Understanding Cyber Risk in the Dental Office. Melissa Moore Sanchez, CIC

Size: px

Start display at page:

Download "Understanding Cyber Risk in the Dental Office. Melissa Moore Sanchez, CIC"

Marilynn Harvey
5 years ago
Views:

1 Understanding Cyber Risk in the Dental Office Melissa Moore Sanchez, CIC

Data Breaches are Escalating Between February 5, 2005 and May 26, 2012 561,465,563 records containing sensitive personal information have been involved in security breaches!

2 Data Breaches are Escalating Between February 5, 2005 and May 26, ,465,563 records containing sensitive personal information have been involved in security breaches! HIPAA Health Insurance Portability and Accountability Act of 1996 Health care organizations must maintain reasonable and appropriate technical and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information Source: Privacy Rights Clearinghouse Chronology of Data Breaches Security Breaches 2005 Present Posted Date: April 5, 2005 Updated Date: May 28, Safeguards must apply to both transmission of information, as well as storage Cyber Risk Exposures Identify theft from lost or stolen PHI Theft of laptop, Smartphone Employee error Malicious employee intent Inappropriate destruction of patient data HIPAA Requires notification within 60 days of a privacy breach involving an individual s HIPAA-covered personal health Requires business associates to meet most security requirements that previously applied only to covered entities Authorizes State Attorneys General to bring suit for HIPAA violations Requires notification of the Department of Health & Human Services and the media in privacy breaches involving 500 or more individuals U. S. Federal Legislation Sarbanes-Oxley Act On December 8, 2009, the House passed the Data Accountability and Trust Act (H.R. 2221) The legislation would, among other things, require all businesses to implement safeguards to protect reasonably foreseeable data vulnerabilities and to notify customers if their personal information is breached

3 HIPAA HITECH Act What is the HITECH Act? The Health Information Technology for Economic and Clinical Health (HITECH) Act significantly modified and strengthened many aspects of the HIPAA Security Rule, including the penalties that the U.S. Department of Health and Human Services (HHS) could impose for violations of the HIPAA rules HIPAA HITECH Act It was designed to protect the confidentiality, integrity, and availability of health information which is vulnerable to and must be protected from: Hacker and disgruntled employee abuse Untrained personnel mishandling Exploitation by people not having a need to know Unplanned system outages Burglary and theft Fire, flood, and other natural disasters HIPAA HITECH Penalties For HITECH Act Violations Who is affected and what is the exposure? Covered Entities (CES) include all health care providers (physicians, dentists, therapists, psychologists, pharmacists, etc.), health care clearinghouses, and health plans (i.e., health insurance companies) that electronically store, process or transmit electronic health information (EPHI) A New Civil Monetary Penalty (CMP) System makes monetary penalties mandatory for violations HITECH Act section (d) Became effective February 18, 2009 Requires civil penalties be funneled back into the Department of Health and Human Services Office of Civil Rights enforcement budget. HIPAA The HIPAA law requires all health care Covered Entities (CES) and their Business Associates (BAS) safeguard the privacy of patient health information. The HIPAA law also requires CES and BAS to implement required security measures to protect patient health information Penalties for HITECH Act Violations Violations range from did not know to willful neglect - not corrected Penalties range from $100 to $50,000 for each violation Penalties are capped at $1,500,000 for each violation

