HIMSS 15 Doing Better Business in the Era of Data Security and Privacy

Similar documents
2017 RIMS CYBER SURVEY

Putting It All Together:

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

PULSE TAKING THE PHYSICIAN S

The Impact of Cybersecurity, Data Privacy and Social Media

Cyber Risks in the Boardroom Conference

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Everyday Security: Simple Solutions to Complex Security Problems

Top Five Privacy and Data Security Issues for Nonprofit Organizations

Cybersecurity Auditing in an Unsecure World

HIPAA Compliance is not a Cybersecurity Strategy

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

01.0 Policy Responsibilities and Oversight

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

Cloud Communications for Healthcare

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

HIPAA Privacy, Security and Breach Notification

Building YOUR Privacy Program: One Size Does Not Fit All. IBM Security Services

Cyber Attack: Is Your Business at Risk?

HEALTH CARE AND CYBER SECURITY:

Latest Legal Threat for Providers Protecting Private Information in Text Messages, s and Other Electronic Transmissions

Cybersecurity The Evolving Landscape

What To Do When Your Data Winds Up Where It Shouldn t

Data Security: Public Contracts and the Cloud

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Enhancing Security With SQL Server How to balance the risks and rewards of using big data

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Cybersecurity in Higher Ed

The Evolving Threat to Corporate Cyber & Data Security

locuz.com SOC Services

Introduction. Angela Holzworth, RHIA, CISA, GSEC. Kimberly Gray, Esq., CIPP/US. Sr. IT Infrastructure Analyst

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Village Software. Security Assessment Report

Managing Cybersecurity Risk

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

Cloud Computing, SaaS and Outsourcing

Key Customer Issues to Consider Before Entering into a Cloud Services Arrangement

BHConsulting. Your trusted cybersecurity partner

The NIS Directive and Cybersecurity in

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Speakers. Shellie Zavatsky Director of Internal Audit at Hurley Medical Center. Trent Long Director of Managed Privacy Services at FairWarning, Inc

Cyber Security Law --- Are you ready?

Information Governance, the Next Evolution of Privacy and Security

All Aboard the HIPAA Omnibus An Auditor s Perspective

Security and Privacy Governance Program Guidelines

Healthcare in the Public Cloud DIY vs. Managed Services

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Security Takes Center Stage

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

Larry Clinton President & CEO Internet Security Alliance

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

How to Prepare a Response to Cyber Attack for a Multinational Company.

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

Cyber Due Diligence: Understanding the New Normal in Corporate Risk

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

2016 Survey: A Pulse on Mobility in Healthcare

Dealing with the Reality of a Privacy Breach: Civil Litigation, Regulatory Response, and Minimizing Your Risks

THALES DATA THREAT REPORT

A Checklist for Cybersecurity and Data Privacy Diligence in TMT Transactions

Compliance with CloudCheckr

EXECUTIVE SUMMARY JUNE 2016 Multifamily and Cybersecurity: The Threat Landscape and Best Practices

Healthcare HIPAA and Cybersecurity Update

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

GDPR drives compliance to top of security project list for 2018

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Best Practices in Securing a Multicloud World

HITRUST Common Security Framework - Are you prepared?

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Cybersecurity and Hospitals: A Board Perspective

Cyber Security Technologies

What It Takes to be a CISO in 2017

74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

SIEMLESS THREAT MANAGEMENT

HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

The First Six Steps to Securing Remote Locations 1

MD-HQ Utilizes Atlantic.Net s Private Cloud Solutions to Realize Tremendous Growth

Sage Data Security Services Directory

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

HIPAA Compliance & Privacy What You Need to Know Now

Information Security Risk Strategies. By

Test Data Management for Security and Compliance

Higher Education Privacy Update

Mastering Data Privacy, Social Media, & Cyber Law

Angela McKay Director, Government Security Policy and Strategy Microsoft

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Cyber Attacks and Data Breaches: A Legal and Business Survival Guide

DeMystifying Data Breaches and Information Security Compliance

Data Privacy and Cybersecurity

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Transcription:

HIMSS 15 Doing Better Business in the Era of Data Security and Privacy Michael D. Stovsky, Esq. Partner and Chair, Innovations, Information Technology and IP Group Cleveland Columbus Indianapolis Philadelphia Shanghai White Plains Wilmington www.beneschlaw.com What s New? Since December, 2013 we have experienced the most severe privacy and data security breaches and incidents in our nation s history T.J. Maxx Target Home Depot Neiman Marcus Sony Verizon super cookie fine by FCC EU vs Germany the Germanwings health privacy debate 2 1

What s New? But more than 90% of all breaches are not public breaches Non-consumer based companies of all sorts Hospitals, health systems, other covered entities and business associates Disgruntled employees IT vendors Business process outsourcing providers (SaaS, IaaS, PaaS, cloud ) 3 What s Trending in Health IT Security In 2014, 42% of all serious data breaches were in the healthcare sector According to the FBI, in 2015, half of all healthcare organizations will have experienced between 1 and 5 cyber attacks in the prior 12 months, 1/3 of which will be successful 4 2

