13th AMC Security & Privacy Conference June 12, 2017

Transcription

1 13th AMC Security & Privacy Conference June 12, 2017 Tatiana Melnik Melnik Legal PLLC Tampa, FL Ryan Vlcko McLaren Health Care Corporation Flint, MI

2 Outline I. A Few Words About McLaren II. Why the Focus on Vendors? III. Tips and Lessons from the Trenches A. The Right Process B. Risk Mitigation Business Associate Agreements Insurance C. The Break Up and Holding Vendors Accountable

3 o Headquartered in Flint, Michigan o Fully integrated health network 12 hospitals operates Michigan s largest network of cancer centers and providers ambulatory surgery centers, imaging centers, home health and hospice providers, retail medical equipment showrooms, and pharmacy services an employed primary care physician network commercial and Medicaid HMOs covering more than 250,000 lives a wholly owned medical malpractice insurance company

4 Key Operational Statistics (2015) Discharges 102,597 ER Visits 405,098 Surgeries 92,052 Births 6,057 Ambulatory Visits 3.2 Million Home Care Visits 175,516 Hospice Days 79,994 Licensed Beds 3,096 Community Benefit $201 Million Employees 22,000 Days of Inpatient Care 461,882 Contracted Providers 40,317 Annual Payroll $1.2 Billion Net Revenue $3.5 Billion

5

6 Healthcare = Vendors Continua Health Alliance,

7 Vendors Create Risks Processed and analyzed over 100 terabytes of traffic daily 49,917 unique malicious events 723 unique malicious source IP

8 Vendors Create Risks Breaches Disclosed to OCR: Top 10 Based on Patient Impact Entity Name Type No. Patients Impacted Date Reported Cause Anthem, Inc. Health Plan 78,800,000 03/13/2015 Hacking/IT Incident Premera Blue Cross Health Plan 11,000,000 03/17/2015 Hacking/IT Incident Excellus Health Plan, Inc. Health Plan 10,000,000 09/09/2015 Hacking/IT Incident Science Applications International Corp. Business Associate 4,900,000 11/04/2011 Loss Univ. Cal. - LA Provider 4,500,000 07/17/2015 Hacking/IT Incident Community Health Systems Advocate Health and Hospitals Corp. Medical Informatics Engineering Business Associate 4,500,000 08/20/2014 Theft Network Server Provider 4,029,530 08/23/2013 Theft Network Server Business Associate 3,900,000 07/23/2015 Hacking/IT Incident Banner Health Provider 3,620,000 08/03/2016 Hacking/IT Incident Newkirk Products, Inc. Business Associate 3,466,120 08/09/2016 Hacking/IT Incident

9 Vendors Create Risks Breaches Disclosed to OCR: Top 10 Based on Patient Impact Entity Name Type No. Patients Impacted Date Reported Cause Anthem, Inc. Health Plan 78,800,000 03/13/2015 Hacking/IT Incident Premera Blue Cross Health Plan 11,000,000 03/17/2015 Hacking/IT Incident Excellus Health Plan, Inc. Health Plan 10,000,000 09/09/2015 Hacking/IT Incident Science Applications International Corp. Business Associate 4,900,000 11/04/2011 Loss Univ. Cal. - LA Provider 4,500,000 07/17/2015 Hacking/IT Incident Community Health Systems Advocate Health and Hospitals Corp. Medical Informatics Engineering Business Associate 4,500,000 08/20/2014 Theft Network Server Provider 4,029,530 08/23/2013 Theft Network Server Business Associate 3,900,000 07/23/2015 Hacking/IT Incident Banner Health Provider 3,620,000 08/03/2016 Hacking/IT Incident Newkirk Products, Inc. Business Associate 3,466,120 08/09/2016 Hacking/IT Incident

10 Vendors Create Risks Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US only data)

11 Vendors Create Risks Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US only data)

12 Outline I. A Few Words About McLaren II. Why the Focus on Vendors? III. Tips and Lessons from the Trenches A. The Right Process B. Risk Mitigation Business Associate Agreements Insurance C. The Break Up and Holding Vendors Accountable

13 The Right Process o Is there a right process for vendor management? o The right process is. The one that mitigates the most risk for the company? The one that closes transactions fastest so that we can go back to treating patients? The one you can get your team to follow? o Are these all the same goals? Mutually exclusive?

