jackson walker l.l.p. 2323 ross ave., suite 600 dallas, texas … · 2017. 8. 25. · lessons from...
Lessons from Breach Street: What you can learn from recent HIPAA enforcement actions
Jeffery P. Drummond
Jackson Walker L.L.P.
2323 Ross Ave., Suite 600
Dallas, Texas 75201
[email protected] • 214-953-5781
www.hipaablog.blogspot.com
A brief history of HIPAA
• 1996: HIPAA statute passes
• 2000/2001: Privacy Rule published
• 2003: Privacy Rule enforceable, Security Rule published
• 2005: Security Rule enforceable
• 2009: HITECH Act passes, initial regulations passed
• 2013: HITECH “omnibus rule”
“HITECH” Act and Omnibus Rule Provisions
• New Data Breach Rules
– “unsecured” PHI is the key
• Standard Exceptions:
– Wrong person at the right covered entity
• Workforce member access in good faith
• Person authorized to access PHI generally
– Recipient not reasonably likely to retain PHI
• General Exception:
– Was “no substantial harm”
– Now “low risk of compromise”
Older Breaches: The Classics
Sony Pictures
• 11/14 Ransom-style hack
• Stolen & released info
– movie scripts, emails, salary lists, >47,000 SSN
• Attributed to North Korea (The Interview)
• At least $41 MM investigation and remediation
Target
• 12/13: Email hack on HVAC vendor
• Skimming technology on POS
– 40 million credit card numbers, CVVs
– 70 million cardholder names, addresses, etc.
• 46% ↓ in Dec. profits
• $291 MM expenses related to breach ($90 MM insurance) (2016 10-K)
Home Depot
• Third party vendor hacked
• Another POS skimming attack
– 56 million credit & debit accts
– 53 million emails
• $261 MM expenses related to breach ($100 MM insurance) (2016 10-K)
Ashley Madison
• Life is short. Have an affair.®
• 32 million affected members
– Email addresses, account details
• Suicides (actual damages)
Older HIPAA Breaches
• Anthem (2015)
– Hackers gained “Admin” access by successfully phishing several people in the IT department; 80 million individuals’ information compromised
– $115 Million settlement in June 2017
• Affinity Health Plans (2010 breach, 2013 fine)
– Old copiers sold without clearing hard drives
– $1.2 Million fine
• Sutter Health (2011 breach)
– A thief breaks a window with a rock and steals a desktop computer with 4.3 million patients’ data
Older HIPAA Breaches
• Raleigh Orthopaedic Clinic (2013)
– Contractor hired to convert film to digital actually stole films to extract silver content
– Failed to have a BAA in place (wouldn’t have helped)
– $750,000 fine
• University of Washington Medicine (2015)
– Employee downloads malware
– Covered Entity doesn’t have risk assessment
– $750,000 fine
New Breaches
Recent HIPAA Breaches
• Care New England (2013/2017)
– Integrated delivery system’s MSO lost backup tapes
– Fined specifically for no HITECH-updated BAA with the (related entity) MSO
– $400,000
• Moral of the Story:
– Update your BAAs (like it’s 2013)
– Make sure you have BAAs, even with related entities
Recent HIPAA Breaches
• Metro Community (2012/2017)
– Phishing attack exposes PHI
– Corrective actions taken, but no initial risk analysis
– $400,000
• Moral of the Story:
– Do an initial risk analysis
– If you did one, do another one; just in case. . . .
Recent HIPAA Breaches
• Children’s Medical Center (Dallas) (2009/2017)
– Lost Blackberry in 2009, stolen laptop in 2013, neither encrypted
– Lack of risk management plans (despite hiring consultants to give good advice)
– $3.2 Million (failed to respond to proposed fine)
• Moral of the Story
– If you hire consultants, you must do as they say
– Work with OCR and be responsive
Recent HIPAA Breaches
• Presence Health (2013/2017)
– Paper OR schedules go missing 10/22
– Presence sends notification 1/31-2/5 (101-106 days)
– $475,000 (coulda been $400 million, each day is a violation)
• Moral of the Story:
– Once you determine it’s a breach, start sending notices
– Rule isn’t even that “you have 60 days,” but you definitely don’t have any MORE than 60 days.
Recent HIPAA Breaches
• Children’s Digestive Health (2015/2017)
– BA: FileFax; longtime doc. mgmt/destruction vendor
– Dumpster-diver found documents
– No BAA; $31,000 (small matter, small fine)
• Moral of the Story:
– Getting BAAs may require analysis of old relationships
– Children’s had zero responsibility for the breach or connection to the discovery, but that’s who OCR could go after
Recent HIPAA Breaches
• Memorial (FL) Healthcare System (2011/2017)
– Affiliated physician staffs accessing wrong PHI
– Departed employees’ access continued to be used
– Had policies, failed to implement and audit
– $5.5 Million
• Moral of the Story
– Having policies is only good if you implement them
– Employees can be your biggest problem
– Control the other provider you let access your data
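The Memorial matter turned on policies that existed on paper but were never implemented or audited: departed employees’ credentials kept being used to view PHI. The following is an added audit check illustrating the kind of control that would have caught that pattern; it is not code from the presentation or from any of the entities named. The log format, the HR roster format, and every user id, patient id and date in it are constructed for illustration.

```python
"""Audit check for the failure pattern on the Memorial slide: credentials of
departed workforce members still being used to view PHI.  Added example, not
from the presentation; all formats, ids and dates below are constructed."""
from datetime import date, datetime
import csv, io

# Constructed HR roster: user id -> termination date (ISO), blank = still active
ROSTER_CSV = """user,terminated
jdoe,2016-03-01
asmith,
bjones,2016-05-15
"""

# Constructed EHR access-log lines: timestamp, user id, action, patient id
ACCESS_LOG = """2016-02-28T09:12:00 jdoe VIEW P1001
2016-03-01T17:40:00 jdoe VIEW P1002
2016-03-03T08:05:00 jdoe VIEW P1003
2016-04-10T11:00:00 asmith VIEW P1004
2016-06-01T10:30:00 bjones VIEW P1005
2016-06-02T10:31:00 ghost VIEW P1006
"""

def load_roster(text):
    """Map each user id to a termination date, or None if still employed."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["terminated"].strip()
        roster[row["user"]] = date.fromisoformat(term) if term else None
    return roster

def parse_log(text):
    """Parse the constructed space-separated log into typed event tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, patient = line.split()
            events.append((datetime.fromisoformat(ts), user, action, patient))
    return events

def find_post_departure_access(log_text, roster_text, grace_days=0):
    """Return (user, timestamp, patient, reason) for every suspect access:
    post_termination when the access is more than grace_days after the HR
    termination date; unknown_user when HR has no record of the id at all."""
    roster = load_roster(roster_text)
    findings = []
    for ts, user, action, patient in parse_log(log_text):
        if user not in roster:
            # Orphaned or shared accounts must not be silently passed over
            findings.append((user, ts.isoformat(), patient, "unknown_user"))
        elif roster[user] is not None and (ts.date() - roster[user]).days > grace_days:
            findings.append((user, ts.isoformat(), patient, "post_termination"))
    return findings
```

Run against the constructed data it flags jdoe’s access two days after termination, bjones’s access weeks after termination, and the id ghost that HR has never heard of; the same-day access on jdoe’s last day is left alone, and grace_days lets an offboarding window be tolerated without losing the later findings.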
Recent HIPAA Breaches
• CardioNet (2012/2017)
– First wireless service provider breach (but breach was a stolen laptop)
– Insufficient risk analysis/management
– $2.5 Million
• Moral of the Story:
– Do a good risk analysis, and be able to prove it
– OCR loves novelty
Recent HIPAA Breaches
• Memorial Hermann (2015/2017)
– Staff reported ID card fraud to law enforcement
– Named patient in press release
– $2.4 Million
• Moral of the Story:
– You can obey the law, even if it’s unpopular
– If you do any more, be EXTRA careful
– Defending yourself can be problematic
Recent HIPAA Breaches
• CareFirst BCBS (Maryland) (2014/2017)
– Hacker infiltrated CareFirst’s subscriber database
– Subscribers notified timely
– No OCR action, but subscribers sued (class action)
– Court did not dismiss: risk of future injury is enough
• Moral of the Story:
– Even if you survive OCR, you can still be sued
– Class action lawyers keep class-actioning
Ransomware
Ransomware
• Attacks on the rise
• Malware used to extract ransom payment in exchange for unblocking an asset that belongs to the victim
• Crypto-ransomware (cryptor) encrypts the victim’s files and data; decryption can only be accomplished by use of the decryption key
• Decryption key provided, sometimes, after payment of ransom
Source: Kaspersky.com
Preventing Ransomware
• Educate
– Phishing and spear-phishing
• Regularly back up and verify restorability
– Backup to offline subsystem
• Protect all systems and devices
– System mapping vital to recovery
• Use and maintain security software
– Regularly patch applications and operating systems
– Update security application and its anti-malware database
OCR’s (incorrect) Guidance on Ransomware
• July 2016, OCR issues “Guidance” via a “Fact Sheet” on HIPAA obligations in a ransomware situation
• “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.”
• In most ransomware attacks, there is no possession or control taken by the attacker (although control removed from owner)
• Be forewarned, though: this is OCR’s position.
Breach Planning: What to do before and after
Before A Breach
• Know your legal requirements (HIPAA and others)
• Know your data, threats, risks and vulnerabilities
– Risk Analysis
– Policies and Procedures
– Train Your Employees
– Be Prepared for a Breach (BIRT)
– Audit and Assess
• Consider Cyberliability Insurance
Risk Analysis Components
• Know what data matters
• Where your data resides
• Know how your data moves
• Know your vulnerabilities, threats, and risks
• Analyze and prioritize
• Execute current fixes and plan for future ones
• Lather, rinse, repeat
After a Breach
• Deploy BIRT:
– Corrective measures
– Contact legal counsel
– Contact PR company
– Contact insurer
– Data breach notifications
– Credit monitoring/call centers
After a Breach
• Prepare for lawsuits and investigations
• Learn from mistakes that caused breach
• Learn from mistakes made reacting to it
• Re-conduct a risk analysis
Questions?