UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE
Lindsay M. Johnson, Esq.
Partner, Freund, Freeze & Arnold, LPA
ljohnson@ffalaw.com

INTRODUCTION
- Cyber attacks increasing
- Liability/actions resulting from cyber incidents increasing
  » Private consumer actions
    - Negligence: failing to adhere to industry standards
    - Breach of contract/privacy
  » Government regulation: FCC, FTC, state attorneys general = actions against careless companies
  » Derivative suits: D&O liability = boards of directors (for-profit and non-profit)
- Bottom line: are you reasonably planning for a breach?

ROADMAP
- Trends in cybersecurity and risks
- Industry standards
- Legal standards: readily available security measures (FTC v. Wyndham, 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. 2015))
- Healthcare cybersecurity: definitions & cases
- Preparing for a cybersecurity breach

CYBERSECURITY TRENDS
- Ransomware (3,500%)
  » Cryptolocker/Bitcoin
  » Increased portable devices
  » Hollywood Presbyterian Med. Ctr. (2016): 40 Bitcoin = $17,000
- Phishing
  » CEO fraud scam
  » W-2
  » Wire funds

CYBERSECURITY TRENDS CONT'D
- Healthcare cyber breaches: 63% in 2016
  » 93 major hospital/medical systems
  » Banner Health (3.6M records)
  » Newkirk (3.4M)
  » 21st Century Oncology (2.2M)
  » Valley Anesthesiology Consultants (.88M)
- Prediction: healthcare remains the top target in 2017 (Source: Experian)
- Cyber hackers responsible for 31% of major 2016 HIPAA breaches

CYBERSECURITY RISKS
- SPAM/Internet ads
- BYOD (Bring Your Own Device): lost; unencrypted, etc.
- Inadequate security measures
  » Failure to back up data & test
  » Unencrypted PHI or PII
  » Broad administrative privileges
- Employees: rogue and the untrained
- Third-party vendors: access, contracts

CYBERSECURITY RISKS CONT'D
- Unfettered administrative access
  » Remove privileges
  » Further protection from malicious code
- Unpatched Microsoft and 3rd-party software
- Remote access
- Unsegmented network

BREACH - DEFINED
- Healthcare definition (HIPAA & HITECH): impermissible use or disclosure that compromises the security or privacy of the PHI.
- Presumption of a breach unless the organization can demonstrate a low probability that the PHI has been compromised, based upon a risk assessment of various factors:
  » Type of information at issue
  » Likelihood of re-identification
  » To whom disclosure was made
  » Mitigation
- Some exceptions to the definition of breach: good faith, unintentional acquisition, access.
- Resource: US Dept. of Health & Human Services, HHS.gov; HIPAA and Health Information Privacy

ANATOMY OF A BREACH
[diagram slide; no text captured in the transcription]

HEALTHCARE CYBERSECURITY: UPDATES
- Not business as usual
- Trends: shift from coincidental breaches (lost devices) to targeted and well-executed attacks.
  » Anthem (2015): PHI and PII accessed for 80M customers and employees. Healthcare databases contain all relevant data points to steal financial information.
  » Community Health Systems (2014): PHI and PII accessed by Chinese hackers to perpetrate insurance fraud. 4.5M patient records affected.

HEALTHCARE CYBERSECURITY: RANSOMWARE UPDATES
- Hollywood Presbyterian Med. Ctr. (2016): hackers used malware to infect computers and stopped communication; demanded $17K to restore.
  » Physicians unable to access the EMR for one week.
  » Hospital paid the ransom.
- Cause? An employee opened an infected e-mail or downloaded the malware from a pop-up ad, which allowed the virus to enter the network.

HEALTHCARE CYBERSECURITY: UPDATES
- Univ. of Washington Medicine (2013)
  » Phishing attack: a hospital billing employee clicked on a malicious link in an e-mail. The link contained malware which accessed and took over the employee's computer.
  » Quickly contained the next day
  » PHI and PII accessed
  » Organization had not trained employees or developed a security-aware environment.
  » Fine of $750,000 and a corrective action plan

HEALTHCARE CYBERSECURITY - PREPARATION
- Cybersecurity prep = natural disaster prep
- How will you manage if unable to access patient records? Back up all data on separate networks.
- What communication methods will be used if electronic communication is unavailable?
- How will you ensure patient safety if applications cannot be accessed?

INCIDENT RESPONSE
Take appropriate measures before, during, and after a cyber incident:
- Conduct a risk or gap assessment
  » Identify security vulnerabilities and take appropriate remedial measures.
  » What is your data? Where is it?
  » Does the network have an intrusion detection or prevention system?
  » Are mobile devices encrypted? Remote access? Firewalls?
  » Regular back-up protocol?
- Examine third-party vendors/business contacts
  » Review existing contracts (e.g., Target breach)
  » Demand protective provisions/anti-malware software
- Implement an audit structure
- Consider multi-factor authentication

INCIDENT RESPONSE (CONT'D)
- Develop policies and procedures
  » Passwords, updates, encryption
  » BYOD
- Employee training / testing
  » Penetration testing
  » Competencies
- Cyber insurance
- Assemble key participants
  » CISOs/CIOs
  » IT forensics
  » Legal
  » PR
  » Law enforcement
  » Customer/client relations personnel

RESPONSE PLAN
- Purpose: ensures the response to a data breach or other cyber incident is executed in the most efficient and effective way possible in order to mitigate liability, damage and loss of productivity.
- Practice breach simulation: identify weaknesses
- Regular review and update of the plan

AFTER AN INCIDENT
- Reporting requirements following a breach of PHI:
  » Regulated industries: HIPAA Breach Notification Rule, 45 CFR 164.400-414
  » HITECH Act § 13407: applies to vendors of personal health records and third-party service providers
  » O.R.C. 1349.19, Ohio's notification statute (non-regulated industries): as soon as possible, no later than 45 days
- Public relations: mitigate adverse publicity following a cyber incident
- Post-mortem: what did we learn? What worked? What did not?

CLOSING
- Security = driving force, not an after-thought
- Know the organization's gaps
- Implement policies and procedures; train employees, update, document noncompliance
- Develop a written response plan and practice execution; update
- Test back-ups and restore procedures
- Encrypt
- What is commercially reasonable?
- What have you learned from other healthcare breaches?
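The PREPARATION slide asks for backups on separate networks and the CLOSING slide asks that backups and restore procedures be tested. The script below is an added example of what such a restore drill can look like in practice; it is not part of the presentation and not the speaker's or firm's tooling. It assumes a POSIX shell with tar, find and GNU sha256sum available, and every path and sample record in it is constructed for the example. The point it demonstrates is that a backup is only proven when the archive has been restored somewhere and every file checked against a manifest taken at backup time, which is what catches a silently incomplete or altered backup before an incident does.

```shell
#!/bin/sh
# Added example, not from the presentation: a backup-and-restore drill.
# make_backup writes a tar archive plus a SHA-256 manifest for a directory;
# verify_restore extracts the archive into a scratch directory and checks every
# manifest entry there. Assumes POSIX sh, tar, find and GNU sha256sum.
# All paths and sample records below are constructed for the example.
set -e

# make_backup SRC_DIR ARCHIVE MANIFEST
# Hashes every file under SRC_DIR (paths relative to SRC_DIR) into MANIFEST,
# then archives SRC_DIR into ARCHIVE. ARCHIVE and MANIFEST should be absolute paths.
make_backup() {
    src="$1"; archive="$2"; manifest="$3"
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort ) > "$manifest"
    tar -cf "$archive" -C "$src" .
}

# verify_restore ARCHIVE MANIFEST SCRATCH_DIR
# Restores ARCHIVE into SCRATCH_DIR and verifies every manifest entry there.
# Returns 0 only when every listed file is present and matches its hash;
# a missing or altered file makes "sha256sum -c" fail, so the drill fails.
verify_restore() {
    archive="$1"; manifest="$2"; scratch="$3"
    mkdir -p "$scratch"
    tar -xf "$archive" -C "$scratch"
    if ( cd "$scratch" && sha256sum -c --quiet "$manifest" ); then
        echo "restore drill OK: $archive"
        return 0
    fi
    echo "restore drill FAIL: $archive"
    return 1
}

# run_demo_drill: builds constructed sample records in a temp dir and runs the
# drill twice: against a complete backup (must pass) and against a backup taken
# after a record went missing, checked with the original manifest (must fail).
# Returns 0 when both outcomes are as expected.
run_demo_drill() {
    work=$(mktemp -d)
    mkdir -p "$work/src/records"
    printf 'record A (constructed sample)\n' > "$work/src/records/a.txt"
    printf 'record B (constructed sample)\n' > "$work/src/records/b.txt"

    make_backup "$work/src" "$work/good.tar" "$work/manifest.sha256"
    verify_restore "$work/good.tar" "$work/manifest.sha256" "$work/restore_good" || return 1

    # Simulate an incomplete backup: one record is gone, but the archive is
    # still checked against the manifest from the complete snapshot.
    rm "$work/src/records/b.txt"
    tar -cf "$work/bad.tar" -C "$work/src" .
    if verify_restore "$work/bad.tar" "$work/manifest.sha256" "$work/restore_bad"; then
        echo "unexpected: incomplete backup passed verification"
        return 1
    fi
    rm -rf "$work"
    return 0
}

run_demo_drill
```

Running the script prints "restore drill OK" for the complete archive and "restore drill FAIL" for the truncated one; in a real drill the scratch directory would be on a host separate from production, and the manifest would be stored with the offline copy of the backup so that it cannot be rewritten along with the data it protects.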

CONTACT
Lindsay M. Johnson, Esq.
Partner, Freund Freeze & Arnold Co., LPA
ljohnson@ffalaw.com
(937) 222-2424