TRANSCRIPT: Managing HIPAA Data Breaches
Managing HIPAA Data Breaches
William J. Roberts, Esq.
June 15, 2016
© Shipman & Goodwin LLP 2016. All rights reserved.
Agenda
• What are the Risks of a Breach?
• Identifying Internal Threats
• Identifying External Threats
• Responding to a Data Breach
2
Data Breaches by the Numbers
• $6.5 million – average cost of a data breach
• 11% – increase in cost between 2014 and 2015
• $217 – average cost per lost or stolen record
• 112 million – number of individuals (U.S. only) affected by a healthcare data breach in 2015
• 432 million – number of hacked accounts (U.S. only) in 2014
Sources: (1) 2015 Cost of Data Breach Study: United States, Ponemon Institute Research; (2) Data Breaches In Healthcare Totaled Over 112 Million Records In 2015, Forbes, 12/31/2015
3
Data Breaches
• Breaches are increasing in sophistication, frequency and severity
• Healthcare is a primary target of breach activity and is subject to heightened government scrutiny and enforcement
• Threats can be categorized in two ways:
  - External
  - Internal
4
Identifying Internal Threats
• Insider threats are twofold:
  - “Malicious Insider” – wishes to do harm to the company
    - Can be employee theft for personal or business gain
    - Terminated employees taking data
    - Accessing data outside the scope of employment
    - Employees purposely misusing data
5
Identifying Internal Threats
• Insider threats are twofold:
  - “Careless” or “Negligent” Insider
    - No ill will, but through carelessness, negligence or lack of training, creates openings for data loss
    - Study: “The Human Factor in Data Protection” (http://www.ponemon.org/local/upload/file/The_Human_Factor_in_data_Protection_WP_FINAL.pdf)
    - Employees are likely the greatest threat to PHI
    - Includes lost files, laptops, mobile devices
6
Identifying External Threats
• External threats take two forms –
  - An attack on your information systems or theft of physical files, or
  - An attempt to trick an employee to divulge sensitive information
7
Cybersecurity – The Stats
• Average annual number of cybersecurity incidents: 80 to 90 million
• Increase in cybersecurity incidents from 2014–2015: 38%
• Projected global cost of cyber attacks in 2019: 2.1 trillion US dollars
Source: http://expandedramblings.com/index.php/cybersecurity-statistics/
8
It’s Phishing Season!
• “Phishing” is an attempt to use email to trick a recipient into disclosing personal information, such as financial account information
• We are seeing increased sophistication and volume of attempts
https://blog.cyveillance.com/cyveillance-phishing-report-top-targets-june-22-2015/
9
Masquerading
• “Masquerading” is a scam in which the perpetrator assumes the identity of a known, trusted colleague to trick the colleague into taking some action, often sending employee or financial data or wiring funds
10
A Ransom for Your Data
• A ransomware attack is one in which a perpetrator assumes control of your data and will not release it until payment is made (or threatens to further disclose it unless payment is made)
• Payment is often requested in bitcoin
11
You’ve Been Hacked
• Hacking attempts are increasingly common in all industry sectors
• Healthcare, education, government, retail and finance are the most popular targets
• Small entities are just as likely (if not more likely) to be targets as large, well-known corporations
Source: Indianapolis Star, 12/15/14
12
Responding to a Data Breach
Discovery → Investigation → Notification(s) → Mitigation → Damage Control
13
Discovery
• Reporting Structure:
  - Incident notification policy
  - Employee/staff training
  - Culture of transparency, not fear
  - Consider mock breaches
• Need to have a breach response plan in place to guide response. Consider:
  - The Right Team: IT, compliance, HR, patient/public relations, legal counsel
  - Back-ups for each key, responsible individual (e.g. leave, vacation)
14
Investigation
• The covered entity must investigate the report of the breach without delay
  - Attorney-client privilege is vital to protect your interests
  - Have external resources lined up ahead of time: PR, forensic IT, law enforcement contacts, external counsel
  - Only involve the necessary parties – confidentiality is important
15
Notification to Individuals
• Rule: Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information
  - Notice must be written and sent by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically
  - Notice must be provided without unreasonable delay and in no case later than 60 days following discovery
  - Notice must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information
16
Notification to Individuals
• Consider:
  - Develop communication lines – toll-free number, email, postal address
  - Who will respond to inquiries? Internal resources sufficient or call center needed?
  - FAQs
  - Language and disability concerns?
  - Minors?
  - Decedents?
  - Can you handle the communications in-house?
17
Substitute Notice
• Rule: Insufficient or out-of-date contact information for:
  - 10 or more individuals – the covered entity must provide substitute notice by either posting the notice on the home page of its website for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside
    - Must include a toll-free phone number that remains active for at least 90 days where individuals can learn if their information was involved in the breach
  - Fewer than 10 individuals – the covered entity may provide substitute notice by an alternative form of written notice, by telephone, or other means
18
Notification to the Media
• Rule: Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets
  - Often in the form of a press release
  - Without unreasonable delay and in no case later than 60 days following discovery
  - Must include the same information required for the individual notice
• Consider:
  - PR professional assistance
  - Media talking points
  - Media point person – who speaks for your organization (and who does not)
  - Controlling the message / coordinating with employees
  - Be cognizant of media leaks / stealth inquiries
19
Notification to HHS
• Rule: Covered entities must notify HHS by submitting a breach report form online
  - 500 or more individuals: covered entities must notify HHS without unreasonable delay and in no case later than 60 days following a breach
  - Fewer than 500 individuals: the covered entity may notify HHS of such breaches on an annual basis, due to HHS no later than 60 days after the end of the calendar year in which the breaches are discovered
• Consider:
  - Accuracy is vital
  - Summary statement may have significant consequences
20
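The notification rules on the preceding slides (individual notice, substitute notice, media notice and the HHS report) combine into one decision procedure with thresholds and deadlines. The following Python is an added example, not part of the presentation: it turns those slide thresholds into a dated checklist. The breach figures, the per-state breakdown and the `plan_summary` helper are constructed for illustration.

```python
# Added example (not part of the presentation): a planner that turns the
# thresholds and deadlines stated on the notification slides into a dated
# checklist. All breach figures used with it are constructed.
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)  # "in no case later than 60 days following discovery"
SUBSTITUTE_NOTICE_MIN = 10          # 10 or more individuals with bad contact info
MEDIA_RESIDENTS_MIN = 501           # "more than 500 residents of a state or jurisdiction"
HHS_IMMEDIATE_MIN = 500             # "500 or more individuals"


@dataclass(frozen=True)
class Breach:
    discovered: date
    affected: int             # individuals whose unsecured PHI was involved
    residents_by_state: dict  # state -> number of affected residents
    bad_contact_info: int     # individuals with insufficient or out-of-date contact info


@dataclass(frozen=True)
class Obligation:
    recipient: str
    method: str
    due: date


def notification_plan(b: Breach) -> list:
    """Notifications the slides require for this breach, each with its due date."""
    due = b.discovered + NOTICE_WINDOW
    plan = [Obligation("affected individuals",
                       "written notice by first-class mail (e-mail if the individual agreed)", due)]
    # Substitute notice: the permitted form depends on how many people cannot be reached.
    if b.bad_contact_info >= SUBSTITUTE_NOTICE_MIN:
        plan.append(Obligation("individuals with insufficient contact info",
                               "home-page posting or major media for 90 days, "
                               "plus a toll-free number active for 90 days", due))
    elif b.bad_contact_info > 0:
        plan.append(Obligation("individuals with insufficient contact info",
                               "alternative written notice, telephone, or other means", due))
    # Media notice is triggered per state/jurisdiction, not by the breach total.
    for state, n in sorted(b.residents_by_state.items()):
        if n >= MEDIA_RESIDENTS_MIN:
            plan.append(Obligation(f"prominent media outlets in {state}",
                                   "press release with the same content as the individual notice", due))
    # HHS: immediate report at 500 or more, otherwise the annual log.
    if b.affected >= HHS_IMMEDIATE_MIN:
        plan.append(Obligation("HHS", "online breach report form", due))
    else:
        year_end = date(b.discovered.year, 12, 31)
        plan.append(Obligation("HHS", "annual breach log via the online form", year_end + NOTICE_WINDOW))
    return plan


def plan_summary(discovered_iso: str, affected: int, residents_by_state: dict, bad_contact_info: int) -> list:
    """Convenience wrapper (assumed): ISO date string in, (due ISO date, recipient, method) tuples out."""
    b = Breach(date.fromisoformat(discovered_iso), affected, residents_by_state, bad_contact_info)
    return [(o.due.isoformat(), o.recipient, o.method) for o in notification_plan(b)]
```

Note that the media trigger ("more than 500 residents of a state") and the HHS trigger ("500 or more individuals") differ by one, so a breach of exactly 500 people in one state reaches HHS immediately but not the media.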
Other Notification Obligations?
• Depending upon your sector, contractual arrangements or location, consider the following additional notifications that may be necessary:
  - State Attorney General(s)
  - State regulatory agencies (e.g. Departments of Health, Insurance or Consumer Protection)
  - Business partners (e.g. HIEs, affiliates)
  - Departments of Education (state and federal)
  - Political stakeholders (esp. if governmental entity)
  - Funders (look to grants, donors)
  - Employees (e.g. email, Intranet posting)
21
Thoughts on BA Breaches
• At times, a breach is caused by or occurs at your business associate. When planning for and responding to such a breach, consider:
  - BAA reporting, cooperation, mitigation and liability issues – is the BAA your friend or foe?
  - Who should notify?
  - Control of messaging
22
Mitigation
• Rule: A covered entity must take reasonable steps to mitigate harm to individuals caused by the breach
  - HIPAA is light on specifics but state laws are now mandating certain measures
• Consider:
  - What information can you provide to affected parties?
  - Credit monitoring – when? Required by law?
  - Credit counseling, identity theft recovery services
  - Identity theft insurance
23
Damage Control
• A data breach may inflict significant financial, operational and reputational costs on a company. Employee morale and confidence may also suffer. Develop a plan for:
  - Responding to questions and concerns from current and former employees, patients or customers
  - Handling inquiries from relevant business partners
  - Managing the company’s reputation in the business and consumer communities
24
Legal Risks
• Lawsuits Can and Will Come from Six Sources:
  - Consumers
  - Insurers
  - Financial Institutions
  - Shareholders
  - Employees
  - Government
25
Government Enforcement
• A HIPAA breach may result in enforcement actions from state attorneys general and the HHS Office for Civil Rights (OCR)
• In some instances, other enforcement agencies, including consumer protection, health, education or insurance departments, may have jurisdiction
  - Key – a HIPAA breach often violates other state and federal laws, meaning more opportunities for enforcement
26
Legal Risks and Government Enforcement
• Need to prepare for the following from “Day One”:
  - OCR investigation and enforcement action
  - Attorney General investigation and enforcement action
  - Lawsuits from patients, customers, business partners
• Everything you do from preparing for the breach to your response to it is in preparation for these enforcement actions and lawsuits
27
Penalties
• Recent changes to the law have significantly increased the penalties for violating HIPAA:
  - Four tiers of civil monetary penalties ranging from $100 per violation to $1.5 million per violation
  - Criminal penalties: up to $250,000 in fines and up to 10 years in prison
• Both the covered entity and individual employees can be penalized for violating HIPAA
• Breaches may also result in costly consent orders or corrective action plans, lawsuits and additional penalties from state enforcement actions
28
Learn from Others
• In 2014, New York-Presbyterian Hospital and Columbia University entered into a settlement for $4.8M for failing to secure patient info
• Gov’t concluded the companies:
  - Lacked technical safeguards
  - Failed to conduct accurate risk analyses
  - Failed to develop adequate risk management plans to address potential security threats
29
Questions + Contact Information
William J. Roberts, Chair, Privacy + Data Protection
Tel: [email protected]
Cartoon source: The New Yorker, Sept. 8, 2015
“Bad news, captain. The ship’s computer has been sharing all our personal data with the Romulans.”
30
© 2007-2016
855-85-HIPAA www.compliancygroup.com
Need Help With HIPAA Compliance?
§ The Guard • Total Compliance Solution • Simple • Cost-effective • Compliance with Confidence
§ Support – We work with you • Compliance Coaching • HIPAA Hotline • Education • Culture of Compliance
§ Contact Us • 855 85 HIPAA (855-854-4722) • www.CompliancyGroup.com
• Incident Management
• Audits: SRA (Security Risk Assessment), Administrative, Privacy
• Remediation Plans
• Policies, Procedures & Training
• Business Associate Management
• Document Version
• Employee Attestation & Tracking
31