healthcare cyber security webinar
TRANSCRIPT
PRESENTED BY HEALTH CARE MANAGEMENT
& ARTHUR J. GALLAGHER RISK
MANAGEMENT SERVICES
JANUARY 23, 2013
Healthcare Cyber Security
AJG & HCM
Arthur J. Gallagher
Arthur J. Gallagher & Co., one of the world's largest insurance brokerage and risk management services firms, provides a full range of retail and wholesale property/casualty (P/C) brokerage and alternative risk transfer services globally, as well as employee benefit brokerage, consulting and actuarial services. Gallagher also offers claims and information management, risk control consulting and appraisal services to clients around the world.
Health Care Management
Health Care Management is a cutting-edge medical and technology consulting firm that specializes in improving your practice's efficiency and cutting costs by outsourcing practice management, medical billing and technology services, using CCHIT Certified EMR software, network monitoring technologies and highly trained specialists.
Speakers
Joe Dylewski
Joe is a twenty-five year Information Technology veteran, with ten years spent exclusively in the Healthcare Industry. In addition to holding positions as an Infrastructure Project Manager and Healthcare IT Infrastructure Specialist responsible for Local Area Network, Wide Area Network, and Telephony Services, Joseph has also served as a Healthcare IT Services Practices Director and Account Manager. During that time, he and his teams led and executed successful high-impact, large-dollar projects for Electronic Medical Record and HIPAA Compliance implementations across multiple Healthcare Providers and Payers in Michigan. He leveraged that experience to develop a cost-effective, time-efficient, and repeatable model to assist in the assessment and remediation of HIPAA compliance for Covered Entities and Business Associates of all sizes. Joseph earned his Bachelor of Business Administration in Information Technology and his Master's degree in Mathematics from Eastern Michigan University. He also holds the following certifications: Certified HIPAA Professional, HIPAA Certified Security Specialist, and Information Technology Infrastructure Library (ITIL) Foundation. Joe is an Assistant Professor at Madonna University, is frequently invited as a subject matter expert for speaking engagements, and is viewed as a national thought leader in Physician Practice and Business Associate HIPAA compliance.
Jill Jordan
Jill is a National Resource for Cyber Risk & Professional Liability for Arthur J. Gallagher Risk Management Services, Inc., with a focus on the Midwest Region. Jill manages and produces a diverse book of Professional Liability accounts consisting of Technology Errors & Omissions, Cyber Risk, and Media Liability.
Jill has over 11 years' experience as an insurance broker and has been with the Cyber Risk Group of Arthur J. Gallagher for the last five and a half years. Jill began her career with Arthur J. Gallagher in the Houston, TX office, working on property and casualty middle-market and risk management accounts with a focus on the Energy Industry.
Jill earned her BA in General Studies from Louisiana State University. She is also a member of the Professional Liability Underwriters Society (PLUS).
Environment
HIPAA 101
• HIPAA – Health Insurance Portability and Accountability Act of 1996
• Insurance Portability
• Fraud Prevention
• Administrative Simplification
• Privacy of Protected Health Information (PHI)
• Security of Protected Health Information
HIPAA – Title II
HIPAA Title II: Administrative Simplification
• Electronic Data Interchange (Transaction and Code Sets)
• Privacy Rule
• Security Rule
  – Administrative Safeguards
  – Physical Safeguards
  – Technical Safeguards
Security Rule
The HIPAA Security Rule focuses on the Confidentiality, Integrity and Availability of Protected Health Information.
Where is the PHI?
• Private Cloud / Data Center
• Health Information Exchange (HIE)
• EMR
• Physician Practice
• IT Services
• Document Destruction
• Insurance Company
• Health System
• Lab
• DR Site
© 2012 Health Care Management
The HITECH Act
• HITECH – The Health Information Technology for Economic Recovery and Reinvestment Act of 2009
• Began in 2004 with the Bush Administration's vision for Electronic Health Records by 2014
• Signed into law February 17, 2009 as a portion of ARRA
• Appropriated $44,000 to $63,000 to be provided as individual reimbursement to physicians who adopt and “meaningfully use” Electronic Medical Records
• The disbursement schedule for ARRA funds began in 2011 and is staggered across five years
HIPAA Enforcement
HIPAA Now Has Teeth: Fines and Enforcement
• Maximum fines raised from $25K to $1.5M
• Enforced by the Office for Civil Rights (OCR)
• OCR is currently building a HIPAA audit candidate target list
• Fines collected fund and support the enforcement process
• Funds appropriated within HITECH to develop enforcement efforts within the State Attorney General's Office
• Practitioners face maximum OCR fines of $50,000 for falsely attesting to Meaningful Use (M.U.) Measure #15
• Ignorance is no longer tolerated
Compliance Effort vs. Risk
HIPAA violation categories (in increasing order of culpability):
• “By exercising reasonable diligence would not have known”
• “Due to Reasonable Cause and not Willful Neglect”
• “Due to Willful Neglect if the violation is corrected”
• “Due to Willful Neglect if the violation is not corrected”
Increasing Degree of HIPAA Compliance Effort
Decreasing Degree of HIPAA Compliance Risk
OCR Audits and Current Activity
HIPAA Audits
• Audit Protocol
• Audit Identification and Rollout
• Audit Triggers: Self-reported Breach, Patient Complaint, Random Audit
Cyber Security Trends

