
Cyberhacking Data Breach: Who Is Winning the War on PHI and PII?

Linda Vincent
Principal
Vincent & Associates
San Pedro, California

6C-1


Today’s Plan of Action/Discussion

• What are the risks in data breaches
• What are your strategies when it happens
• What are resources for prevention and for protection
• Key takeaways

6C-2


Just What is Cybersecurity

• Information technology security
• Focus on protecting computers, networks, programs and data
• Prevention of unintended or unauthorized access, change or destruction.
• Everyday term—Data Breaches

6C-3


Device Management

• Have a BYOD policy and procedure in place
  – Allow no other users (family) to access the device
  – No personal work on the employer computer (banking, searching the internet)
  – Maintain a lost or stolen policy
  – Return policy if terminated or terminating
  – Employer access at any time
  – Add two-factor authentication
• All mobile devices should have encryption
• All should have anti-virus and be up to date
• All should use a VPN
• Remember, an employee can unknowingly download malware!

6C-4
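The endpoint controls on this slide (full-disk encryption, anti-virus present and current, a VPN in place) can be verified on a Windows device with a short read-only check. The script below is an added example written for this edit; it is not code from the presentation or from Vincent & Associates. It assumes a Windows 10/11 host with BitLocker and Microsoft Defender, and the 7-day signature-age threshold is a constructed value to be replaced by your own policy. Two-factor authentication is enforced at the identity provider, not on the device, so it is not checked here.

```powershell
# Added example: read-only check of the BYOD device-management controls
# listed on the slide. Assumes Windows 10/11 with BitLocker and Microsoft
# Defender. Run from an elevated PowerShell session.

$MaxSignatureAgeDays = 7   # constructed threshold; align with your own policy
$results = @()

function Add-Result($control, $passed, $detail) {
    $script:results += [pscustomobject]@{
        Control = $control
        Status  = $(if ($passed) { 'PASS' } else { 'FAIL' })
        Detail  = $detail
    }
}

# 1. Encryption: every volume reported by BitLocker should have protection On.
try {
    foreach ($vol in Get-BitLockerVolume -ErrorAction Stop) {
        Add-Result "Encryption ($($vol.MountPoint))" `
                   ($vol.ProtectionStatus -eq 'On') `
                   "ProtectionStatus=$($vol.ProtectionStatus); VolumeStatus=$($vol.VolumeStatus)"
    }
} catch {
    Add-Result 'Encryption' $false "BitLocker query failed: $($_.Exception.Message)"
}

# 2. Anti-virus: Defender enabled with real-time protection, signatures recent.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    Add-Result 'Anti-virus enabled' `
               ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) `
               "AntivirusEnabled=$($mp.AntivirusEnabled); RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Result 'Anti-virus signatures current' `
               ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
               "AntivirusSignatureAge=$($mp.AntivirusSignatureAge) days; last updated $($mp.AntivirusSignatureLastUpdated)"
} catch {
    Add-Result 'Anti-virus' $false "Defender query failed: $($_.Exception.Message)"
}

# 3. VPN: at least one VPN profile is configured for the current user.
try {
    $vpns = @(Get-VpnConnection -ErrorAction Stop)
    $detail = if ($vpns.Count -gt 0) {
        ($vpns | ForEach-Object { "$($_.Name) [$($_.ConnectionStatus)]" }) -join ', '
    } else { 'no VPN profiles found' }
    Add-Result 'VPN profile configured' ($vpns.Count -gt 0) $detail
} catch {
    Add-Result 'VPN profile configured' $false "VPN query failed: $($_.Exception.Message)"
}

# Summary table; a non-zero exit code lets a management tool flag the device.
$results | Format-Table -AutoSize
if ($results | Where-Object Status -eq 'FAIL') { exit 1 } else { exit 0 }
```

The check is deliberately read-only: it reports status and exits non-zero on any failure so it can be scheduled by endpoint-management tooling, but it changes nothing on the device. A query failure (for example, a host without the BitLocker module) is recorded as a FAIL rather than silently skipped, so a device that cannot prove its state is not treated as compliant.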


2016 Review of 6 Most Serious Cyber Threats

• Ransomware
• Mega data breaches
• Identity theft
• Smartphone insecurities
• IoT ~ The Internet of Things
• Augmented reality gaming

6C-5


Ransomware

• Will block access to your files and systems
• Allows no access until you pay
• Two types
  – Encrypting
    • Encrypts your files with a cryptographic algorithm—the decryption key is withheld—Pay up
  – Lockers
    • Locks you out of the system—Pay or no access
• The ransom demand is usually in Bitcoin
  – If you don’t pay within the specified period, the demand may double, or you may never regain access
  – Bitcoin (CNN Money) a currency that was created in 2009 by an unknown person using the alias Satoshi Nakamoto. Transactions are made with no middle men—Meaning, no banks! There are no transaction fees and no need to give your real name.

6C-6


Healthcare Now THE Most Targeted by Ransomware

• Earlier this year—Hollywood Presbyterian
  – No data backup
  – Used paper and pencil for 10 days
  – Finally resorted to paying ransom for access - $17,000
  – FBI suggests not to
• Chino Valley and Desert Valley in CA both got hit this year as well
• Methodist Hospital in Kentucky also fell to ransomware (‘Locky’)

6C-7


Just What are Botnets and Their Threat in Spreading Malware and Creating Data Breaches

• Botnets are a collection of computerized devices under the control of an attacker
• These devices are infected with malware and are thus remotely controlled
• They can spread spam, malware and viruses, and launch DoS attacks
• They are also called a zombie army ~ today’s largest threat in the digital universe

6C-8


4 Steps to Prevent Botnets From Attacking Your System

1. Use a different password for each and every account
2. Install effective anti-malware software—Keep it up to date
3. Avoid downloading and running pirated software
4. Don’t be afraid to seek professional help

There is legislation called the Botnet Prevention Act—It’s not having success.

6C-9


Data Breach Dangers

• Data often includes names, DoB, social security numbers, credit card accounts and numbers, healthcare information
• The difficulty lies in a health plan breach being harder to detect than a credit card breach
• Medical files have more info and a longer ‘shelf life’, so they are more valuable
  – The ‘Dark Web’ gets 10-20 times more cash for medical information than for credit cards
• Wikipedia: The dark web is the World Wide Web content that exists on darknets, overlay networks which use the public Internet but which require specific software, configurations or authorization to access. The dark web forms a small part of the deep web, the part of the Web not indexed by search engines
• Consider who is maintaining data, and how it’s protected

6C-10


Data Protection is a Fiduciary Duty

• Employers must understand that protecting health plan information is their duty
• Create a plan for protecting information on and off site, and identify who the 3rd party vendors are
• Create a record for the protection plan
• Involve the IT department at every level

6C-11


HHS has Initiated Phase Two of Audits

• New HIPAA compliance audits are happening
• First phase is about covered entities
• Next focus will be on Business Associates
• Must maintain written privacy and security policies
• Case report: University of Miss. Med. Center—$2.75 Million settlement

6C-12


Case of HIPAA Violations: UMMC

• Began with unsecured electronic protected health information (‘ePHI’)
• Affected 10,000 individuals
• Investigation by OCR (Office for Civil Rights) found that UMMC had been aware of risks and vulnerabilities in its own systems since 2005
• No risk management until the breach occurred
  – Organizational deficiencies and oversight were lacking
• Agreed to the violations of HIPAA and settled for $2,750,000
• Must adopt a corrective action plan for compliance
  – Including unique user names
  – Notification of each individual whose information was accessed, acquired, used or disclosed

6C-13


5 Most Common HIPAA Violations

1. Lack of Business Associate agreements
2. ePHI-mobile devices and apps compliance
3. Healthcare data security-transmission security
4. Workforce security
5. Data Management/Recovery Plan
  – Disposing of information
  – Data backup security

6C-14


IDRC 2016 Data Breach Report

• As of 7.19.16, Total breaches: 538
• Total records: 12,993,474
• In 2015—277 breaches exposed 112 MILLION records
• Still over 400+ days in being reported
• Medical Identity Theft occurs in nearly 25% of cases

6C-15


What is Medical Identity Theft?

Medical Identity Theft occurs when someone uses your personal information to:
• Fraudulently procure medical services
• Improperly acquire prescription drugs
• Submit fake billings to Medicare or private insurers
• Obtain expensive medical equipment

6C-16


Impact of Medical Identity Theft

• Death
• Medical records in shambles
• Physical harm
• Credit issues
• Employment issues
• On the hook for thousands of dollars
• Long term recovery and dispute resolution

6C-17


Cyber Liability Insurance

• Insurance is a cost-effective solution.
• Work with a broker who understands it.
• Premiums for coverage are now very affordable for most plans.
• Learn about cyber policy exclusions and endorsements.
• Understand where mobile devices fit into the plan.
• A benefit plan’s other insurance policies do not provide the needed protection, since those policies were not designed for these exposures.

6C-18


Cyber Liability Policies per NAIC (National Association of Insurance Commissioners)

• Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.

• The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.

• The costs associated with restoring, updating or replacing business assets stored electronically.

• Business interruption and extra expense related to a security or privacy breach.

• Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.

• Expenses related to cyber extortion or cyber terrorism.

• Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.

6C-19


The Purpose of Cyber Liability Insurance

• Used to protect plan assets
• Helps meet legal obligations
• Provides various professionals to assist in handling a data breach event
• Offers participants certain protections

6C-20


Comprehensive Coverage!

• Provides partial to full transfer of the risk that risk assessments and IRPs (internal response programs) do not eliminate
• Provides experienced professionals
• Provides data-packed web sites to help create a robust internal control environment
• Provides first-party cost coverage not available in other policies
• Protects against third-party liability

6C-21


Current State of the Market

• Evolving coverage; broader and cheaper
• Many carriers; many approaches
• Different risk appetites; size/complexity
• Modular; buy only the coverage you need

6C-22


Cyber Liability Carriers

• Travelers
• AIG
• Chubb
• Hiscox Business Insurance
• Lockton Companies
• Check your own D and O carrier

6C-23


Steps to Take when Breach Occurs

• Respond to allegations
• Provide copies of documents related to the internal investigation and risk assessment
• Provide policies and procedures regarding PHI uses, safeguards and disclosure
• Provide Business Associate agreements
• Provide documents of network scans or testing
• Provide access management policy
• Provide security awareness and training materials
• Give evidence of anti-virus software, access controls, password management

6C-24


How to Remove Malware

1. Go to safe mode
2. Delete all temp files
3. Download malware scanners
  – Kaspersky
  – Malwarebytes
  – SUPERAntiSpyware
  – Bitdefender
4. Run a scan with the malware scanner
5. Go back to normal operations mode

6C-25


Educational Resources

• Heimdal Security ~ https://heimdalsecurity.com
• Bloomberg BNA ~ www.bna.com
• DataBreach Today ~ http://www.databreachtoday.com
• CISCO ~ www.cisco.com/c/en/us/index.html
• United States Computer Emergency Team ~ https://www.us-cert.gov/ncas/alerts
• Department of Homeland Security-Cyber ~ https://www.dhs.gov/office-cybersecurity-and-communications
• American Hospital Association Solutions ~ AHA.org
• The Identity Advocate/Vincent & Associates ~ www.theidentityadvocate.com

6C-26


Key Takeaways

• Act Now
• Test systems now
• Always back up your data
• Review all business associate agreements
• Know the greatest liability is still your employees, despite hackers
• Implement cyber liability insurance

6C-27


Questions?

Thank you!

6C-28