Pillsbury Winthrop Shaw Pittman LLP
Health Care Data Breach Discovery – Strategies for Immediate Response
March 27, 2014
Faculty

Gerry Hinkley, Partner, Pillsbury Winthrop Shaw Pittman LLP

Sarah Flanagan, Partner, Pillsbury Winthrop Shaw Pittman LLP

Lara Forde, Response Team Manager, AllClear ID

Daren Hutchison, Associate Director, Navigant Consulting

Overview

How to prepare for the inevitable breach

What to do immediately upon a suspected breach

How to structure and conduct an investigation and forensic analysis

Identify best practices for communications planning

Identify best practices for notification, compliance and remediation

Approaches to training and discipline

Preparing for enforcement and litigation

Managing privacy litigation

Preparing for the Inevitable Breach

Engage your risk management department and buy Cyber Insurance: know what your coverage will and won’t do for you

Employ a centrally managed system designed to detect and prevent the unauthorized use and transmission of data in motion, at rest and at endpoints

Perform a “rolling” risk assessment with continuous security improvements

Train and authenticate personnel

Authorize and limit applications

Continuously audit security and integrity internally and externally

Adopt Policies and Procedures

Processes for discovering breaches

Procedures and forms for reporting

Mechanisms for determining:
  if unsecured PHI is involved
  individuals affected
  applicable notification requirements

Adopt Policies and Procedures (Continued)

Processes for:
  determining appropriate mitigation
  developing advice to affected individuals
  creating and distributing notices
  determining and creating other forms of communication
  accounting for notification
  reporting to the Secretary of HHS

What To Do Immediately after a Breach Is Suspected

Discovery – when does it occur?
  When the breach is discovered (or should have been discovered) by someone other than the person who committed it
  This starts the clock for notification requirements

What To Do Immediately after a Breach Is Suspected (Continued)

Upon Discovery – kick off the response
  Internal report – prompt, upstream reporting is critical
  Involve legal counsel to enable attorney-client privilege
  Take immediate steps to close the breach
  Preserve all evidence
  Responsible official refers to policies and procedures previously adopted to develop initial plan for response
  Publish and implement plan for response
  Confirm and implement lines of authority
  Establish communications plan
  Notify senior management and breach team
  Begin planning for notification and mitigation
  Begin forensic investigation

Investigation

R.E.S.P.O.N.D. Acronym:

R.equest Information
  Interviews

E.valuate the Situation
  Ongoing Threat?
  Types of Data/Information Involved

S.ecure the “Crime Scene” and/or S.top the “Attack”
  Password Changes
  Maintain Affected Device, Machine, System Integrity

P.reserve Evidence
  Stop Purge of Backups
  Forensics

Investigation (Continued)

O.rganize the Examination
  Forensics Scope
  Internal Reports

N.otify Individuals and/or N.ote Findings
  Data Mining and Enrichment
  Forensic Reports

D.etermine Causes
  Follow-up Analyses

Forensic Analysis

Data Involved
  Devices/Machines/Networks
  Email Archives
  System Databases
  Backups & Logs (Need to Recreate?)

Log Analysis
  Network Traffic
  Website Activity
  Email Message Tracking
  System Auditing
  Anti-Virus Reports

PII/PHI Data Mining
  Standardization and Conversion of Data
  Patterns and Terms Searching

Forensic Analysis (Continued)

Notification Lists
  Enrichment
  Address Inclusion

Remediation
  Malware or Virus Cleansing

Process & Findings
  Written Report
  Verbal Debrief

Follow-up
  Incident Response Gap Assessment
  System Changes, Access Rights, Identifiers (Account Numbers, Passwords)
  System Assessments, Security Audits, Pen Testing
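As an added illustration of the PII/PHI data mining and notification-list steps on the two Forensic Analysis slides (example code written for this page, not code from the presentation or from any of the presenting firms), the constructed Python below standardizes identifier formats in a few fabricated recovered records, searches them for patterns, de-duplicates affected individuals by MRN, and enriches each with a mailing address from a stand-in patient index; the credit-monitoring flag follows the deck's later guidance that such monitoring is only warranted when SSNs are exposed. The record layout, the pattern set and the address book are all assumptions.

```python
import re

# Constructed sample: records as they might be recovered from an export. All values
# are fabricated; formats deliberately vary to show why standardization comes first.
RECOVERED_LINES = [
    "Doe, Jane | DOB 03/14/1970 | MRN 00012345 | SSN 123-45-6789",
    "JANE DOE | dob 1970-03-14 | mrn 12345 | ssn 123456789",
    "Smith, John | DOB 07/02/1985 | MRN 00098765",
]
# Constructed address book keyed by normalized MRN (stands in for a patient master index).
ADDRESS_BOOK = {"12345": "1 Main St, Oakland CA", "98765": "2 Elm Ave, Denver CO"}
# Assumed label-then-value patterns; labels are matched case-insensitively.
PATTERNS = {
    "ssn": re.compile(r"\bssn\s*[:#]?\s*(\d{3}-?\d{2}-?\d{4})\b", re.I),
    "mrn": re.compile(r"\bmrn\s*[:#]?\s*(\d+)\b", re.I),
    "dob": re.compile(r"\bdob\s*[:#]?\s*(\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b", re.I),
}

def normalize(kind, value):
    """Standardize values so one person matches across differently formatted records."""
    if kind == "ssn":
        return value.replace("-", "")
    if kind == "mrn":
        return value.lstrip("0") or "0"
    if kind == "dob" and "/" in value:  # convert MM/DD/YYYY to ISO YYYY-MM-DD
        month, day, year = value.split("/")
        return f"{year}-{month}-{day}"
    return value

def mine_records(lines):
    """Return {mrn: set of identifier kinds found}, one entry per affected individual."""
    found = {}
    for line in lines:
        hits = {}
        for kind, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits[kind] = normalize(kind, match.group(1))
        if "mrn" in hits:  # records with no MRN are left for manual review
            found.setdefault(hits["mrn"], set()).update(hits)
    return found

def build_notification_list(found, address_book):
    """Enrich each individual with an address; flag SSN exposure as the credit-monitoring trigger."""
    rows = []
    for mrn, kinds in sorted(found.items()):
        rows.append({"mrn": mrn, "elements": sorted(kinds),
                     "address": address_book.get(mrn, "ADDRESS MISSING - manual lookup"),
                     "credit_monitoring": "ssn" in kinds})
    return rows
```

Individuals whose MRN is missing from the address book are flagged for manual lookup rather than silently dropped from the list.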

Best Practices: Breach Communications Planning

Involve the right stakeholders from the beginning
  Internal: Executives, Board, General Counsel, IT, Customer Service, Marketing
  External: Attorney, Response Vendors, Law Enforcement, Regulators, Crisis Management firm, Insurer
  Healthcare-specific contacts/regulators: HHS, OCR, etc.

Identify a decision maker for the incident, keep all stakeholders informed

Provide employee guidelines: answering customer questions, posting on social media, speaking with the media

Best Practices: Notification and Compliance

Experienced breach attorney will help ensure compliance
  FEDERAL LAW: HIPAA/HITECH notice requirements
  STATE LAW: Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands
    Example: California 5 day notification window for breaches containing certain health records

Consider reaching out to regulators proactively and keeping them informed
  A courtesy phone call goes a long way
  Focus on what you are doing to help their citizens

Best Practices: Notification and Remediation

Don’t require individuals to enroll in order to receive help

Excellent customer service and remediation rebuilds trust

Offer the appropriate identity protections for the data lost

Don’t Require Enrollment to Get Help

Enrollment requirements increase resentment, calls, complaints and usage of expensive protection features
  Consumers resent being asked to give out their information after you exposed it
  Drives higher usage of expensive protections like credit monitoring
  Regulators know that enrollment blocks 90% of consumers from receiving help

Excellent Service and Remediation Rebuilds Trust

Excellent customer service is the key to rebuilding trust
  Offer to resolve any harm that results from the breach
  Provide a call center staffed by identity theft experts
  Know if your data will be sold: Regulators are investigating data brokers

Offer Appropriate Protections

Choose protections based on the risk linked to the data
  Avoid credit monitoring unless you lose SSNs
    Not effective for PHI breaches unless SSNs involved
    Most expensive service

Training and Discipline

Training – lessons learned
  Directly address problems identified
  Emphasize pertinent policies and procedures
  Identify resources to consult

Consider discipline if there was a violation of policy or procedure
  Underscores that the institution takes it seriously
  Tension between discipline and the need for witness testimony

Preparation for Enforcement Actions and Litigation

Privilege and investigation
  The time period allowed for notices makes organizing the investigation challenging
  Counsel should be involved

Preservation of arguably relevant material and communications

Points of contact with agencies and media

Investigation materials

Relationship with other parties involved in breach (e.g., vendors)

Privacy-Related Enforcement Actions and Lawsuits on the Rise

Increase in healthcare privacy breach actions
  More medical data maintained electronically
  Data on mobile or home devices
  Mandatory notice to consumers

Increase in agency attention and enforcement
  AG unit

Statutory and nominal damages and strict liability attract class actions

Challenges in Managing Privacy Litigation

Protected medical information – protective orders

Ongoing relationships with patient plaintiffs and staff/caregivers involved in breach

Class actions
  Unsettled law
  Nominal damages – huge exposure

Impact of settlements on agencies

Media reporting

Questions and Answers

Thank You for Participating!

Gerry Hinkley, Partner, Pillsbury Winthrop Shaw Pittman LLP, Phone: 415.983.1135, [email protected]

Sarah Flanagan, Partner, Pillsbury Winthrop Shaw Pittman LLP, Phone: 415.983.1190, [email protected]

Lara Forde, Response Team Manager, AllClear ID, [email protected]

Daren Hutchison, Associate Director, Navigant Consulting, Phone: 303.383.7322, [email protected]