UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Transcription

1 UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

2 INTRODUCTION Cyber attacks increasing Liability/actions resulting from cyber incidents increasing Private consumer actions Negligence: failing to adhere to industry standards Breach of Contract/Privacy Government regulation FCC, FTC, State attorneys general = actions against careless companies Derivative suits D & O liability = Boards of Directors (for-profit and non-profit) Bottom line: are you reasonably planning for a breach?

3 ROADMAP Trends in cybersecurity and risks Industry standards Legal Standards readily available security measures FTC v. Wyndham, 2015 U.S. App. LEXIS (3d Cir. N.J. 2015). Healthcare Cybersecurity Definitions & Cases Preparing for a cybersecurity breach

4 CYBERSECURITY TRENDS Ransomware ( 3,500%) Cryptolocker/Bitcoin Increased portable devices Hollywood Presbyterian Med. Ctr Bitcoin = $17,000 Phishing CEO Fraud Scam W2 Wire Funds

5 CYBERSECURITY TRENDS CONT D Healthcare cyber breaches 63% in major hospital/medical systems Banner Health (3.6M records) Newkirk (3.4M) 21 st Century Oncology (2.2M) Valley Anesthesiology Consultants (.88M) Prediction: Healthcare remains top target in 2017 (Source: Experian) Cyber hackers responsible for 31% of major 2016 HIPAA breaches

6 CYBERSECURITY RISKS SPAM/Internet Ads BYOD (Bring Your Own Device) lost; unencrypted, etc. Inadequate security measures Failure to back-up data & test Unencrypted PHI or PII Broad administrative privileges Employees Rogue and the untrained Third Party Vendors Access, contracts

7 CYBERSECURITY RISKS CONT D. Unfettered administrative access Remove privileges Further protection from malicious code Unpatched Microsoft and 3 rd party software Remote access Unsegmented network

8 BREACH - Defined Healthcare Definition HIPAA & HITECH: Impermissible use or disclosure that compromises the security or privacy of the PHI. Presumption of a breach unless can demonstrate low probability the PHI has been compromised based upon risk assessment of various factors: Type of information at issue Likelihood of re-identification To whom disclosure was made Mitigation Some exceptions to definition of breach. Good faith, unintentional acquisition, access. Resource: US Dept. of Health & Human Services HHS.gov; HIPAA and Health Information Privacy

9 ANATOMY OF A BREACH

10 HEALTHCARE CYBERSECURITY: UPDATES Not business as usual Trends Shift from coincidental breaches (lost devices) to targeted and well-executed attacks. Anthem (2015) PHI and PII accessed for 80M customers and employees. Healthcare databases contain all relevant data points to steal financial information. Community Health Systems (2014) PHI and PII accessed by Chinese hackers to perpetrate insurance fraud. 4.5M patient records affected.

11 HEALTHCARE CYBERSECURITY: Ransomware UPDATES Hollywood Presbyterian Med. Ctr. (2016) hackers used malware to infect computers and stopped communication; demanded $17K to restore. Physicians unable to access EMR for one week. Hospital paid the ransom. Cause? Employee opened infected or downloaded the malware from a pop-up ad which allowed the virus to enter the network.

12 HEALTHCARE CYBERSECURITY: UPDATES Univ. of Washington Medicine (2013) Phishing attack: a hospital billing employee clicked on malicious link in . Link contained malware which accessed and took over employee s computer Quickly contained the next day PHI and PII accessed Organization had not trained employees or developed a security-aware environment. Fine of $750,000 and corrective action plan

13 HEALTHCARE CYBERSECURITY - PREPARATION Cybersecurity Prep = Natural Disaster Prep How will you manage if unable to access patient records? Back-up all data on separate networks. What communication methods will be used if electronic communication is unavailable? How will you ensure patient safety if applications cannot be accessed?

14 INCIDENT RESPONSE Take appropriate measures before, during, and after a cyber incident: Conduct a risk or gap assessment Identify security vulnerabilities and take appropriate remedial measures.» What is your data? Where is it? Does Network have an intrusion detection or prevention system? Are mobile devices encrypted? Remote access? Firewalls? Regular back-up protocol? Examine third-party vendors/business contacts Review existing contracts» E.g., Target breach Demand protective provisions/anti-malware software Implement audit structure Consider multi-factor authentication

15 INCIDENT RESPONSE (CONT D) Develop policies and procedures Passwords, updates, encryption BYOD Employee training / testing» Penetration testing» Competencies Cyber insurance Assemble key participants CISOs/CIOs IT forensics Legal PR Law enforcement Customer/client relations personnel

16 RESPONSE PLAN Purpose: Ensures response to the data breach or other cyber incident is executed in the most efficient and effective way possible in order to mitigate liability, damage and lost of productivity. Practice breach simulation identify weaknesses Regular review and update of Plan

17 AFTER AN INCIDENT Reporting requirements following breach of PHI: Regulated industries HIPAA Breach Notification Rule, 45 CFR HITECH Act, 13407, applies to vendors of PH records and third party service providers O.R.C Ohio s Notification Statute (non-regulated industries) As soon as possible, no later than 45 days Public relations Mitigate adverse publicity following a cyber incident Post-mortem: what did we learn? What worked? What did not?

18 CLOSING Security = driving force; after-thought Know organization s gaps Implement policies and procedures; train employees, update, document noncompliance Develop a written response plan and practice execution; update Test back-ups and restore procedures Encrypt What is commercially reasonable? What have you learned from other healthcare breaches?

19 CONTACT Lindsay M. Johnson, Esq. Partner Freund Freeze & Arnold Co., LPA (937)