Page 1: Health Care Industry Emerging Legal Issues Webinar Series
Privacy & Cybersecurity: Evolving Risks and Liability Trends
September 29, 2015
Robin B. Campbell, Elliot Golding

The webinar will begin shortly, please stand by. The materials and a recording will be sent to you after the event.



Page 2: Overview

• Part I – Proactive Privacy & Security Discussion
  – IoT
  – Cloud Computing
  – Big Data and Analytics
  – Insider Threat
  – BYOD
  – Mobile Applications
  – Effective Privacy Statements

• Part II – Assess Risk and Develop Compliance Program
  – Importance of a Robust Program
  – Regulatory Enforcement & Litigation Trends
  – Components of an Effective Risk Assessment

Page 3: The Evolving Landscape

• Health care entities are being pushed by consumers and government for greater efficiencies:
  – To drive down costs
  – To improve overall health

• Includes increased reliance on:
  – Electronic records
  – Mobile, social, and cloud technologies

• Yet, consumers and regulators are also pushing for increased privacy

Page 4: Best Practice

• Move Beyond HIPAA
• Attack Privacy/Security Proactively
• Understand Your Risks
• Develop Program to Address

Page 5: The Internet of Things (IoT)

• IoT = everyday objects have network connectivity, allowing them to send and receive data
• Connectivity of devices will continue to affect the health care industry
• Innovative and connected medical devices are on the rise, but so are concerns over IoT in health care, such as:
  – Concerns around security of data
  – Concerns around use of data
  – Liability for connectivity failure
• Recent FDA cybersecurity guidance for medical devices

Page 6: Internet of Things Issues

• Ubiquitous collection of data
• Difficult to anonymize data
• Collection often happens unbeknownst to consumers
• Notice, consent, opt-outs are difficult
• Limited ability to disclose improper use of data
• IoT enforcement already occurring

Page 7: Questions You Should Be Asking About Your IoT Security

• How will both old and new IoT devices be monitored for vulnerabilities?
• How will information about security flaws be received, including patches?
• Is there an industry standard or best practice that is being utilized?
• Is the data collected all necessary? For how long?
• Can the data collected be de-identified?
• What is the process for handling a data breach and customer notification?

Page 8: Cloud Considerations

• Know your vendor
  – Security standard? (ISO, NIST)
• Consider data ownership and issues common to more traditional vendors
• Use meaningful access controls to safeguard data
• Implement Business Associate Agreements with external cloud providers
• Unique challenges of health information exchanges
• Potential special circumstances
  – Foreign members? (Safe Harbor; note that the EU-U.S. Safe Harbor framework was invalidated by the Court of Justice of the EU in Schrems on October 6, 2015, one week after this webinar)
  – Government clients? (Privacy Act)

Page 9: Big Data Issues

• Big Data = using data to make informed decisions about people and interactions (vs. “lots of data”)
• Could be key to improving health but must be done in a compliant manner (without “hoarding” data)
• Concerns over increased liability
  – HIPAA may not adequately cover proposed analytics
  – Managed care companies may use de-identified patient-level data, but the risk of re-identification remains
  – No clear outline of patient consent leaves companies vulnerable to individual suits
  – Anonymous, aggregated data runs the risk of inadvertent discrimination and misprofiling

Page 10: Analytics Issues

• Shift to a more customer-driven approach means practical transparency is key
• But notice and consent can become problematic
  – Frequency of use may burden the consumer with consent requests
  – Unknown future uses mean consent may be uninformed or ineffective
• Maintaining the ability to disclose information so that others can conduct their own analyses
  – Iceland’s DNA research project
• Creative uses of analytics
  – Claims disputes

Page 11: Insider Threat Issues

$40 billion in U.S. losses in a single year (SpectorSoft 2014 Insider Threat Survey)

Definition:
• a current or former employee, contractor, or business partner
• who has or had authorized access to an organization’s network, system, or data
• who has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

Source: 2014 US State of Cybercrime Survey, CSO Magazine, U.S. Secret Service, Software Engineering Institute CERT Program at Carnegie Mellon University and PricewaterhouseCoopers, April 2014

Page 12: Insider Threat Best Practices

Awareness
• Insider threat awareness training for employees
• Know your assets
• Close the doors to unauthorized data exfiltration
• Anticipate and manage negative issues in the work environment
• Establish a baseline of normal network device behavior

Policies & Enforcement
• Document and enforce policies and controls
• Implement strict password and account management
• Enforce separation of duties and least privilege
• Define cloud service security agreements
• Control and monitor privileged users
• Institutionalize system change controls
• Develop employee termination procedure
• Implement secure backup and recovery processes
• Develop a formalized insider threat program

Monitoring
• Enterprise-wide risk assessments
• Monitor suspicious/disruptive behavior
• Audit employee actions
• Monitor and control remote access from all end points, including mobile devices
• Be especially vigilant regarding social media
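The Awareness and Monitoring columns above ("establish a baseline of normal network device behavior", "audit employee actions") say what to do but not how a baseline is actually used. As an added example, not code from the webinar or its presenters, the following Python script builds a per-user baseline from constructed EHR access audit records (the log format, user names, business-hours window and thresholds are assumptions made for this example) and flags two deviations on an evaluation day: a user pulling far more distinct patient charts than their own history supports, and after-hours access by a user who has no after-hours history.

```python
"""
Baseline-and-deviation check over EHR access audit records.

Added example, not from the webinar. Builds a per-user baseline of how many
distinct patient records each user touches per day and at what hours, then
flags deviations on an evaluation day. The log format, user names,
business-hours window and thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev


def build_sample_log():
    """Constructed audit lines: '<ISO timestamp> <user> <action> <patient_id>'."""
    lines = []
    for day in range(1, 5):                      # baseline period: Sept 1-4
        for i in range(3):                       # nurse_a: 3 charts/day, daytime
            lines.append(f"2015-09-0{day}T{9 + i:02d}:15:00 nurse_a view_record P10{i:02d}")
        for i in range(5):                       # clerk_b: 5 charts/day, daytime
            lines.append(f"2015-09-0{day}T{8 + i:02d}:05:00 clerk_b view_record P20{i:02d}")
        for i in range(2):                       # night_nurse_c: 2 charts/day, overnight
            lines.append(f"2015-09-0{day}T23:{i * 10:02d}:00 night_nurse_c view_record P30{i:02d}")
    # evaluation day, Sept 5
    for i in range(12):                          # nurse_a suddenly pulls 12 distinct charts
        lines.append(f"2015-09-05T{9 + i // 4:02d}:{(i % 4) * 15:02d}:00 nurse_a view_record P9{i:02d}")
    for i in range(4):                           # clerk_b: usual volume ...
        lines.append(f"2015-09-05T{8 + i:02d}:05:00 clerk_b view_record P20{i:02d}")
    lines.append("2015-09-05T02:40:00 clerk_b view_record P2099")   # ... but one 02:40 access
    for i in range(2):                           # night_nurse_c: same overnight pattern
        lines.append(f"2015-09-05T23:{i * 10:02d}:00 night_nurse_c view_record P30{i:02d}")
    return lines


def parse(lines):
    """Turn raw audit lines into (timestamp, user, action, patient) tuples."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def is_after_hours(ts, business_hours=(7, 19)):
    """True when the hour falls outside the assumed 07:00-19:00 window."""
    return not (business_hours[0] <= ts.hour < business_hours[1])


def detect(events, eval_date, k=3.0, min_excess=5):
    """Return sorted (user, reason, observed, expected) alerts for eval_date.

    Volume rule: alert when distinct patients on eval_date exceed the
    baseline mean + k*stdev, but never for fewer than `min_excess` extra
    charts, so a user with a flat history (stdev 0) still has headroom.
    Hours rule: alert on after-hours access by a user whose baseline has none.
    """
    per_day = defaultdict(lambda: defaultdict(set))  # user -> date -> {patient}
    after_hours_baseline = set()                     # users seen after hours before eval_date
    after_hours_today = defaultdict(list)            # user -> after-hours timestamps on eval_date
    for ts, user, _action, patient in events:
        per_day[user][ts.date()].add(patient)
        if is_after_hours(ts):
            if ts.date() < eval_date:
                after_hours_baseline.add(user)
            elif ts.date() == eval_date:
                after_hours_today[user].append(ts.isoformat())

    alerts = []
    for user, days in per_day.items():
        baseline = [len(p) for d, p in days.items() if d < eval_date]
        observed = len(days.get(eval_date, set()))
        if baseline:
            mu = mean(baseline)
            threshold = max(mu + k * pstdev(baseline), mu + min_excess)
            if observed > threshold:
                alerts.append((user, "volume", observed, round(threshold, 1)))
        if user in after_hours_today and user not in after_hours_baseline:
            alerts.append((user, "after_hours", len(after_hours_today[user]), 0))
    return sorted(alerts)


def run_example():
    """Run the detector over the constructed log for the evaluation day."""
    return detect(parse(build_sample_log()), date(2015, 9, 5))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run stand-alone it prints two alerts for the constructed log: a volume alert for nurse_a and an after-hours alert for clerk_b, and nothing for night_nurse_c. The minimum-excess floor matters in practice: a user whose baseline is perfectly flat has a standard deviation of zero, and without the floor a single extra chart would trip the rule. The after-hours rule compares against the user's own history rather than a global shift pattern, so a night nurse is not flagged every shift while a day clerk at 02:40 is.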

Page 13: Questions You Should Be Asking About Your Mobile Apps

• What data is being collected?
• How is data secured?
• How long is data stored?
• Is any data being shared?
• Are all app functions necessary?
• How do you display your mobile privacy policy?
• How do users access information/restrict sharing?
• Who do users contact with questions?

Page 14: FTC & State AG Mobile App Guidance

• Be truthful about what your app can do
• Be clear and conspicuous with disclosures
  – Make choices easy to find and use
  – Consider using icons and pop-up notifications
  – Call special attention to unexpected data practices
• Think about privacy from the start
  – Tailor privacy practices to data being collected
  – Limit data collection to only what you need
• Keep kids in mind
• Never collect sensitive information without consent
• Implement reasonable security to protect data

Page 15: BYOD Issues

• Any personal device that employees use for work purposes (smartphones, tablets, laptops, etc.)
• Risks include:
  – Data security (system only as secure as the least secure user/device)
  – Corporate liability (leaks, inappropriate activity, negligence)
  – Litigation and discovery (preservation, spoliation, protecting personal information)
  – Employee privacy concerns

Page 16: How Do We Address BYOD Issues?

• Security measures
• Technology assessments
• Training
• Privacy policies
• Compliance reviews
  – HIPAA & Gramm-Leach-Bliley Act
  – State security mandates
  – Data destruction laws
  – Global data protection laws
  – Contractual requirements

Page 17: Effective Privacy Statement Components

• Say what you do and do what you say
  – Scope
  – Information collected
  – Uses and disclosures
• Keep up with published guidance
  – FTC and California AG (and others)
• Special issues
  – Opting out
  – California Privacy Rights
  – Data Sale (RadioShack)

Page 18: Evolving Market Requires Greater Privacy Policy Transparency

• Increased competition means health care companies are reaching out directly to consumers
  – Telemarketing efforts can run afoul of the Telephone Consumer Protection Act (TCPA)
• New technology, IoT, mobile, and social use require good public-facing privacy statements
• Notices of Privacy Practices are not enough
• User-friendly, layered privacy statements are just as important for health care as they are for retail
  – Just-in-time disclosures may not be sufficient

Page 19: Part II: Assess Risk and Develop Compliance Program

Topics:
• Importance of a Robust Program
• Regulatory Enforcement & Litigation Trends
• Components of an Effective Compliance Program

Page 20: Importance of a Robust Program

• Help understand threats and mitigate risk
• Manage evolving government regs/policies
• Prepare for the inevitable incident
• Strengthen legal defenses

Page 21: What Are The Threats?

• Insider Threats
  – Snowden
  – Negligent employees
• Vendors/Supply Chain
• Nation States
  – China
  – Russia
  – Iran
• Hacktivists
• Organized Crime
• Dude in his Mom’s Basement

Page 22: What Are They After?

• Protected Health Information
  – Valuable for both identity theft and Medicare / Medicaid fraud
  – Insurers targeted because they have the most PHI
  A stolen medical identity has a street value of $50, compared to $14-$18 for a stolen credit card number and just $1 for a stolen Social Security number
• Intellectual property/trade secrets
• Damage and disruption to infrastructure
• Financial gain (PCI, PII, PHI)
• Reputational harm (email)
• National security impact

Page 23: Types of Consequences

• Theories of recovery/claims:
  – Negligence
  – Breach of Contract
  – Unfair Trade Practices
  – Breach of Privacy
  – State Statutes – e.g., CMIA
  – Tort Claims
  – Shareholder Actions
• Direct impact/business harm
• Reputational harm
• C-suite impact

Page 24: Relevant Statutes & Standards

• Federal statutes
  – HIPAA (including HITECH and GINA)
  – 42 CFR Part 2 Regs (substance abuse)
  – Fair Credit Reporting Act (FCRA)
  – Computer Fraud and Abuse Act (CFAA)
  – Gramm-Leach-Bliley Act (GLBA)
  – Federal Trade Commission Act (FTC) Section 5 Authority
• State statutes
  – California Confidentiality of Medical Information Act (CMIA)
  – Privacy, Security, Breach Notification, Data Destruction
• Standards
  – National Institute of Standards and Technology (NIST)
  – International Organization for Standardization (ISO)
  – Payment Card Industry Data Security Standard (PCI-DSS)

Page 25: Major Trends

• Increased Executive Branch interest
  – White House Proposed Legislation
  – Executive Orders
  – State of the Union Address
• More regulators involved
  – FTC and SEC 2015 Cybersecurity Priorities
  – HHS (of course)
• More legislation and regulations
  – Multiple national data breach notification proposals
  – Consumer Privacy Bill of Rights
  – Efforts to tighten state law (NY Safe Harbor for security)
• More breach litigation (and bigger breaches)

Page 26: HHS Has Been Busy

Page 27: Regulatory Enforcement & Trends

• Regulators have been active
  – 14 OCR settlements in the past two years (all six figures or more), plus thousands of investigations
  – State AGs also active
  – FTC stepping up enforcement, even for health care (LabMD)
• OCR Audits are (still) coming… probably
  – Plan to audit 109 health plans (out of 350 total covered entities) in Phase 2 of its Privacy, Security, and Breach Notification Audit Program
• More audits from government programs
  – FEHBP, DoD

Page 28: Breach Litigation Trends

• Most breach suits dismissed because no “injury”
  – Injury = invasion of a legally protected interest which is:
    • Concrete and particularized; and
    • Actual or imminent, not conjectural or hypothetical
• Clapper v. Amnesty Int’l USA, Inc., 133 S. Ct. 1138 (2013) added that injury must be “certainly impending”
• Courts post-Clapper have been mixed
  – Most find no standing (but see California and 7th Circuit)
• CMIA cases also dismissed because no evidence that lost data was actually accessed by a third party

Page 29: TCPA Litigation Trends

• TCPA Primer:
  – Prohibits calls to numbers on the “Do Not Call” list and restricts automated marketing calls, texts, and faxes (“Robo Calls”)
    • Must have prior express written consent to telemarket using automated systems, artificial callers and prerecorded messages
    • No longer an “established business relationship” exception
    • Vicarious liability “On Behalf Of”
    • Special rules for “health care messages”
  – Penalties = $500 to $1500 per violation, active class action bar

• TCPA Settlements in the Last Year:
  – Comenity Bank, S.D. Cal.: $8.5m
  – AT&T Mobility, D. Mont.: $45m
  – Bank of America, C.D. Cal.: $32m
  – Capital One, N.D. Ill.: $75.5m
  – TruGreen, N.D. Ill.: $4.5m
  – LA Clippers, C.D. Cal.: $5m
  – Best Buy, W.D. Wash.: $4.5m

Page 30: Components of a Compliance Program

Page 31: 1. Identify and Classify Sensitive Data and Regulated Systems

• Identify data (PHI/PII/other), networks, & systems
• Understand regulations, standards, contracts, and best practices
• Conduct HIPAA-required risk assessment
  – External/insider threats and vulnerabilities
  – Enterprise-wide
• Minimize data
• Evaluate compliance models (ISO, NIST, HIPAA)

Page 32: 2. Establish Clear Governance

• Review oversight and management
• Identify team roles and responsibilities
• Assess communication structure
• Implement/test controls appropriate to risk

Page 33: 3. Review and Update P&P (Policies and Procedures)

Internal:
• Incident response plan
• Privacy policy
• Security policy
• Document retention

Public facing:
• Web privacy policy
• Notice of Privacy Practices
• Other representations (GLBA notices, etc.)

Do not overpromise (privacy or security)

Page 34: 4. Prepare for an Incident

• Assess reporting and response requirements
• Develop an Incident Response Plan and Toolkit
  – Intake
  – Escalation
  – Investigation
  – Mitigation
• Retain service providers/vendors
• Conduct tabletop exercises
• Review insurance options

Page 35: Key Incident Response Steps

• Follow the plan (and respond quickly)!
• Assemble Response Team (and involve counsel early)
• Investigate/Mitigate/Remediate Incident
• Prioritize Escalation and Repair
• Utilize Retained Forensic Vendors
• Identify Notification/Reporting Obligations
• Notify Insurance
• Evaluate Information Sharing with Industry/Government
• Prepare Litigation Response

Page 36: 5. Review Vendor Management Process

Understand Vendor Risks
• Exploitation of system and network vulnerabilities
• Network access and lack of segregation
• Contractual liability issues
• Reputational and govt./private contracting issues

Page 37: 5. Review Vendor Management Process (continued)

Manage Vendor Risks
• Select capable providers and provide oversight/compliance audits
  – Oversight/audits not required under HIPAA, but increasingly common
• Segregate networks and have access controls
• Review key contractual provisions
  – Privacy/security standards/requirements
  – Investigation
  – Indemnity
  – Incident response
  – Audit
• Ensure access: IT design documents, change/work orders
• Provide/demand training

Page 38: 6. Analyze Audit and Reporting Processes

• Identify and centralize audit processes
  – Internal audit
  – Client audit
  – Government audit
• Ensure key stakeholders are involved

Page 39: 7. Conduct Training

• Upon hire and periodically thereafter
• Weekly/monthly security and privacy reminders
• Role-based and risk-based
• Test training
  – Spear phishing exercises
  – Tabletops

Page 40: 8. Participate in Industry and Government Partnerships

• ISACs & ISAOs (Information Sharing and Analysis Centers / Organizations)
  – NH-ISAC (National Health ISAC)
• CRADA (Cooperative Research and Development Agreement)
• Note: Recent Executive Order on Information Sharing and DOJ and FTC Joint Statement re Antitrust for Cyber Threat Information Sharing Activities

Page 41: 9. Implement Controls to Protect Data and Systems (Besides HIPAA)

• Access control/authentication
• Stronger passwords/smart defaults
• Physical locks
• Automated timing systems to log out users
• Secure data transfer
• Automatic deletion of data
• Prevent automatic syncing of devices

Page 42: Questions?

Page 43: Speakers – Contact Information

Robin B. Campbell, [email protected]
Elliot Golding, [email protected]

Health Care Industry Emerging Legal Issues Webinar Series
• How to Survive a Subpoena/CID: November 17 - John Brennan, David O'Brien
• Advertising and Marketing Issues in the Health Care Industry: TBD - Chris Cole, David Ervin