, GLBA, Safe Harbor, CyberSecurity, Cloud Security frameworks
• Government cyber security & FISMA program compliance

47

Page 48

AGENDA

1. OCR: by the numbers, complaints, investigations, most common issues to be aware of
2. The OCR investigation process; how to reduce risks
3. How do OCR investigations get started, how to reduce risks of an investigation
4. What to do when you get an OCR letter of investigation, what it will request, how to manage the interaction, response options and the potential results
5. Keys to handling and managing the OCR process

48

Page 49

Intended Audience

Lawyers – Plaintiff & Defense
In-house & outside counsel
Privacy Officers
Compliance Attorneys
Boards and Organizational Leadership

49

Page 50

Objectives

Understand causes of OCR investigation in the first place (how to prevent)
Understand what to do if (when) you do get contacted
Understand what not to do if (when) you get contacted
Understand good form and practice from beginning to end
Get your situational questions asked and answered

50

Page 51

What does the OCR Look Like

Make sure you have visited the OCR website and know the site: http://www.hhs.gov/ocr/ There is a large amount of current information there. The information there contains many details an OCR investigator may expect you to know, or wish you knew to save everyone time. Get up to speed on the FAQs and other sources of information.

51

Page 52

OCR: by the numbers, complaints, investigations, most common issues

Since the compliance date of the Privacy Rule in April 2003, OCR has received over 125,445 HIPAA complaints and has initiated over 854* compliance reviews. OCR has investigated and resolved over 24,047 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. OCR has successfully enforced the HIPAA Rules by applying corrective measures in all cases where an investigation indicates noncompliance by the covered entity or their business associate. To date, OCR has settled 29 such cases resulting in a total dollar amount of $27,974,400.00. OCR has investigated complaints against … national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

* Source OCR. 52

Pages 53-55

OCR: by the numbers, complaints, investigations, most common issues

[Three chart slides of OCR enforcement data; charts not reproduced in the transcript. Source: OCR.]

53-55

Page 56: Data Breaches in Healthcare: Responding to Skyrocketing Cyber …media.straffordpub.com/products/data-breaches-in... · 2016-03-24 · Responding to Skyrocketing Cyber Attacks Managing

OCR: by the numbers, complaints, investigations, most common issues

www.TheCarlsonFirm.Com

State                   Investigated:     Resolved after       Investigated:
                        no violation      intake and review    corrective action
Alaska                  10%               62%                  27%
Alabama                 13%               66%                  21%
Arkansas                17%               61%                  22%
Arizona                 11%               63%                  26%
California              11%               68%                  21%
Colorado                11%               64%                  25%
Connecticut             14%               60%                  26%
District of Columbia    10%               63%                  27%

You can see what the average results are for your state. Use this for your firm or your client; it will give you some perspective.

* Source OCR.


1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information (OCR has recently published a brand new FAQ about many of these issues, e.g., emailing insecurely);
4. Lack of administrative safeguards of electronic protected health information; and
5. Use or disclosure of more than the minimum necessary protected health information.

* Source OCR.


The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

1. Private Practices;
2. General Hospitals;
3. Outpatient Facilities;
4. Pharmacies; and
5. Health Plans (group health plans and health insurance issuers).

* Source OCR.


OCR: The Process

* Source OCR.


OCR: The Process & How to Catch Issues Before a Complaint


The KEY sources/actions that can spur OCR investigations:

1. Complaint filed. A complaint can be submitted by anyone: your brother's cousin's friend's sister. There is no privity requirement that the Complainant be the patient. It is incredibly easy to file a complaint. (See next slide for a view of the OCR Complaint Portal Assistant website.)
2. Breach reporting/notifications
3. State Attorney General actions
4. OCR Audits
5. Whistleblowers


Any unhappy or concerned person can go to the OCR Complaint Portal and file a Complaint, which will get reviewed. Make sure to address issues brought to your attention locally right away.


Install and review systems to catch and address problems at the earliest point:

1. Watch for/track letters, e-mails and calls of complaint to the Privacy Officer.
2. Watch for/track letters, e-mails and calls of complaint to the Compliance Officer.
3. Watch for/track letters, e-mails and calls of complaint to the Chief Medical Director, other executives or any staff.
4. Have a system in place to identify complaint situations, then have the proper team respond to the issues.

* If OCR receives a Complaint and the Complainant says letters, e-mails or calls to leaders about problems went unaddressed, or worse, were not even responded to, that will likely add to the problem. Track the issue, response and resolution like any other.


OCR: Failed to Catch a Problem Letter Arrives


The least enjoyable scenario: the first time you hear about an issue is from the OCR.