4 Penalties for HITECH Act Violations Did not know $100-50,000* $1,5 M Cap ** Reasonable cause $1,000 50,000* 1,5 M Cap ** Willful Neglect Corrected $10,000 50,000* 1,5 M Cap ** Willful Neglect Uncorrected 50,000* 1,5 M Cap ** * Each violation ** Penalty cap for multiple violations of an identical requirement or prohibition in a calendar year How Does This Affect Me? Each state s requirements may be different than my practicing state State s laws will supersede if stricter You may have patients living in other states/countries who will need to be contacted State Security Breach Notification Laws Currently 47states (plus Puerto Rico, Washington D. C. & Virgin Islands) require notification after unauthorized access to PHI Many states require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies Some states allow private right of action for violations Many states have their own violation/penalty structure in addition to HIPAA Different countries have their own requirements Data Breach Can Happen to Anyone and It s Happening Everyday Theft or lost laptop, smart phone or flash drive Sensitive information of dozens of patients found in recycling bin Trusted employee selling patient information Burglary resulting in stolen computers IT incident caused patient information to be exposed The server was hacked and records stolen Employee made an error Cloud technology will afford more opportunities Some State Examples Connecticut: Insurance Department Bulletin IC-25 All licensees and registrants of the Department notify the Department (Commissioner) of any information security incident which affects any Connecticut residents as soon as the incident is identified, but no later than five (5) calendar days after the incident. Massachusetts: 201 CMR 17 Protection of Personal Information All businesses that store Massachusetts Residents personal information must develop a written information security program (WISP) Nevada: Mandates that data collectors doing business in Nevada comply with Payment Card Industry Data Security Standards (PCI DSS) California: Augments federal HIPAA provisions Breach requires notice to California Department of Health and affected individuals within 5 days State can fine institution up to $250,000 per violation Allows private right of action Cyber Risk Trends Data breaches are increasing Malicious attacks were up 31% in 2010, from 24% in 2009, from 12% in 2008 Lost/stolen laptops account for 35% of data breaches Negligence (employee errors) leading cause 41% Ponemon Institute, LLC 2010 Annual Study: U. S. Cost of a Data Breach

Industries Most Affected Breach Related Expenses 47% 18% 16% 18% Edu - 18% Gov - 18% Med - 16% Biz - 47% Notification Public Relations Forensics Legal Creating letter Advertising and Legal expenses

5 Industries Most Affected Breach Related Expenses 47% 18% 16% 18% Edu - 18% Gov - 18% Med - 16% Biz - 47% Notification Public Relations Forensics Legal Creating letter Advertising and Legal expenses for Responses to or other notification press releases outside attorney claims or suits Printing or design Call Center Cost of forensic Payment of Operations examinations judgments or Mailing or other settlements transmissions Other services for Cost to remediate affected persons discovered vulnerabilities Credit monitoring Cyber Risk Understanding the Trend Breach Expenses by Activity The findings of this benchmark study pertain to the actual data breach experience of 51 U.S. companies from 15 different industry sectors, all of which participated in the 2010 study. TOP FINDINGS For the first time, malicious or Data breaches in 2010 cost criminal attacks are the most their companies an average of expensive cause of data $214 per compromised record breaches up $10 (5 percent) from last year. For the third straight year The most expensive data direct costs accounted for a breach included in this year s larger proportion of overall data study cost a company $35.3 breach costs million 88% of organizations surveyed had at least one data breach Activity Percent Dollar Investigation & Forensics 11% $23 Audit & Consulting Services 10% $21 Outbound Contact 5% $10 Inbound Contact 6% $13 Public Relations/Communications 1% $2 Legal Services Defense 14% $30 Legal Services Compliance 2% $4 Fee or Discounted Services* 1% $2 Identity Protection Services* 2% $4 Lost Customer Business* 39% $83 Customer Acquisition Cost* 9% $19 Total 100% $214 Research conducted by Ponemon Institute, LLC 2010 Annual Study: U.S. Cost of a Data Breach * Uninsurable costs Ponemon Institute, LLC 2010 Annual Study: Cost of a Data Breach Data Breach Trends Chronology of Data Breaches April 23, 2012 Office of Dr. Gloria Traje-Quitoriano, Fresno, CA Laptop was stolen from her husband s car. The laptop contained patient names, Social Security numbers, dates of birth, phone numbers and addresses. The laptop was not encrypted. Lost laptops account Negligence remains the for 35% of data most common threat, breaches and cost more and an increasingly - $258* per expensive one compromised record - Breaches from negligence in 2010 averaged $196 per record, up $42 (27 percent) from 2009 April 20, 2012 Office of Dr. Rex Smith, Eugene, OR An office burglary that occurred on or around February 19 resulted in the theft of medications and a computer. The computer contained patient names, Social Security numbers, and dates of birth. It is unclear if the computer was encrypted. The total number of patients affected and all types of information exposed are also unclear. April 19, 2012 Cigna Dental, Bloomfield, Connecticut On March 23, 2012, an employee sent an unencrypted document to the personal s of herself and her son. The document contained the first names of customers and their SS numbers. Cigna became aware of the incident and took immediate action. The employee claimed she sent the document to obtain help with work from her son. She confirmed that both she and her son deleted the and was fired. April 12, 2012 Perry Dental, Riverside, CA Computer equipment that contained patient insurance information was taken during an office burglary. * Will only go up with Cloud technology and smart phones Research conducted by Ponemon Institute, LLC 2010 Annual Study: U.S. Cost of a Data Breach Published on Privacy Rights Clearinghouse ( Today s date: May 29,

