Healthcare Data Breaches: Handle with Care.


ID Experts Webinar, November 13, 2012. www.idexpertscorp.com

The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states.

Presenters
- Jeremy Henley, Insurance Solutions, ID Experts (jeremy.henley@idexpertscorp.com)
- Anthony Dagostino, VP, Professional Risk, ACE Group (Anthony.Dagostino@acegroup.com)

Webinar Agenda
- Emerging trends in data breach
- How healthcare data breaches are different
- Proven strategies to optimize your breach response
- Privacy liability insurance coverage and benefits

Mobile Threats
- New technologies create new risks
- Use of multiple mobile devices creates multiple data access points
- Devices are often unencrypted
- Increasing use of personal devices (the BYOD trend)

Outsourcing Risks
- Economics drives organizations to outsource software and services
- The cloud introduces new risks that are difficult to control
- Outsourced business services, especially those located outside the US, multiply the points at which data is exposed

Root Causes of Data Breaches (source: ACE USA Healthcare Privacy Claim Trends, 2012)

Top breach triggers (percent of claims):
  Human error               20%
  Hack                      20%
  Lost/stolen laptop        15%
  Paper                      9%
  Lost/stolen tapes/CDs      9%
  Privacy policy violation   4%
  Lost/stolen USB            4%
  Software error             3%
  Lost/stolen mobile         3%

By type of organization (percent of claims):
  Hospitals                           58%
  MCO (managed care organization)     20%
  Vendor (billing/TPA/IT/software)    11%
  Office/rehab/LTC                    10%

Note that lost or stolen media (laptops, tapes/CDs, USB drives, mobile devices) together account for 31% of claims, more than hacking; this is the exposure that the unencrypted-device point under Mobile Threats refers to.

Healthcare Data Breaches are Different
- Type of data lost
- Complexity of rules and regulations
- Common threats
- Rigorous enforcement
- Reputational harm
- Costs
- Cyber/privacy insurance

Financial Burden of Healthcare Breach

First-party expenses:
- Breach coach/consultant
- IT forensics firm
- Legal
- Compliance with regulations
- Indemnification rights
- Notification
- Call center
- Public relations/crisis management
- Credit monitoring/freezing
- EOB (explanation of benefits) monitoring
- ID restoration/investigation

Third-party expenses:
- Lawsuits
- Regulatory violation allegations (HIPAA/HITECH)
- Patient claims (emotional distress, mental anguish)
- Regulatory fines: HIPAA, HITECH, FTC, state Attorney General inquiries/fines
- PCI DSS assessments (contractual penalties passed down by the card brands through the acquiring bank, not regulatory fines)
- HHS/OCR audits and investigations

Employee Misplaces Flash Drive
An employee misplaced a key chain with an attached flash drive, which contained the PHI of approximately 270 patients. The provider retained counsel and notified the impacted individuals.
Insured costs: $27,000 in legal fees and notification costs.

The claim scenarios described here are hypothetical and are offered solely to illustrate the types of situations that may result in claims. These scenarios are not based on actual claims and should not be compared to an actual claim. The precise coverage afforded by any insurer is subject to the terms and conditions of the policies as issued. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.

External Vendor Can't Find Hard Drives
A healthcare provider contracted with a national vendor to relocate hard drives and servers. After taking inventory, the provider discovered several missing hard drives containing PHI. The provider retained legal counsel to analyze regulatory obligations, and vendors to conduct forensics, notify impacted individuals, and offer credit monitoring services. The notifications resulted in regulatory inquiries and the filing of several class action suits.
Costs adding up:
- Forensics, legal fees, notification, call center, credit monitoring
- Legal fees for the class actions and for responses to regulatory inquiries

Understanding Gaps Reduces Risks
Complete an annual privacy and security risk assessment covering:
- Data inventory
- Policy review
- IT security review
- Business associate assessment
- Cyber liability insurance review

When a Breach Occurs
Follow a prescribed approach, such as the ID Experts YourResponse Method, whose four phases (Discover, Analyze, Formulate, Respond) are outlined on the slides that follow.

Discover Phase
Determine what happened:
- What are the facts of the incident?
- Are forensics necessary?
- Treat findings like evidence, because they are.

Discover Phase: Preliminary Work
Contact applicable parties ASAP:
- Insurer
- Breach coach
- Law firm
- Law enforcement
- Affected banks
- Forensics firms
Initial steps:
- Compliance assessment
- Operations analysis:
  - Vendor/subcontractor contract review
  - Applicable regulators
  - Internal policies in place
- Develop timeline
- Prepare budget
- Assess vendors (forensics, PR, etc.)
- Document everything
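The Discover phase above says to treat findings as evidence, build a timeline and document everything. The following Python script is an added example, not material from the webinar or from ID Experts: it hashes each collected artifact at the moment it is gathered, records who collected it and when, and chains the entries so that a later edit to either an artifact or the manifest itself is detectable. The file names, log contents, hostname and collector name are constructed for illustration.

```python
"""Evidence manifest for breach-investigation findings.

Added example (not part of the ID Experts webinar): preserve the integrity of
collected artifacts and keep a tamper-evident collection timeline. File names,
contents, hostnames and people named below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash value for the first manifest entry


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so multi-gigabyte images are not loaded into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def entry_hash(entry):
    """Hash of an entry's content, excluding its own hash field (canonical JSON)."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_artifact(manifest, path, collected_by, note):
    """Append a chained manifest entry for an artifact at the moment it is collected."""
    entry = {
        "artifact": os.path.basename(path),
        "sha256": sha256_file(path),
        "size": os.path.getsize(path),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "note": note,
        "prev_entry_hash": manifest[-1]["entry_hash"] if manifest else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    manifest.append(entry)
    return entry


def verify_manifest(manifest, directory):
    """Return a list of problems; an empty list means chain and artifacts are intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(manifest):
        if entry["prev_entry_hash"] != prev:
            problems.append(f"entry {i}: chain broken (entry inserted, removed or reordered)")
        if entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: manifest entry altered after recording")
        path = os.path.join(directory, entry["artifact"])
        if not os.path.exists(path):
            problems.append(f"entry {i}: artifact {entry['artifact']} missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"entry {i}: artifact {entry['artifact']} modified since collection")
        prev = entry["entry_hash"]
    return problems


def demo():
    """Constructed scenario: two artifacts are collected, then one is edited afterwards.

    Returns (problems_before_edit, problems_after_edit).
    """
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    samples = {  # constructed sample artifacts, not real logs
        "dlp-alert.log": b"2012-11-13T09:12:05Z DLP alert: removable media mounted on WS-0417\n",
        "ws-0417-usb-events.csv": b"time,device,action\n2012-11-13T09:11:58Z,USB flash drive,mount\n",
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(data)

    manifest = []
    record_artifact(manifest, os.path.join(workdir, "dlp-alert.log"),
                    "j.doe (IR lead)", "exported from DLP console")
    record_artifact(manifest, os.path.join(workdir, "ws-0417-usb-events.csv"),
                    "j.doe (IR lead)", "USB mount history pulled from the workstation")
    before = verify_manifest(manifest, workdir)

    # A well-meaning admin "tidies" the log after collection; the check must catch it.
    with open(os.path.join(workdir, "dlp-alert.log"), "ab") as fh:
        fh.write(b"# cleaned up\n")
    after = verify_manifest(manifest, workdir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before edit:", before or "intact")
    print("after edit:", after)
```

Run stand-alone, the check passes on the freshly collected files and reports the edited log afterwards. In a real engagement the manifest would be written out and ideally signed or lodged with a third party such as counsel rather than kept in memory, and the streamed hashing is what makes the same routine workable for full disk images.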

Analyze
Determine if the incident is a breach by analyzing the facts against applicable federal and state laws:
- What data?
- Was it exposed?
- Is there an exception (safe harbor) that applies?
- Is there a risk of harm?
- Is there a notification obligation?
If there is no notification obligation, document the analysis.
Note that this webinar predates the HIPAA Omnibus Final Rule (published January 2013), which replaced the interim rule's "risk of harm" test: an impermissible use or disclosure of unsecured PHI is now presumed to be a breach unless a documented risk assessment (the nature of the PHI, who received it, whether it was actually acquired or viewed, and the extent of mitigation) shows a low probability that the PHI has been compromised.

Formulate
Formulate a risk-proportionate response based on:
- The nature of the event
- Type of data lost
- Needs of the breach population
- Sensitivity of organizational reputation
- Industry or stakeholder expectations
- Applicable laws and regulations
- Real and/or perceived risk of lawsuit

Respond
- Sending the letter
- Taking the calls
- Handling the press
- Managing escalations
- Monitoring legal activity

Privacy Liability Coverage
It's not just cyber insurance: coverage is for enterprise-wide risk, from IT to HR to regulatory fines and penalties.
Three primary types of coverage:
- Privacy liability
- Data breach expenses
- Network security liability
Also available:
- Internet media liability
- Network extortion
- Business interruption and digital asset loss

Privacy Liability Coverage
Buyers are not just IT, but include:
- Risk managers
- CISO/CPO
- General counsel
- Compliance officers
- CFO
Affirmative coverage is key! What is the intent of your general liability (GL), crime, and directors and officers (D&O) policies, and will they actually respond to a privacy event?

Privacy Liability Coverage
Does your policy include coverage for:
- Independent contractors?
- Temp staff and part-time help?
- Unencrypted data?
- Hard-copy documents and the spoken word?
- Mobile devices?
- Third-party vendors related to your IT?
Does your insurance carrier:
- Provide access to tools, resources, and pre-negotiated rates for pre-screened data breach vendors?
- Have underwriters, product managers, and claims handlers dedicated to privacy/cyber liability in the healthcare industry?

Privacy Liability Coverage: Post-Breach Response
- Does your insurance carrier's approach fit your industry?
- Resources should be scalable to your organization: do they complement or completely outsource your incident response process?
- Vendor choice is important!
- Don't overlook your third-party liability coverage:
  - Patient class actions
  - Statutory damages
  - Credit card issuer demands
  - Regulatory fines and penalties (where insurable)
- Premiums vary widely depending upon coverage levels

Wrap-up
- Follow a multi-discipline approach to minimize data breach risk
- Privacy and compliance should be involved in the data breach response decision-making process
- A one-size-fits-all approach doesn't work for data breaches
Best practices for selecting a privacy liability insurance policy:
- Review policy language carefully
- Understand the tools and resources the carrier provides
- Evaluate the level of experience of the claims staff

Q&A
- Jeremy Henley, Insurance Solutions Executive, ID Experts. Jeremy.henley@idexpertscorp.com, 760-304-4761
- Anthony V. Dagostino, Vice President, Eastern Zone Manager & Healthcare Privacy/Technology Product Manager, ACE USA. Anthony.Dagostino@acegroup.com, 201-479-6381