Year  Publicized Breaches Reported Annually  Records Exposed
2012  310                                    9,235,228 (as of 9/25/12)
2011  414                                    22,945,773
2010  662                                    16,167,542
2009  498                                    222,477,043
2008  656                                    35,691,255
2007  448                                    127,000,000 (94 Million from TJX incident)

Breaches by Industry, per year (% of Breaches / % of Records):

Industry            2012           2011           2010           2009           2008           2007
Financial/Banking   3.2% / 2.3%    7.0% / 2.7%    8.2% / 30%     11.4% / 0%     11.9% / 52.5%  7% / 6.9%
Educational         14.8% / 19.1%  14.3% / 3.6%   9.8% / 9.9%    15.7% / 0.4%   20% / 2.3%     24.9% / 1%
Govt./Military      11% / 20.4%    11.4% / 43.7%  15.7% / 7.5%   18.1% / 35.7%  16.8% / 8.3%   24.7% / 6.4%
Medical/Healthcare  34.2% / 20.5%  16.3% / 20.5%  24.2% / 11.6%  13.7% / 5.1%   14.8% / 20.5%  14.5% / 3.1%
All Other Business  36.8% / 37.7%  46.9% / 33.7%  42% / 41%      41.2% / 58.9%  36.6% / 16.5%  28.9% / 82.6%
Causes of a Breach
• 39% Negligence
• 24% System Failure
• 37% Malicious or Criminal Acts
Major Risk Concerns
• Human Error
• Hackers
• Rogue Employees
• Independent Contractors
• Social Media
• Mobile Devices
• A Changing Regulatory Environment
• Cloud Computing
Response Cost Per Record
$15 for Notification
$13 for Discovery / Forensics / Legal Expenses
$35 for Credit Monitoring and ID Theft Services
Estimated Total Cost of a Breach¹
$194 per record - estimated average cost of a security/privacy breach (includes response costs, defense and damages)
$5.5M total cost per breach
15% of total cost - average cost to defend a claim
¹ 2011 Annual Study: U.S. Cost of a Data Breach, by the Ponemon Institute, LLC; sponsored by Symantec
Cyber Liability – Coverage Descriptions
Security & Privacy Liability
Covers the defense costs and damages arising from the failure to prevent:
• Unauthorized access to the Insured’s computer system and use of data by an outsider (hacker).
• Unauthorized access to and/or use of confidential information by an employee.
• Theft or loss of data (electronic or paper).
• Transmission of malicious code.
Privacy Regulatory Action
Covers:
• Investigative costs for a civil demand or proceeding, arising from a security breach, brought by or on behalf of a governmental agency, including requests for information related thereto.
• Fines & penalties where insurable by law.
Breach Response
Covers the expenses incurred within one year of a security breach for:
• Investigation, including computer forensics, to determine the cause of the security breach.
• Hiring a crisis management and/or public relations firm.
• Notifying potential victims of the breach as required by state law.
• Credit monitoring for potential victims.
• Identity Theft services, including identity restoration.
Coverage Descriptions Cont.
Media Liability
Covers the defense costs and damages arising from an error or omission in the creation or distribution of content for:
• Personal Injury – including defamation, slander, invasion of privacy and emotional distress.
• Intellectual Property Infringement – including copyright, domain name, title, slogan, trademark and trade name (excludes patent infringement).
Cyber Extortion
Covers the investigation expenses and payments made to a party threatening to attack the Insured’s computer system or to release, use or destroy confidential information.
Network Interruption
Covers the expenses for lost income from an interruption to the Insured’s computer system as a result of a security breach.
Data Recovery/Restoration
Covers the expenses incurred to restore, recreate or recollect electronic data damaged or lost by a security breach.
So What Can You Do?
Prevention
• Having a proper risk assessment done
• Following through with assessment recommendations
• Being adamant about precautionary measures
Preparation
• Having a Cyber policy put into effect
• Having the right limits and coverage in place
• Having a plan of action ready to go
Questions?