The letter will state a number of business days to respond and request the name, title, address and contact information of the person designated to work with OCR during the investigation. It will also request:

- Copy of the internal investigation and timeline of the incident
- Copy of the findings of any internal investigation, with evidence supporting the conclusions (there is some benefit to an outside, objective analysis of the matter at hand)
- Copy of HIPAA policies and procedures
- Proof of all corrective actions taken and all actions taken to prevent any recurrence of the problem
- Copy of the breach notification letter (sample copy)
- Copy of the most recent risk analysis performed, and those for the past X years
- Copy of the most recent risk assessments
- Copies of policies and procedures related to access, access review, incidents, malware reports, and documentation of actions taken to mitigate vulnerabilities to ePHI


Read the letter, then read it again and open a file. Get familiar with the issue, complaint, complainant, systems etc.

Identify who the primary will be; this may be identified in the letter. There should be only one very knowledgeable person, intimate with the issues, to liaise with OCR.

Review any insurance reporting requirement.

Review with in-house or external counsel.

Activate your team (which should be pre-assembled as a part of HIPAA compliance) that will perform the investigation.

The team will likely consist of: Chief Compliance Officer, Security Officer, Legal Counsel, IT, HIM, Privacy Officer.


Perform your own internal investigation on the matter

Be aware this will likely end up a part of the OCR file/response and potentially in any FOIA requests

Require artifacts/proof of any mitigation actions taken in the organization as they will be required in the OCR response

Pay special attention and concern to the manner in which you will exchange data with the OCR, determine and agree on a secure method for exchange which complies with your policies

Make sure to follow your own entity's policies and procedures in the transfer of the data to the OCR

Make sure any changes to IT systems are/were in line with the policies and procedures required by your organization (breaking more policies and procedures to fix an issue will add to the scope.)


OCR investigators are very busy; being organized, clear and concise in the response will help greatly

Organize your response with the supporting evidence correlated to each issue

Confirm response was received

There will likely be some iterative rounds


Evidence of sanctions performed for policy violations

Evidence of retraining required for policy violations

For staff breaking critical policies, I recommend that when a staff person violates a policy, the entire staff or team has to retake the training. This helps give pause to staff who are quick to take shortcuts.

You will be required to hand over your Risk Analysis (step 1, before anything else; the one single thing you must have).

Do NOT overshare: do not just zip up the entire catalogue of policies and procedures and send it over.

Be forthcoming and timely, and make sure the sharing is specific to the request. This saves everyone time.


Timeline to respond will be ~10 business days

You can ask for an extension or another agreed-upon response time; think of about a week more

Call the OCR to get a better in-person understanding of the issues and expectations of the investigator

Do not take longer than you need to respond

Phone calls and written correspondence will be the primary method for responding

It is crucial that all correspondence (phone or in writing) is accurate, specific, forthright, and is from the most knowledgeable HIPAA person on the matter


OCR: CE Response Options


We are not a Covered Entity or a BA and not regulated under HIPAA

Alleged violation did not occur, e.g., the complainant’s description/perception or stated facts of the issue are not accurate/complete, etc.

Organization is in Compliance with the Rules

Breach did occur, but the organization had all of the requisite policies and procedures in place and took prompt corrective action: sanctions, training, and organizational, procedural and policy changes.

* See prior slide: if initial issues directed to the organization went ignored, and changes came only as a result of the OCR investigation, this position may be more difficult.


OCR: Possible Outcomes (voluntary compliance, corrective action, or resolution agreement)

Complaint dismissed (yay!): your organization was prepared and your response was on point, credible, timely and did not raise more issues.

Prepare and submit for OCR review and eventual approval of additional and modified HIPAA policies, procedures and the requisite HIPAA training on these updates

OCR requires a Compliance Agreement to be put into place which will involve oversight from OCR

Civil Fine is Imposed

OCR turns matter over to DOJ for further investigation


Closing of the file.

Once the OCR is satisfied with the CE's response and corrective actions, they may call and offer “HIPAA technical assistance”.

Once the investigation is closed, you will get a letter outlining the closing, which also goes to the Complainant and outlines the issue, the actions taken and OCR's satisfaction that the issues are resolved.

Review the letter and use it to continue to make improvements for the future.


Final Thoughts

COOPERATION after contact from the OCR is the winning approach

Organizational competence prior to receiving the OCR contact is critical to a smooth response process; you can’t make it up on the fly

Perform a test OCR investigation exercise with your team as a part of breach response exercises.

Questions?

Joshua Carlson
TheCarlsonFirm
800 Washington Avenue North, Suite 704
Minneapolis, MN 55401
[email protected]