UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE
Lindsay M. Johnson, Esq.
Partner, Freund, Freeze & Arnold, LPA
ljohnson@ffalaw.com
INTRODUCTION
- Cyber attacks increasing
- Liability/actions resulting from cyber incidents increasing
  - Private consumer actions
    - Negligence: failing to adhere to industry standards
    - Breach of contract/privacy
  - Government regulation: FCC, FTC, state attorneys general = actions against careless companies
  - Derivative suits: D&O liability = boards of directors (for-profit and non-profit)
- Bottom line: are you reasonably planning for a breach?
ROADMAP
- Trends in cybersecurity and risks
- Industry standards
- Legal standards: readily available security measures
  - FTC v. Wyndham, 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. 2015)
- Healthcare cybersecurity: definitions & cases
- Preparing for a cybersecurity breach
CYBERSECURITY TRENDS
- Ransomware (up 3,500%)
  - Cryptolocker/Bitcoin
  - Increased portable devices
  - Hollywood Presbyterian Med. Ctr., 2016: 40 Bitcoin = $17,000
- Phishing
  - CEO fraud scam
  - W-2 scam
  - Wire funds
CYBERSECURITY TRENDS (CONT'D)
- Healthcare cyber breaches: 63% in 2016
  - 93 major hospital/medical systems
  - Banner Health (3.6M records)
  - Newkirk (3.4M)
  - 21st Century Oncology (2.2M)
  - Valley Anesthesiology Consultants (0.88M)
- Prediction: healthcare remains the top target in 2017 (source: Experian)
- Cyber hackers responsible for 31% of major 2016 HIPAA breaches
CYBERSECURITY RISKS
- Spam/Internet ads
- BYOD (bring your own device): lost, unencrypted, etc.
- Inadequate security measures
  - Failure to back up data and test the backups
  - Unencrypted PHI or PII
  - Broad administrative privileges
- Employees: the rogue and the untrained
- Third-party vendors: access, contracts
CYBERSECURITY RISKS (CONT'D)
- Unfettered administrative access
  - Remove privileges: further protection from malicious code
- Unpatched Microsoft and third-party software
- Remote access
- Unsegmented network
BREACH - DEFINED
- Healthcare definition (HIPAA & HITECH): an impermissible use or disclosure that compromises the security or privacy of the PHI.
- Presumption of a breach unless it can be demonstrated that there is a low probability the PHI has been compromised, based on a risk assessment of factors including:
  - Type of information at issue
  - Likelihood of re-identification
  - To whom the disclosure was made
  - Mitigation
- Some exceptions to the definition of breach: good-faith, unintentional acquisition or access.
- Resource: U.S. Dept. of Health & Human Services, HHS.gov, "HIPAA and Health Information Privacy"
ANATOMY OF A BREACH
(slide diagram; not reproduced in text)
HEALTHCARE CYBERSECURITY: UPDATES
- Not business as usual
- Trends: shift from coincidental breaches (lost devices) to targeted and well-executed attacks.
  - Anthem (2015): PHI and PII accessed for 80M customers and employees. Healthcare databases contain all the data points needed to steal financial information.
  - Community Health Systems (2014): PHI and PII accessed by Chinese hackers to perpetrate insurance fraud. 4.5M patient records affected.
HEALTHCARE CYBERSECURITY UPDATES: RANSOMWARE
- Hollywood Presbyterian Med. Ctr. (2016): hackers used malware to infect computers and stop communication; demanded $17K to restore.
  - Physicians unable to access the EMR for one week.
  - Hospital paid the ransom.
- Cause? An employee opened an infected e-mail or downloaded the malware from a pop-up ad, which allowed the virus to enter the network.
HEALTHCARE CYBERSECURITY: UPDATES
- Univ. of Washington Medicine (2013): phishing attack; a hospital billing employee clicked on a malicious link in an e-mail.
  - The link contained malware, which accessed and took over the employee's computer.
  - Quickly contained the next day; PHI and PII accessed.
  - The organization had not trained employees or developed a security-aware environment.
  - Fine of $750,000 and a corrective action plan.
HEALTHCARE CYBERSECURITY - PREPARATION
- Cybersecurity prep = natural disaster prep
  - How will you manage if unable to access patient records? Back up all data on separate networks.
  - What communication methods will be used if electronic communication is unavailable?
  - How will you ensure patient safety if applications cannot be accessed?
INCIDENT RESPONSE
- Take appropriate measures before, during, and after a cyber incident.
- Conduct a risk or gap assessment: identify security vulnerabilities and take appropriate remedial measures.
  - What is your data? Where is it?
  - Does the network have an intrusion detection or prevention system?
  - Are mobile devices encrypted? Remote access? Firewalls?
  - Regular back-up protocol?
- Examine third-party vendors/business contacts
  - Review existing contracts (e.g., the Target breach)
  - Demand protective provisions/anti-malware software
  - Implement an audit structure
  - Consider multi-factor authentication
INCIDENT RESPONSE (CONT'D)
- Develop policies and procedures
  - Passwords, updates, encryption
  - BYOD
- Employee training/testing
  - Penetration testing
  - Competencies
- Cyber insurance
- Assemble key participants: CISOs/CIOs, IT forensics, legal, PR, law enforcement, customer/client relations personnel
RESPONSE PLAN
- Purpose: ensures the response to a data breach or other cyber incident is executed in the most efficient and effective way possible, in order to mitigate liability, damage, and loss of productivity.
- Practice breach simulations to identify weaknesses
- Regular review and update of the plan
AFTER AN INCIDENT
- Reporting requirements following a breach of PHI:
  - Regulated industries: HIPAA Breach Notification Rule, 45 CFR 164.400-414
  - HITECH Act, § 13407: applies to vendors of personal health records and third-party service providers
  - O.R.C. 1349.19, Ohio's notification statute (non-regulated industries): as soon as possible, no later than 45 days
- Public relations: mitigate adverse publicity following a cyber incident
- Post-mortem: what did we learn? What worked? What did not?
CLOSING
- Security = driving force, not an afterthought
- Know the organization's gaps
- Implement policies and procedures; train employees; update; document noncompliance
- Develop a written response plan and practice execution; update
- Test back-ups and restore procedures
- Encrypt
- What is commercially reasonable?
- What have you learned from other healthcare breaches?
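The preparation slide says to back up all data, and the closing slide says to test back-ups and restore procedures. As an added illustration of what a minimal, repeatable restore drill looks like (this script is not part of the presentation and not the presenter's work; the directory names, file names and sample records in it are constructed for the demonstration), the POSIX shell below archives a directory, records a SHA-256 checksum beside the archive, then proves the backup is usable by checking the checksum, unpacking the archive into a scratch directory and comparing the restored tree with the original byte for byte. A backup that fails any of the three checks is reported as unusable, which is exactly the finding a drill exists to surface before an incident does.

```shell
#!/bin/sh
# Added example: a backup-and-restore drill. Not from the presentation; paths and
# sample data are constructed for the demonstration.

# make_backup SRC_DIR BACKUP_DIR
# Archive SRC_DIR into BACKUP_DIR as a timestamped tar.gz and write a SHA-256
# checksum file next to it (with a relative file name, so the checksum can be
# verified wherever the backup set is later copied). Prints the archive path.
make_backup() {
    src_dir="$1"
    backup_dir="$2"
    mkdir -p "$backup_dir"
    backup_dir="$(cd "$backup_dir" && pwd)"          # absolute, so tar -C is safe
    name="backup-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -C "$src_dir" -czf "$backup_dir/$name" . || return 1
    (cd "$backup_dir" && sha256sum "$name" > "$name.sha256") || return 1
    echo "$backup_dir/$name"
}

# verify_restore SRC_DIR ARCHIVE
# Returns 0 only if the archive (1) still matches its recorded checksum,
# (2) can actually be unpacked, and (3) restores a tree identical to SRC_DIR.
verify_restore() {
    src_dir="$1"
    archive="$2"
    backup_dir="$(dirname "$archive")"
    name="$(basename "$archive")"

    # 1. Integrity: has the archive been altered or corrupted since it was written?
    (cd "$backup_dir" && sha256sum -c --quiet "$name.sha256" >/dev/null 2>&1) || return 1

    # 2. Restorability: unpack into a fresh scratch directory, never over live data.
    restore_dir="$(mktemp -d)"
    if ! tar -C "$restore_dir" -xzf "$archive" 2>/dev/null; then
        rm -rf "$restore_dir"
        return 1
    fi

    # 3. Completeness: the restored tree must equal the source, file for file.
    if ! diff -r "$src_dir" "$restore_dir" >/dev/null 2>&1; then
        rm -rf "$restore_dir"
        return 1
    fi
    rm -rf "$restore_dir"
    return 0
}

# demo: run one drill against constructed sample records in a temporary directory.
# Returns 0 when the backup verifies, 1 otherwise.
demo() {
    work="$(mktemp -d)"
    mkdir -p "$work/records"
    printf 'patient_id,visit_date\n1001,2017-01-05\n1002,2017-01-06\n' > "$work/records/visits.csv"
    printf 'constructed sample note\n' > "$work/records/note.txt"

    archive="$(make_backup "$work/records" "$work/backups")" || return 1
    if verify_restore "$work/records" "$archive"; then
        echo "backup verified: $archive"
        rm -rf "$work"
        return 0
    fi
    echo "backup verification FAILED: $archive" >&2
    rm -rf "$work"
    return 1
}
```

Run `demo` on a schedule, or point `make_backup`/`verify_restore` at a real records directory and a backup location on a separate network, and treat a non-zero exit as an incident-readiness finding. The restore always goes to a scratch directory so the drill can run against production data without ever overwriting it.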
CONTACT
Lindsay M. Johnson, Esq.
Partner, Freund Freeze & Arnold Co., LPA
ljohnson@ffalaw.com
(937) 222-2424