TRANSCRIPT
13th AMC Security & Privacy Conference June 12, 2017
Tatiana Melnik
Melnik Legal PLLC
734-358-4201
Tampa, FL
Ryan Vlcko
McLaren Health Care Corporation
810-342-1174
Flint, MI
Outline
I. A Few Words About McLaren
II. Why the Focus on Vendors?
III. Tips and Lessons from the Trenches
  A. The “Right” Process
  B. Risk Mitigation
    - Business Associate Agreements
    - Insurance
  C. The Break Up and Holding Vendors Accountable
I. A Few Words About McLaren
o Headquartered in Flint, Michigan
o Fully integrated health network: 12 hospitals
  - operates Michigan’s largest network of cancer centers and providers
  - ambulatory surgery centers, imaging centers, home health and hospice providers, retail medical equipment showrooms, and pharmacy services
  - an employed primary care physician network
  - commercial and Medicaid HMOs covering more than 250,000 lives
  - a wholly owned medical malpractice insurance company
o Key Operational Statistics (2015)
  Discharges .................. 102,597
  ER Visits ................... 405,098
  Surgeries ................... 92,052
  Births ...................... 6,057
  Ambulatory Visits ........... 3.2 Million
  Home Care Visits ............ 175,516
  Hospice Days ................ 79,994
  Licensed Beds ............... 3,096
  Community Benefit ........... $201 Million
  Employees ................... 22,000
  Days of Inpatient Care ...... 461,882
  Contracted Providers ........ 40,317
  Annual Payroll .............. $1.2 Billion
  Net Revenue ................. $3.5 Billion
II. Why the Focus on Vendors?
Healthcare = Vendors
[Figure omitted; image © Continua Health Alliance, http://continuaalliance.org]
Vendors Create Risks
• Processed and analyzed over 100 terabytes of traffic daily
• 49,917 unique malicious events
• 723 unique malicious source IPs
Vendors Create Risks
Breaches Disclosed to OCR: Top 10 Based on Patient Impact

Entity Name                              | Type               | No. Patients Impacted | Date Reported | Cause
Anthem, Inc.                             | Health Plan        | 78,800,000            | 03/13/2015    | Hacking/IT Incident
Premera Blue Cross                       | Health Plan        | 11,000,000            | 03/17/2015    | Hacking/IT Incident
Excellus Health Plan, Inc.               | Health Plan        | 10,000,000            | 09/09/2015    | Hacking/IT Incident
Science Applications International Corp. | Business Associate | 4,900,000             | 11/04/2011    | Loss
Univ. Cal. - LA                          | Provider           | 4,500,000             | 07/17/2015    | Hacking/IT Incident
Community Health Systems                 | Business Associate | 4,500,000             | 08/20/2014    | Theft – Network Server
Advocate Health and Hospitals Corp.      | Provider           | 4,029,530             | 08/23/2013    | Theft – Network Server
Medical Informatics Engineering          | Business Associate | 3,900,000             | 07/23/2015    | Hacking/IT Incident
Banner Health                            | Provider           | 3,620,000             | 08/03/2016    | Hacking/IT Incident
Newkirk Products, Inc.                   | Business Associate | 3,466,120             | 08/09/2016    | Hacking/IT Incident
Vendors Create Risks
[Charts omitted. Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US-only data)]
III. Tips and Lessons from the Trenches
  A. The “Right” Process
  B. Risk Mitigation (Business Associate Agreements, Insurance)
  C. The Break Up and Holding Vendors Accountable
The “Right” Process
o Is there a “right” process for vendor management?
o The “right” process is…
  - the one that mitigates the most risk for the company?
  - the one that closes transactions fastest so that we can go back to treating patients?
  - the one you can get your team to follow?
o Are these all the same goals? Mutually exclusive?
The “Right” Process
Not Defined
• No process defined
• Ad hoc and inconsistent
Defined & Established
• Consistent but unstructured approach
• Documented and detailed, but not measured or enforced
Continuous Improvement
• Ongoing monitoring, measuring, and process improvement
• Best practices and benchmarking
The “Right” Process
o What is McLaren’s process?
o How does McLaren determine which contracts get reviewed?
  - “Importance” of the vendor?
  - Value of the transaction?
  - Risk to the organization?
  - Term of commitment?
o Are these all the same goals? Mutually exclusive?
The “Right” Process
o Successful vendor management is a Team Sport
  - Business Lead
  - Purchasing
  - Security Officer
  - Compliance
  - Legal
  - Risk Management
o But, who is the Coach?
Vendor Risk Mitigation
o Vendor Due Diligence
  - Vendor security questionnaire
  - Audit: self-certify or “disinterested” third-party vendor?
  - Certificate of insurance
  - How much is an indemnification provision from a judgment-proof company worth?
  - General online search or a search on Shodan?
  - Check the OCR “wall of shame” (the HHS breach portal listing reported breaches affecting 500 or more individuals)
o Can due diligence be done on every vendor?
Vendor Contracting
o Business Associate Agreements vs. Master Services Agreements: what do they say about:
  - Reporting?
  - Data breach insurance?
  - Using off-shore vendors?
  - Damages caps?
  - Data use?
Vendor Contracting
o Secondary Uses of Data
  - Data is the new commodity
  - Many vendors want the rights to share data outside the specific contract relationship to provide “additional services” . . . to whom?
  - Permissible under HIPAA? Maybe… some say yes, some say no, some say it depends on who is doing the de-identification…
  - Specific analysis required
  - How does this impact indemnification? Damages caps that are set at “the fees received during the 12 months prior to when the claim arose”?
Vendor Contracting
o Business Associate Agreements
  - Scope of authorization to use data
  - Who determines when there is a “breach”? Is there a requirement to notify in the event of a “security incident”?
  - Timelines must be considered, particularly if the organization operates in multiple states or serves a patient population that crosses state lines
  - Who determines when notice is required, and who sends that notice? Watch your insurance policy on this one…
  - Is the vendor required to encrypt data?
  - Who pays for responses to a subpoena?
  - Caps on liability? Should there be?
Vendor Contracting
o Indemnification
  - Mutual or not?
  - Consider: should a customer be indemnifying the vendor for “Vendor’s negligence”?
  - “acts, omissions, or negligence” vs. “gross negligence” vs. “willful misconduct”
  - Property damage/personal injury
  - Property rights infringement claims (patent, trademark, copyright, etc.)
  - Data breaches, security incidents, and loss of data
Vendor Contracting
o Confidentiality Clause
  - If the hospital is not permitted to disclose “the terms of this Agreement”, what happens if it has to file for a Certificate of Need? If there is an accreditation audit?
  - What happens post-termination? Can a hospital really “destroy all Confidential Information”?
o Rep and Warranty for Security
  - “. . . develop, implement, and maintain commercially reasonable physical, technical and administrative safeguards”
  - “. . . has security protocols that meet or exceed compliance with any required laws, regulations, and the SOC 1 and SOC 2 Type II standards, which will be audited on an annual basis by a disinterested third-party auditor. Vendor will provide to Customer a copy of such audit report upon written request.”
  - When relying on language like this, read the report that is actually delivered: its scope (which systems and services), the period it covers, and any exceptions the auditor noted, not just the fact that a report exists.
Insurance
o A data breach is inevitable…
o Data breach insurance = risk reduction
o But, how do insurance companies try to reduce their risks?
Insurance
They try to cancel your policy…
Columbia Casualty Co. v. Cottage Health Systems (C.D. California), filed May 7, 2015 (first case of its kind)
• Columbia paid $4.125M to settle a class action stemming from a breach (32,500 records disclosed; settlement class of 50,917)
• “The complaint alleges that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. (“INSYNC”), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”
• Columbia sought to recoup the funds it had paid
Insurance
o Read the policy…
o Some policies exclude coverage:
  - for damages that arise out of activity that is contrary to your “Privacy Policy” … what does your Privacy Policy say exactly?
  - for agents or vendors where there are no contracts
  - for losses if the data is stored “in the cloud”
  - for work done by “independent contractors”
  - if laptops are not “encrypted” (using a FIPS 140-2 validated encryption algorithm). Note that FIPS 140-2 validation applies to cryptographic modules, so the practical check is whether the laptop’s disk-encryption module appears on NIST’s CMVP validated-modules list, not merely that it uses AES.
o Some policies require timely notice to the carrier as a condition of coverage…
o How much is an indemnification provision from a judgment-proof company worth?
The Break Up
o A few final thoughts learned from when things went wrong…
Disclaimer
This slide presentation is informational only and was prepared to provide a brief overview of vendor management considerations in the healthcare industry. It does not constitute legal or professional advice.
You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation.
Questions
Tatiana Melnik, Attorney
Melnik Legal PLLC, based in Tampa, FL
734.358.4201

Ryan Vlcko, Staff Attorney
McLaren Health Care Corporation, based in Flint, MI
810.342.1174