6 Chronology of Data Breaches March 22, 2012 Flex Physical Therapy, Bothell, WA Three computers were stolen on December 30, 2011; One of the computers contained the protected health information of patients. March 22, 2012 Delta Dental, Sacramento, CA The unauthorized disclosure of paper records, sometime around December 22, 2011, may have resulted in the exposure of protected health information. March 22, 2012 Indiana Internal Medicine Consultants, Greenwood, Indiana The February 11, 2012 theft of a laptop resulted in the exposure of protected health information. March 12, 2012 Impairment Resources, LLC, San Diego, CA An office burglary on New Year s Eve 2011 resulted in the loss of hardware that contained sensitive personal information. The full names, addresses, SS numbers and medical information of clients were on the hardware. Impairment Resources notified patients in February and then filed bankruptcy in March. The high cost of handling the breach led directly to the decision to file for bankruptcy. Information Source: California Attorney General March 9, 2012 Office of Dr. David Turner An office burglary resulted in the theft of a laptop and other items. The laptop contained information of current and former patients. It is unclear what type of information the laptop contained. A widespread notification of the breach was released in March after many patients could not be reached by mail. Privacy Liability: What are the Risks? Costs? Cost to notify each affected individual by mail Cost of Credit Monitoring services for individuals whose data has been breached Cost for Call Center to manage calls from affected patients Published on Privacy Rights Clearinghouse ( Today s date: May 29, Cyber Risk Exposures Hack, theft or loss of confidential information Appropriately manage forensics after a breach has occurred Obligation to notify patients and monitor their credit record What Additional Exposures Exist? Damage to reputation; a dentist could lose the trust of his or her patients Loss of potential new business Discounted services HIPAA s high standard could be cited in civil litigation thereby creating the potential for even larger criminal and civil settlements Lawsuits from security or technology error that result in damage to your patients Privacy Liability: What are the Risks? Costs? Legal costs to manage federal and state compliance Lawsuits alleging breach of fiduciary duty in violating the right to privacy Expense to hire an attorney to defend the suit, whether frivolous or not Business interruption: cost of managing the crisis How valuable is your time? Your staff s time? It Pays To Do Your Homework Studies show those who took a more rapid response to a breach paid 54% more than companies that took a more surgical approach. Over-notified customers not at risk Customers not at risk lost confidence Quick response spent $268 per record Slower response spent $174 per record 2010 Annual Study: U. S. Cost of a Data Breach Ponemon Institute Benchmark Study

Be Prepared Create a plan, including: Know in advance which state, federal and local law enforcement agencies should be contacted Protect your affected systems for a proper forensic investigation by

7 Be Prepared Create a plan, including: Know in advance which state, federal and local law enforcement agencies should be contacted Protect your affected systems for a proper forensic investigation by the experts Know your time constraints for contacting affected patients Legal counsel for compliance issues Legal counsel for defense issues Mind Those Laptops! Laptops may contain large amounts of sensitive information Consider policies against allowing staff to connect their personal laptop or other mobile devices to computer Laptops and other mobile devices frequently have no security or no strong security Be Prepared Disc Drives and Back-up Tapes Know who you would contact to establish: Credit monitoring services Identity theft management Call center Be prepared to respond to media inquiries: Statements to the press Face book Twitter Staff response to calls Organizations may either sell or give away used disc drives. Information may still be accessible, even off of a scrubbed drive. Off-site storage or back-up tapes are fundamental to disaster recovery plans! Are tapes secure from unauthorized access? Is the data warehouse responsible for a breach? Be Prepared Cyber Risk is Here to Stay Make sure your policy is reviewed and adopted by your staff Test, review and update your technical systems regularly Monitor websites for infiltration by malicious code Monitor for malware Watch external access to computers ( e.g. repair personnel) Understand your risk! Call your cyber security insurance carrier

8 Contact Northwest Dentists Insurance Company North Creek Parkway, Suite 214 Bothell, WA NORDIC Melissa Moore Sanchez Direct: (503) Fax: (425)

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile