TRANSCRIPT
Health Care Industry
Emerging Legal Issues Webinar Series
Privacy & Cybersecurity: Evolving Risks and Liability Trends
September 29, 2015
Robin B. Campbell, Elliot Golding
The webinar will begin shortly, please stand by. The materials and a recording will be sent to you after the event.
Overview
• Part I – Proactive Privacy & Security Discussion
– IoT
– Cloud Computing
– Big Data and Analytics
– Insider Threat
– BYOD
– Mobile Applications
– Effective Privacy Statements
• Part II – Assess Risk and Develop Compliance Program
– Importance of a Robust Program
– Regulatory Enforcement & Litigation Trends
– Components of an Effective Risk Assessment
Privileged and Confidential
The Evolving Landscape
• Health care entities are being pushed by consumers and government for greater efficiencies:
– To drive down costs
– To improve overall health
• Includes increased reliance on:
– Electronic records
– Mobile, social, and cloud technologies
• Yet consumers and regulators are also pushing for increased privacy
Best Practice
• Move beyond HIPAA
• Attack privacy/security proactively
• Understand your risks
• Develop a program to address them
The Internet of Things (IoT)
• IoT = everyday objects have network connectivity, allowing them to send and receive data
• Connectivity of devices will continue to affect the health care industry
• Innovative and connected medical devices are on the rise, but so are concerns over IoT in health care, such as:
– Concerns around security of data
– Concerns around use of data
– Liability for connectivity failure
• Recent FDA cybersecurity guidance for medical devices
Internet of Things Issues
• Ubiquitous collection of data
• Difficult to anonymize data
• Unbeknownst to consumers
• Notice, consent, opt-outs are difficult
• Limited ability to disclose improper use of data
• IoT enforcement already occurring
Questions You Should Be Asking About Your IoT Security
• How will both old and new IoT devices be monitored for vulnerabilities?
• How will information about security flaws be received, including patches?
• Is there an industry standard or best practice that is being utilized?
• Is the data collected all necessary? For how long?
• Can the data collected be de-identified?
• What is the process for handling data breach and customer notification?
Cloud Considerations
• Know your vendor
– Security standard? (ISO, NIST)
• Consider data ownership and issues common to more traditional vendors
• Use meaningful access controls to safeguard data
• Implement Business Associate Agreements with external cloud providers
• Unique challenges of health information exchanges
• Potential special circumstances
– Foreign members? (Safe Harbor)
– Government clients? (Privacy Act)
Big Data Issues
• Big Data = using data to make informed decisions about people and interactions (vs. "lots of data")
• Could be key to improving health but must be done in a compliant manner (without "hoarding" data)
• Concerns over increased liability
– HIPAA may not adequately cover proposed analytics
– Managed care companies may use de-identified patient-level data, but the risk of re-identification remains
– No clear outline of patient consent leaves companies vulnerable to individual suit
– Anonymous, aggregated data runs the risk of inadvertent discrimination and misprofiling
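The re-identification risk in "de-identified" patient-level data, as an added worked example (not part of the webinar materials): it measures k-anonymity over the quasi-identifiers that survive removal of names and record numbers (ZIP, birth date, sex), then generalizes and suppresses until every record shares its quasi-identifier values with at least one other. The records are constructed and fictional, and the ZIP-prefix/birth-year truncation rule is an assumption for the example; it does not model every HIPAA Safe Harbor condition.

```python
"""
k-anonymity check for "de-identified" patient-level data.

Added example, not from the webinar: the slide warns that de-identified
patient-level data still carries re-identification risk. This script measures
that risk as the smallest equivalence class over quasi-identifiers, then
applies generalisation and suppression and re-measures. All records are
constructed and fictional; the ZIP/date truncation rule is an assumption for
the example and does not model every HIPAA Safe Harbor condition.
"""
from collections import Counter

# Constructed extract: direct identifiers already stripped, but ZIP, birth date
# and sex remain alongside a sensitive diagnosis column.
RECORDS = [
    {"zip": "02139", "dob": "1961-03-04", "sex": "F", "dx": "diabetes"},
    {"zip": "02139", "dob": "1961-11-22", "sex": "F", "dx": "asthma"},
    {"zip": "02142", "dob": "1984-07-09", "sex": "M", "dx": "hypertension"},
    {"zip": "02142", "dob": "1984-01-30", "sex": "M", "dx": "diabetes"},
    {"zip": "02138", "dob": "1952-05-17", "sex": "F", "dx": "hiv"},
    {"zip": "02138", "dob": "1952-05-17", "sex": "F", "dx": "asthma"},
    {"zip": "02144", "dob": "1999-09-01", "sex": "M", "dx": "depression"},
]
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def qi_key(record, keys):
    return tuple(record[k] for k in keys)


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(qi_key(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Records alone in their class: anyone who knows the subject's ZIP, DOB
    and sex (from a voter roll, say) can link them to the diagnosis."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[qi_key(r, keys)] == 1]


def generalize(record):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix, birth year only.
    (Assumed rule for the example; Safe Harbor adds constraints on small
    ZIP3 populations and ages over 89 that are not modelled here.)"""
    g = dict(record)
    g["zip"] = record["zip"][:3]
    g["dob"] = record["dob"][:4]
    return g


def suppress(records, k, keys=QUASI_IDENTIFIERS):
    """Drop records whose class is still smaller than k after generalisation."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[qi_key(r, keys)] >= k]


def release(records, k=2, keys=QUASI_IDENTIFIERS):
    """Generalise, then suppress, reporting k before and after each step.
    k-anonymity bounds linkage, not inference: a class whose members all
    share one diagnosis still leaks it (the l-diversity problem)."""
    raw_k = k_anonymity(records, keys)
    generalized = [generalize(r) for r in records]
    gen_k = k_anonymity(generalized, keys)
    released = suppress(generalized, k, keys)
    return {
        "raw_k": raw_k,
        "generalized_k": gen_k,
        "released_k": k_anonymity(released, keys),
        "released_count": len(released),
        "suppressed_count": len(records) - len(released),
        "released": released,
    }


if __name__ == "__main__":
    report = release(RECORDS)
    print({key: val for key, val in report.items() if key != "released"})
```

On this sample, truncation alone is not enough: one record stays unique after generalization and has to be suppressed before the extract reaches k=2, which is the practical point behind "risk of re-identification remains".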
Analytics Issues
• Shift to a more customer-driven approach means practical transparency is key
• But notice and consent can become problematic
– Frequency of use may burden consumer with consent requests
– Unknown future uses mean consent may be uninformed or ineffective
• Maintaining ability to disclose information so that others can conduct their own analyses
– Iceland's DNA research project
• Creative uses of analytics
– Claims disputes
Insider Threat Issues
$40 billion in U.S. losses in a single year – SpectorSoft 2014 Insider Threat Survey
Definition:
• a current or former employee, contractor, or business partner
• who has or had authorized access to an organization's network, system, or data
• who has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems
Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and PricewaterhouseCoopers, April 2014
Insider Threat Best Practices
Awareness:
• Insider threat awareness training for employees
• Know your assets
• Close the doors to unauthorized data exfiltration
• Anticipate and manage negative issues in the work environment
• Establish a baseline of normal network device behavior
Policies & Enforcement:
• Document and enforce policies and controls
• Implement strict password and account management
• Enforce separation of duties and least privilege
• Define cloud service security agreements
• Control and monitor privileged users
• Institutionalize system change controls
• Develop employee termination procedure
• Implement secure backup and recovery processes
• Develop a formalized insider threat program
Monitoring:
• Enterprise-wide risk assessments
• Monitor suspicious/disruptive behavior
• Audit employee actions
• Monitor and control remote access from all end points, including mobile devices
• Be especially vigilant regarding social media
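Three of the practices above (establish a baseline of normal behavior, audit employee actions, control and monitor privileged users) as one added detection example; this is illustrative code, not anything from the webinar or its presenters. It builds a per-user baseline of daily chart views from EHR access audit lines, then alerts on volume spikes, cross-unit access by clinical staff, chart access by non-clinical (admin) accounts, and off-hours activity. The log format, the role names, the thresholds and the off-hours window are all assumptions, and the users and patients are fictional.

```python
"""
Insider-threat detection over EHR access audit logs.

Added example, not from the webinar deck. The log format, role names,
thresholds and "off hours" window are assumptions for the example; users
and patients are fictional.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit lines: three normal days for an ICU nurse, then on
# 2015-09-28 the same account pulls six oncology charts at 2 a.m. and an
# IT administrator opens a patient record.
LOG_LINES = """\
2015-09-21T08:05:11 user=anurse role=nurse unit=ICU action=view_record patient=P001 patient_unit=ICU
2015-09-21T09:10:42 user=anurse role=nurse unit=ICU action=view_record patient=P002 patient_unit=ICU
2015-09-21T10:15:19 user=anurse role=nurse unit=ICU action=view_record patient=P003 patient_unit=ICU
2015-09-22T08:02:03 user=anurse role=nurse unit=ICU action=view_record patient=P001 patient_unit=ICU
2015-09-22T11:30:00 user=anurse role=nurse unit=ICU action=view_record patient=P004 patient_unit=ICU
2015-09-23T08:09:55 user=anurse role=nurse unit=ICU action=view_record patient=P005 patient_unit=ICU
2015-09-23T09:44:10 user=anurse role=nurse unit=ICU action=view_record patient=P002 patient_unit=ICU
2015-09-23T14:01:27 user=anurse role=nurse unit=ICU action=view_record patient=P006 patient_unit=ICU
2015-09-28T02:01:03 user=anurse role=nurse unit=ICU action=view_record patient=P101 patient_unit=ONC
2015-09-28T02:02:17 user=anurse role=nurse unit=ICU action=view_record patient=P102 patient_unit=ONC
2015-09-28T02:03:41 user=anurse role=nurse unit=ICU action=view_record patient=P103 patient_unit=ONC
2015-09-28T02:04:58 user=anurse role=nurse unit=ICU action=view_record patient=P104 patient_unit=ONC
2015-09-28T02:06:12 user=anurse role=nurse unit=ICU action=view_record patient=P105 patient_unit=ONC
2015-09-28T02:07:30 user=anurse role=nurse unit=ICU action=view_record patient=P106 patient_unit=ONC
2015-09-28T03:05:12 user=sysadmin role=admin unit=IT action=view_record patient=P050 patient_unit=ICU
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) unit=(?P<unit>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) patient_unit=(?P<patient_unit>\S+)$"
)
CLINICAL_ROLES = {"nurse", "physician"}   # roles expected to open charts
OFF_HOURS = range(0, 6)                   # 00:00-05:59, assumed off-shift


def parse(text):
    """Parse audit lines; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def daily_views(events):
    """user -> {date: number of view_record events}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["action"] == "view_record":
            counts[ev["user"]][ev["ts"].date()] += 1
    return counts


def build_baseline(events, cutoff):
    """Per-user mean and population stdev of daily chart views before cutoff."""
    baseline = {}
    before = [e for e in events if e["ts"] < cutoff]
    for user, days in daily_views(before).items():
        vals = list(days.values())
        baseline[user] = (mean(vals), pstdev(vals))
    return baseline


def detect(events, baseline, cutoff, z=3.0, floor=5):
    """Return (kind, user, detail) alerts for events at or after cutoff."""
    alerts = []
    recent = [e for e in events if e["ts"] >= cutoff]
    # Volume: a day far above the user's own baseline; `floor` stops a
    # no-history account from alerting on 1 view vs a baseline of 0.
    for user, days in daily_views(recent).items():
        mu, sigma = baseline.get(user, (0.0, 0.0))
        for day, n in days.items():
            if n >= floor and n > mu + z * sigma:
                alerts.append(("volume", user,
                               f"{day}: {n} views vs baseline {mu:.1f}+/-{sigma:.1f}"))
    for ev in recent:
        if ev["action"] != "view_record":
            continue
        if ev["role"] in CLINICAL_ROLES and ev["unit"] != ev["patient_unit"]:
            alerts.append(("cross_unit", ev["user"],
                           f"{ev['patient']} belongs to {ev['patient_unit']}"))
        if ev["role"] not in CLINICAL_ROLES:   # privileged, non-clinical account
            alerts.append(("privileged_clinical_access", ev["user"], ev["patient"]))
        if ev["ts"].hour in OFF_HOURS:
            alerts.append(("off_hours", ev["user"], ev["ts"].isoformat()))
    return alerts


def analyze(text=LOG_LINES, cutoff=datetime(2015, 9, 26)):
    """Baseline on history before cutoff, then alert on what follows."""
    events = parse(text)
    return detect(events, build_baseline(events, cutoff), cutoff)


if __name__ == "__main__":
    for kind, user, detail in analyze():
        print(f"{kind:<27} {user:<10} {detail}")
```

The baseline window must predate the period under review; if the suspicious days are folded into the baseline, the spike raises the mean and the volume check goes quiet. The role/unit checks do not depend on history at all, which is why they are worth running even for accounts too new to have a baseline.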
Questions You Should Be Asking About Your Mobile Apps
• What data is being collected?
• How is data secured?
• How long is data stored?
• Is any data being shared?
• Are all app functions necessary?
• How do you display your mobile privacy policy?
• How do users access information/restrict sharing?
• Who do users contact with questions?
FTC & State AG Mobile App Guidance
• Be truthful about what your app can do
• Be clear and conspicuous with disclosures
– Make choices easy to find and use
– Consider using icons and pop-up notifications
– Call special attention to unexpected data practices
• Think about privacy from the start
– Tailor privacy practices to data being collected
– Limit data collection to only what you need
• Keep kids in mind
• Never collect sensitive information without consent
• Implement reasonable security to protect data
BYOD Issues
• Any personal device that employees use for work purposes (smartphones, tablets, laptops, etc.)
• Risks include:
– Data security (system only as secure as least secure user/device)
– Corporate liability (leaks, inappropriate activity, negligence)
– Litigation and discovery (preservation, spoliation, protecting personal information)
– Employee privacy concerns
How Do We Address BYOD Issues?
• Security measures
• Technology assessments
• Training
• Privacy policies
• Compliance reviews
– HIPAA & Gramm-Leach-Bliley Act
– State security mandates
– Data destruction laws
– Global data protection laws
– Contractual requirements
Effective Privacy Statement Components
• Say what you do and do what you say
– Scope
– Information collected
– Uses and disclosures
• Keep up with published guidance
– FTC and California AG (and others)
• Special issues
– Opting out
– California Privacy Rights
– Data Sale (RadioShack)
Evolving Market Requires Greater Privacy Policy Transparency
• Increased competition means health care companies are reaching out directly to consumers
– Telemarketing efforts can run afoul of the Telephone Consumer Protection Act (TCPA)
• New technology, IoT, mobile, and social use require good public-facing privacy statements
• Notices of Privacy Practices are not enough
• User-friendly, layered privacy statements are just as important for health care as they are for retail
– Just-in-time disclosures may not be sufficient
Part II: Assess Risk and Develop Compliance Program
Topics:
• Importance of a Robust Program
• Regulatory Enforcement & Litigation Trends
• Components of an Effective Compliance Program
Importance of a Robust Program
• Help understand threats and mitigate risk
• Manage evolving government regs/policies
• Prepare for the inevitable incident
• Strengthen legal defenses
What Are The Threats?
• Insider Threats
– Snowden
– Negligent employees
• Vendors/Supply Chain
• Nation States
– China
– Russia
– Iran
• Hacktivists
• Organized Crime
• Dude in his Mom's Basement
What Are They After?
• Protected Health Information
– Valuable for both identity theft and Medicare/Medicaid fraud
– Insurers targeted because they have the most PHI
– A stolen medical identity has a street value of $50, compared to $14-$18 for a stolen credit card number and just $1 for a stolen Social Security number
• Intellectual property/trade secrets
• Damage and disruption to infrastructure
• Financial gain (PCI, PII, PHI)
• Reputational harm (email)
• National security impact
Types of Consequences
• Theories of recovery/claims:
– Negligence
– Breach of Contract
– Unfair Trade Practices
– Breach of Privacy
– State Statutes – e.g., CMIA
– Tort Claims
– Shareholder Actions
• Direct impact/business harm
• Reputational harm
• C-suite impact
Relevant Statutes & Standards
• Federal statutes
– HIPAA (including HITECH and GINA)
– 42 CFR Part 2 Regs (substance abuse)
– Fair Credit Reporting Act (FCRA)
– Computer Fraud and Abuse Act (CFAA)
– Gramm-Leach-Bliley Act (GLBA)
– Federal Trade Commission Act (FTC) Section 5 Authority
• State statutes
– California Confidentiality of Medical Information Act (CMIA)
– Privacy, Security, Breach Notification, Data Destruction
• Standards
– National Institute of Standards and Technology (NIST)
– International Organization for Standardization (ISO)
– Payment Card Industry Data Security Standard (PCI-DSS)
Major Trends
• Increased Executive Branch interest
– White House Proposed Legislation
– Executive Orders
– State of the Union Address
• More regulators involved
– FTC and SEC 2015 Cybersecurity Priorities
– HHS (of course)
• More legislation and regulations
– Multiple national data breach notification proposals
– Consumer Privacy Bill of Rights
– Efforts to tighten state law (NY Safe Harbor for security)
• More breach litigation (and bigger breaches)
HHS Has Been Busy
Regulatory Enforcement & Trends
• Regulators have been active
– 14 OCR settlements in past two years (all six figures or more), plus thousands of investigations
– State AGs also active
– FTC stepping up enforcement, even for health care (LabMD)
• OCR Audits are (still) coming… probably
– Plan to audit 109 health plans (out of 350 total covered entities) in Phase 2 of its Privacy, Security, and Breach Notification Audit Program
• More audits from government programs
– FEHBP, DoD
Breach Litigation Trends
• Most breach suits dismissed because no "injury"
– Injury = invasion of a legally protected interest which is:
• Concrete and particularized; and
• Actual or imminent, not conjectural or hypothetical
• Clapper v. Amnesty Int'l USA, Inc., 133 S. Ct. 1138 (2013) added that injury must be "certainly impending"
• Courts post-Clapper have been mixed
– Most find no standing (but see California and 7th Circuit)
• CMIA cases also dismissed because no evidence that lost data was actually accessed by a third party
TCPA Litigation Trends
• TCPA Primer:
– Prohibits calls to numbers on "Do Not Call" list and restricts automated marketing calls, texts, and faxes ("Robo Calls")
• Must have prior express written consent to telemarket using automated systems, artificial callers and prerecorded messages
• No longer an "established business relationship" exception
• Vicarious liability "On Behalf Of"
• Special rules for "health care messages"
– Penalties = $500 to $1,500 per violation, active class action bar
• TCPA Settlements in the Last Year:
– Comenity Bank, S.D. Cal.: $8.5m
– AT&T Mobility, D. Mont.: $45m
– Bank of America, C.D. Cal.: $32m
– Capital One, N.D. Ill.: $75.5m
– TruGreen, N.D. Ill.: $4.5m
– LA Clippers, C.D. Cal.: $5m
– Best Buy, W.D. Wash.: $4.5m
Components of a Compliance Program
1. Identify and Classify Sensitive Data and Regulated Systems
• Identify data (PHI/PII/other), networks, & systems
• Understand regulations, standards, contracts, and best practices
• Conduct HIPAA-required risk assessment
– External/insider threats and vulnerabilities
– Enterprise-wide
• Minimize data
• Evaluate compliance models (ISO, NIST, HIPAA)
2. Establish Clear Governance
• Review oversight and management
• Identify team roles and responsibilities
• Assess communication structure
• Implement/test controls appropriate to risk
3. Review and Update P&P
Internal:
• Incident response plan
• Privacy policy
• Security policy
• Document retention
Public facing:
• Web privacy policy
• Notice of Privacy Practices
• Other representations (GLBA notices, etc.)
Do not overpromise (privacy or security)
4. Prepare for an Incident
• Assess reporting and response requirements
• Develop an Incident Response Plan and Toolkit
– Intake
– Escalation
– Investigation
– Mitigation
• Retain service providers/vendors
• Conduct tabletop exercises
• Review insurance options
Key Incident Response Steps
• Follow the plan (and respond quickly)!
• Assemble Response Team (and involve counsel early)
• Investigate/Mitigate/Remediate Incident
• Prioritize Escalation and Repair
• Utilize Retained Forensic Vendors
• Identify Notification/Reporting Obligations
• Notify Insurance
• Evaluate Information Sharing with Industry/Government
• Prepare Litigation Response
5. Review Vendor Management Process
Understand Vendor Risks
• Exploitation of system and network vulnerabilities
• Network access and lack of segregation
• Contractual liability issues
• Reputational and govt./private contracting issues
5. Review Vendor Management Process
Manage Vendor Risks
• Select capable providers and provide oversight/compliance audits
– Oversight/audits not required under HIPAA, but increasingly common
• Segregate networks and have access controls
• Review key contractual provisions
– Privacy/security standards/requirements
– Investigation
– Indemnity
– Incident response
– Audit
• Ensure access: IT design documents, change/work orders
• Provide/demand training
6. Analyze Audit and Reporting Processes
• Identify and centralize audit processes
– Internal audit
– Client audit
– Government audit
• Ensure key stakeholders are involved
7. Conduct Training
• Upon hire and periodically thereafter
• Weekly/monthly security and privacy reminders
• Role-based and risk-based
• Test training
– Spear phishing exercises
– Tabletops
8. Participate in Industry and Government Partnerships
• ISACs & ISAOs
– NH-ISAC
• CRADA
• Note: Recent EO on Information Sharing and DOJ and FTC Joint Statement re Antitrust for Cyber Threat Information Sharing Activities
9. Implement Controls to Protect Data and Systems (Besides HIPAA)
• Access control/authentication
• Stronger passwords/smart defaults
• Physical locks
• Automated timing systems to log out users
• Secure data transfer
• Automatic deletion of data
• Prevent automatic synching of devices
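The "automated timing systems to log out users" control above, as an added implementation example (not code from the webinar or its presenters): an in-memory session store with an idle timeout plus an absolute lifetime, so that a workstation left open is logged out and steady activity cannot keep one session alive indefinitely. The timeout values, the in-memory store and the injectable clock are assumptions for the example; a deployment would persist sessions and bind them to the authenticated transport.

```python
"""
Automatic logoff: idle and absolute session timeouts.

Added example, not from the deck. Timeouts and the in-memory store are
assumptions for the example; the clock is injectable so the expiry logic
can be exercised deterministically.
"""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600,
                 clock=time.monotonic):
        self.idle_timeout = idle_timeout          # seconds without activity
        self.absolute_timeout = absolute_timeout  # seconds since login, regardless
        self._clock = clock
        self._sessions = {}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def _expired(self, s, now):
        return (now - s["last_seen"] > self.idle_timeout
                or now - s["created"] > self.absolute_timeout)

    def touch(self, token):
        """Validate on every request. Returns the user, or None (and destroys
        the session) if the token is unknown or either timeout has passed."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            self.destroy(token)
            return None
        s["last_seen"] = now                # activity extends idle window only
        return s["user"]

    def destroy(self, token):
        self._sessions.pop(token, None)

    def sweep(self):
        """Automatic deletion: purge every expired session; returns the count."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            self.destroy(t)
        return len(dead)

    def active_count(self):
        return len(self._sessions)


class FakeClock:
    """Controllable clock for the demo and tests."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """10-minute idle limit, 60-minute absolute limit."""
    clock = FakeClock()
    store = SessionStore(idle_timeout=600, absolute_timeout=3600, clock=clock)
    results = []
    tok = store.create("drjones")
    clock.advance(599)
    results.append(store.touch(tok))        # inside idle window -> "drjones"
    clock.advance(601)
    results.append(store.touch(tok))        # idle exceeded -> None, session gone
    tok2 = store.create("drjones")
    for _ in range(7):                      # active every 10 min for 70 min
        clock.advance(600)
        results.append(store.touch(tok2))   # valid until absolute limit, then None
    return results


if __name__ == "__main__":
    print(demo())
```

The absolute limit is the part most often left out: an idle timeout alone never ends a session on a shared terminal that stays busy, and a stolen token stays valid for as long as the thief keeps using it.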
Questions?
Speakers – Contact Information
Robin B. Campbell: [email protected]
Elliot Golding: [email protected]
Health Care Industry Emerging Legal Issues Webinar Series
• How to Survive a Subpoena/CID: November 17 – John Brennan, David O'Brien
• Advertising and Marketing Issues in the Health Care Industry: TBD – Chris Cole, David Ervin