14 The Right Process Not Defined No process defined Ad hoc and inconsistent Defined & Established Consistent but unstructured approach Document and detailed, but not measured or enforced Continuous Improvement Ongoing monitoring, measuring, and process improvements Best practices and benchmarking

15 The Right Process o What is McLaren s process? o How does McLaren determine what contracts get reviewed? Importance of the vendor? Value of the transaction? Risk to the organization? Term of commitment? Are these all the same goals? Mutually exclusive?

16 The Right Process o Successful vendor management is a Team Sport Business Lead Purchasing Security Officer Compliance Legal Risk Management o But, who is the Coach?

17 Vendor Risk Mitigation o Vendor Due Diligence Vendor security questionnaire Audit self-certify or disinterested third party vendor? Certificate of insurance How much is an indemnification provision from a judgment proof company worth? General online search or search on Shodan? Check OCR wall of shame o Can due diligence be done on every vendor?

18 Vendor Contracting o Business Associate Agreements vs. Master Services Agreements what do they say about: Reporting Data breach insurance Using off-shore vendors? Damages caps? Data use

19 Vendor Contracting o Secondary Uses of Data Data is the new commodity Many vendors want the rights to share data outside the specific contract relationship to provide additional services... to whom? Permissible under HIPAA? Maybe some say yes, some say no, some say depends on who is doing the de-identification Specific analysis required How does this impact --- Indemnification? Damages caps that are set at the fees received during the 12 months prior to when the claim arose?

20 Vendor Contracting o Business Associate Agreements Scope of authorization to use data Who determines when there is a breach? Is there a requirement to notify in the event of a security incident Timeline must be considered, particularly if organization is operating in multiple states or servers a patient population pool that crosses state lines Who determines when notice is required and who sends that notice? Watch your insurance policy on this one Is the vendor required to encrypt data? Who pays for responses to a subpoena? Caps on liability? Should there be?

21 Vendor Contracting o Indemnification Mutual or not? Consider - Should a customer be indemnifying the vendor for Vendor s negligence? acts, omissions, or negligence vs. gross negligence vs. willful misconduct Property damage/personal injury Property rights infringement claims (patent, trademark, copyright, etc.) Data breaches, security incidents, and loss of data

22 Vendor Contracting o Confidentiality Clause If the hospital is not permitted to disclose the terms of this Agreement, what happens if it has to file for a Certificate of Need? If there is an accreditation audit? What happens post-termination? Can a hospital really destroy all Confidential Information? o Rep and Warranty for Security... develop, implement, and maintain commercially reasonable physical, technical and administrative safeguards... has security protocols that meet or exceed compliance with any required laws, regulations, and the SOC 1 and SOC 2 Type II standards, which will be audited on an annual basis by a disinterested third-party auditor. Vendor will provide to Customer a copy of such audit report upon written request.

23 Insurance o A data breach is inevitable o Data breach insurance = Risk reduction o But, how do insurance companies try to reduce risks?

24 Insurance o A data breach is inevitable o Data breach insurance = Risk reduction o But, how do insurance companies try to reduce risks?

25 Insurance They try to cancel your policy. o A data breach is inevitable Columbia Casualty Co. v. Cottage Health Systems (C.D. California) Filed May 7, 2015 (first case of its o Data breach kind) insurance = Risk reduction Columbia paid $4.125M to settle a class action stemming from a breach (32,500 records disclosed; settlement class of o But, how do insurance companies try to 50,917) reduce risks? The complaint alleges that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. ( INSYNC ), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who surfed the internet. Columbia sought to recoup funds paid

26 Insurance o Read the policy o Some policies exclude coverage o o for damages that arise out of activity that is contrary to your Privacy Policy What does your Privacy Policy say exactly? for agents or vendors where there are no contracts for losses if the data is stored in the cloud for work done by independent contractors if laptops are not encrypted (using FIPS validated encryption algorithm) Some policies require notification to the policy as a condition of coverage. How much is an indemnification provision from a judgment proof company worth?

27 The Break Up o A few final thoughts learned from when things went wrong

28 Disclaimer This slide presentation is informational only and was prepared to provide a brief overview of vendor management considerations in the healthcare industry. It does not constitute legal or professional advice. You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation.

29 Questions Tatiana Melnik Attorney Melnik Legal PLLC Based in Tampa, FL Ryan Vlcko Staff Attorney McLaren Health Care Corporation Based in Flint, MI