
Page 1: Healthcare Cyber Security Webinar

PRESENTED BY HEALTH CARE MANAGEMENT & ARTHUR J. GALLAGHER RISK MANAGEMENT SERVICES

JANUARY 23, 2013

Healthcare Cyber Security

Page 2

AJG & HCM

Arthur J. Gallagher

Arthur J. Gallagher & Co., one of the world's largest insurance brokerage and risk management services firms, provides a full range of retail and wholesale property/casualty (P/C) brokerage and alternative risk transfer services globally, as well as employee benefit brokerage, consulting and actuarial services. Gallagher also offers claims and information management, risk control consulting and appraisal services to clients around the world.

Health Care Management

Health Care Management is a cutting-edge medical and technology consulting firm that specializes in improving your practice's efficiency and cutting costs by outsourcing practice management, medical billing and technology services, using CCHIT Certified EMR software, network monitoring technologies and highly trained specialists.

Page 3

Speakers

Jill Jordan, Joe Dylewski

Joe is a twenty-five year Information Technology veteran, with ten years spent exclusively in the Healthcare Industry. In addition to holding positions as an Infrastructure Project Manager and Healthcare IT Infrastructure Specialist responsible for Local Area Network, Wide Area Network, and Telephony Services, Joseph has also served as a Healthcare IT Services Practices Director and Account Manager. During that time, he led teams that executed successful high-impact, large-dollar projects for Electronic Medical Record and HIPAA Compliance implementations across multiple Healthcare Providers and Payers in Michigan. He leveraged that experience to develop a cost-effective, time-efficient, and repeatable model to assist in the assessment and remediation of HIPAA compliance for Covered Entities and Business Associates of all sizes. Joseph earned his Bachelor of Business Administration in Information Technology and his Master's degree in Mathematics from Eastern Michigan University. He also holds the following certifications: Certified HIPAA Professional, HIPAA Certified Security Specialist, and Information Technology Infrastructure Library Foundation. Joe is an Assistant Professor at Madonna University, is frequently invited as a subject matter expert in speaking engagements, and is viewed as a national thought leader in Physician Practice and Business Associate HIPAA compliance.

Jill is a National Resource for Cyber Risk & Professional Liability for Arthur J. Gallagher Risk Management Services, Inc. with focus on the Midwest Region. Jill manages and produces a diverse book of Professional Liability accounts consisting of Technology Errors & Omissions, Cyber Risk, and Media Liability.

Jill has over 11 years' experience as an insurance broker and has been with the Cyber Risk Group of Arthur J Gallagher for the last five and a half years. Jill began her career with Arthur J Gallagher in the Houston, TX office, working on property and casualty middle market and risk management accounts with a focus on the Energy Industry.

Jill earned her BA in general studies from Louisiana State University. She is also a member of the Professional Liability Underwriters Society (PLUS).

Page 4

Environment

HIPAA 101

• HIPAA – Health Insurance Portability and Accountability Act of 1996
• Insurance Portability
• Fraud Prevention
• Administrative Simplification
• Privacy of Protected Health Information (PHI)
• Security of Protected Health Information

Page 5

HIPAA – Title II

HIPAA Title II: Administrative Simplification
• Electronic Data Interchange (Transaction and Code Sets)
• Privacy Rule
• Security Rule
  – Administrative Safeguards
  – Physical Safeguards
  – Technical Safeguards

Page 6

Security Rule

The HIPAA Security Rule focuses on the Confidentiality, Integrity and Availability of Protected Health Information.

Page 7

Where is the PHI?

(The slide is a diagram of the places PHI is stored and the parties it flows through:)
• Private Cloud / Data Center
• Health Information Exchange (HIE)
• EMR
• Physician Practice
• IT Services
• Document Destruction
• Insurance Company
• Health System
• Lab
• DR Site

© 2012 Health Care Management

Page 8

The HITECH Act

• HITECH – The Health Information Technology for Economic Recovery and Reinvestment Act of 2009
• Began in 2004 with the Bush Administration vision for Electronic Health Records by 2014
• Signed into law February 17, 2009 as a portion of ARRA
• Appropriated $44,000 to $63,000 to be provided as individual reimbursement to physicians who adopt and “meaningfully use” Electronic Medical Records
• The disbursement schedule for ARRA funds began in 2011 and is staggered across five years

Page 9

HIPAA Enforcement

HIPAA Now Has Teeth: Fines and Enforcement

• Maximum fines raised from $25K to $1.5M
• Enforced by the Office for Civil Rights (OCR)
• Currently building HIPAA audit candidate target list
• Fines collected fund and support the enforcement process
• Funds appropriated within HITECH to develop enforcement efforts within State Attorney General offices
• Practitioners face maximum OCR fines of $50,000 for falsely attesting to Meaningful Use (M.U.) Measure #15
• Ignorance no longer tolerated

Page 10

Compliance Effort vs. Risk

(The slide charts the HIPAA violation categories against compliance effort and compliance risk:)
• “By exercising reasonable diligence would not have known”
• “Due to Willful Neglect if the violation is not corrected”
• “Due to Willful Neglect if the violation is corrected”
• “Due to Reasonable Cause and not Willful Neglect”

Chart axes: Increasing Degree of HIPAA Compliance Effort; Decreasing Degree of HIPAA Compliance Risk

Page 11

OCR Audits and Current Activity

• HIPAA Audits
• Audit Protocol
• Audit Identification and Rollout
• Audit Triggers: Self-reported Breach, Patient Complaint, Random Audit

Page 12

Cyber Security Trends

Publicized breaches reported annually and records exposed, by year:

Year   Publicized Breaches Reported   Records Exposed
2012   310 (as of 9/25/12)            9,235,228
2011   414                            22,945,773
2010   662                            16,167,542
2009   498                            222,477,043
2008   656                            35,691,255
2007   448                            127,000,000 (94 Million from TJX incident)

Breaches by industry (share of breaches / share of records exposed):

Industry            2012            2011            2010            2009            2008            2007
Financial/Banking   3.2% / 2.3%     7.0% / 2.7%     8.2% / 30%      11.4% / 0%      11.9% / 52.5%   7%* / 6.9%
Educational         14.8% / 19.1%   14.3% / 3.6%    9.8% / 9.9%     15.7% / 0.4%    20% / 2.3%      24.9% / 1%
Govt./Military      11% / 20.4%     11.4% / 43.7%   15.7% / 7.5%    18.1% / 35.7%   16.8% / 8.3%    24.7% / 6.4%
Medical/Healthcare  34.2% / 20.5%   16.3% / 20.5%   24.2% / 11.6%   13.7% / 5.1%    14.8% / 20.5%   14.5% / 3.1%
All Other Business  36.8% / 37.7%   46.9% / 33.7%   42% / 41%       41.2% / 58.9%   36.6% / 16.5%   28.9% / 82.6%

* The slide labels the 2007 Financial/Banking share of breaches as “7% of Records”; the five 2007 industry shares of breaches sum to 100% with this value, so it is shown in the breaches position here.

Page 13

Causes of a Breach

• 39% Negligence
• 24% System Failure
• 37% Malicious or Criminal Acts

Page 14

Major Risk Concerns

• Human Error
• Hackers
• Rogue Employees
• Independent Contractors
• Social Media
• Mobile Devices
• A Changing Regulatory Environment
• Cloud Computing

Page 15

Response Cost Per Record

$15 for Notification

$13 for Discovery / Forensics / Legal Expenses

$35 for Credit Monitoring and ID Theft Services

Page 16

Estimated Total Cost of a Breach

$194 per record – estimated average cost of a security/privacy breach (includes response costs, defense and damages)

$5.5M total cost per breach

15% of total cost – average cost to defend a claim

Source: 2011 Annual Study: U.S. Cost of a Data Breach, by the Ponemon Institute, LLC; sponsored by Symantec

Page 17

Cyber Liability – Coverage Descriptions

Security & Privacy Liability covers the defense costs and damages arising from the failure to prevent:
• Unauthorized access to the Insured’s computer system and use of data by an outsider (hacker).
• Unauthorized access and/or use of confidential information by an employee.
• Theft or loss of data (electronic or paper).
• Transmission of malicious code.

Privacy Regulatory Action covers:
• Investigative costs for a civil demand or proceeding, arising from a security breach, brought by or on behalf of a governmental agency, including requests for information related thereto.
• Fines & penalties where insurable by law.

Breach Response covers the expenses incurred within one year of a security breach for:
• Investigation, including computer forensics, to determine the cause of the security breach.
• Hiring a crisis management and/or public relations firm.
• Notifying potential victims of the breach as required by state law.
• Credit monitoring for potential victims.
• Identity Theft services, including identity restoration.

Page 18

Coverage Descriptions Cont.

Media Liability covers the defense costs and damages arising from an error or omission in the creation or distribution of content for:
• Personal Injury – including defamation, slander, invasion of privacy and emotional distress.
• Intellectual Property Infringement – including copyright, domain name, title, slogan, trademark and trade name (excludes patent infringement).

Cyber Extortion covers the investigation expenses and payments made to a party threatening to attack the Insured’s computer system or to release, use or destroy confidential information.

Network Interruption covers the expenses for lost income from an interruption to the Insured’s computer system as a result of a security breach.

Data Recovery/Restoration covers the expenses incurred to restore, recreate or recollect electronic data damaged or lost by a security breach.

Page 19

So What Can You Do?

Prevention
• Having a proper risk assessment done
• Following through with assessment recommendations
• Being adamant about precautionary measures

Preparation
• Having a Cyber policy put into effect
• Having the right limits and coverage in place
• Having a plan of action ready to go

Page 20

Questions?