What s Trending in Health IT(cont.) A recent Harris poll of health technology decision makers revealed that healthcare organizations may be reassessing the role that compliance requirements play in protecting patient data 54% said compliance requirements are the primary reason for protecting patient records 68% said that compliance is an effective means of mitigating insider threats and data breaches 63% are planning to increase breach prevention spending BUT, 92% said that that are vulnerable to insider threats 5 What s Trending in Health IT(cont.) By 2020, it is expected that 80% of health data will pass through the cloud at some point in its lifecycle The datacenters that empower the cloud are becoming increasingly centralized and therefore subject to attack as business process outsourcing becomes an even more global enterprise and larger companies acquire smaller regional players 6 3

What s Trending in Health IT(cont.) The major national and international IaaS players including Microsoft, Amazon, LexisNexis and others are accumulating market share The major regional players including Expedient and Bluebridge are working hard to compete by offering terms that are more protective 7 What s Trending in Health IT(cont.) Data analytics is ready for prime time Driving operational and clinical decision-making and change HIPAAadministrative simplification modifications to the medical data code set for International Classification of Diseases (ICD) ICD-10 effective date is October 15, 2015 Telemedicine takes off? 8 4

What s Trending in Health IT?(cont.) In the face of escalating risk, except in segments subject to regulation, corporate entities are not prepared from a policy or technical perspective to meet the challenge of privacy and security breaches Spending in this area is lagging clear evidence of necessity In-house IT departments are already overwhelmed and without the necessary depth 9 What s Trending in Health IT (cont.) In-house legal departments do not have the necessary expertise and are focused on breach response, rather than up-front preparation as a policy matter Breaches are becoming multi-billion dollar problems resulting from direct damages, penalties, lawsuits, loss of productivity, diversion of resources, and reputational harm Corporate boards are not responding quickly enough to meet the evolving threat 10 5

Federal Privacy and Information Security Law The United States does not have a comprehensive, well-defined body of privacy or information security law In the United States, federal privacy and information security law is made up of a patchwork of statutes, regulations and guidelines applicable to various industries and actors 11 What Laws Apply? For HIPAA covered entities and business associates, we of course know that a well developed body of law exists pertaining to protected health information. But, a host of other state, federal and international laws, rules and regulations may also apply and every entity operating in the health information technology space must be aware of this body of law. 12 6

Federal Privacy Law (cont.) Healthcare Privacy Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Health Information Technology for Economic and Clinical Health Act (HITECH) State privacy law International privacy law (EU, Switzerland, EEA, AMEA, Australia, Canada, Mexico and Russia) 13 Information Security Law In the United States, there is even less welldefined federal law with respect to information security than with respect to privacy Well defined information security law does exist in certain areas such as: 14 14 7

Federal Information Security Law HIPAA Security Rule Fedeal Health Information Security Breach Notification HIPAA/HITECH Interagency Guidance on Response Programs for Security Breaches State data security laws (47 states currently) International data security (EU, Switzerland, EEA, AMEA, Australia, Canada, Mexico and Russia) 15 15 Information Security Standards ISO 27001 series Statement on Auditing Standards (SSAE-16 /AT-101) Payment Card Industry Data Security Standard (PCI DSS) National Institute of Standards and Technology (NIST) Guidelines HIPAAand HITECH 16 16 8

17 Where Should the Focus Be? Board level attention Effective risk assessment and analysis Data classification Comprehensive policies and procedures for privacy, security, data breach and incident response Education and training Global thinking Contracts IT, IP, Cloud, Vendor Social media Protection of competitive intelligence and trade secrets Physical security What Do Buyers Want? CERTAINTY And CLOSURE 18 9

What Do Vendors Want? CLOSURE AND CERTAINTY 19 Top 10 Ways to Get the Deal Done Buyers and Vendors want the same things, but in a different order of priority 20 10

10. Understand that in a sophisticated health IT deal, a simple contract is not always a better contract because it is viewed by buyers and their counsel as unsophisticated and doesn t give them the necessary certainty 21 9. Understand that failing to offer reasonable market terms on data security and privacy can lengthen the sales cycle by months 22 11

8. Bring subcontractors to the table that are themselves fully compliant with applicable laws, rules and regulations, and stand behind them 23 7. Realize that there is a professional (i.e., lawyer) who is going to need to opine on the deal before it gets signed and that professional is not a risk taker 24 12

6. If you are a vendor, realize that your customer knows that you are not likely to walk away from the deal and will use every strategic advantage to obtain the terms it wants and needs including pushing you to month, quarter and year end 25 5. If you are a vendor, realize that your customer knows that your threat to have to redeploy the A- team is usually not real 26 13

4. If you are a vendor, realize that your client wants the best terms you have and not the terms you give to lesser clients, and does not want to have to ask you for it 27 3. Buy and maintain adequate insurance 28 14

2. Follow the moving money! 29 1. Hire a great lawyer that understands and has a great deal of experience in health IT deals on both sides of the table 30 15

10. 31 Michael D. Stovsky, Esq. mstovsky@beneschlaw.com 216.363.4626 Benesch, Friedlander, Coplan & Aronoff LLP 200 Public Square Street, Suite 2300 Cleveland, OH 44114 32 8355726_1.ppt 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback