
Are Your Secrets Safe?
Cyber Security in Today’s Healthcare Workplace
Ryan Bowers and Bob Ludolph, Pepper Hamilton LLP
Ryan Bowers
• Privacy, Security and Data Protection Practice Group
248.359.7745
[email protected]
• Focus on technology law, IP transactions, software licensing
• Companies of all sizes - startups through established tech companies
• In-house counsel and software company experience
Robert Ludolph
• Labor and Employment Practice Group
248.359.7368
[email protected]
• Supervises investigations of misappropriated proprietary and personal information
• Advises on employment discrimination, executive agreements and ERISA issues
• Drafts non-competition and non-solicitation agreements
What’s the Big Deal
• Data breaches are becoming more prevalent and costly.
• Laws are in a state of flux.
• HIPAA adds extra requirements and consequences.
• New technologies present new and varied problems.
• The amount and transmission of data are increasing at unprecedented rates!
Data – New Hardware
• Google Glass
• Health wearables
• Apple Healthkit
• Google Fit
• Pill Scanning Technology
Data – Wearables
• Global Wearable Medical Device Market:
− $2.0B in 2012
− $5.8B in 2019
• Applications:
− Heart Rate and Vitals
− Activity Monitors
− ECG, EEG, EMG
− Baby Monitoring
− Diabetes
Data – Explosion of Health IT Startups
• Medical records and imaging
• Tele-medicine
• Off-shore transcription
• Physician collaboration
• Clinical trials
• Post-discharge patient monitoring
• Physician-only social networking
• FICO scores for health?
Data – What could go wrong?
• Data accuracy
• Standard of care
• Trust in startups and third party software
• Physician learning curve
• Privacy
• Data Security and Data Breaches!
Target Breach
• Hacked via vendor refrigeration contractor
• Information of 110 million people compromised
• $61 million in hacking-related expenses
• VP Technology / CIO / CEO resigns
Community Health Systems Breach
• Data from 5.4M patients, including social security numbers
• Cost: $75-$150M
• Class action filed immediately
• Hackers used the Heartbleed bug to access VPN credentials
• CHS used a lot of open source or free security software
• Bug reported in April – records still being stolen in June
Community Health Systems Breach (cont.)
• FBI:
− “Health care providers typically do not use the same high levels of security technology as companies in other industries.”
− Health care providers and payers could be targeted
− Health Information Exchanges may be particularly tempting for hackers
HIPAA Concerns
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
HIPAA Concerns (cont.)
“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
HIPAA Violation Penalties – ‘Nuff said!
HIPAA Violation | Minimum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation; annual maximum of $25,000 for repeat violations
HIPAA violation due to reasonable cause but not due to willful neglect | $1,000 per violation; annual maximum of $100,000
HIPAA violation due to willful neglect but violation is corrected within required time | $10,000 per violation; annual maximum of $250,000
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation; annual maximum of $1.5 million
Cyber Threats
Anonymous
Hackers?
Employee Practices
Recent Study
• 63% of employees use personal email for sensitive work documents
− 74% believe that their companies approve!
• 63% use remote storage (USB) for work files
• 45% use sites like Dropbox and Box to share sensitive business information
• 30% use cloud storage for work-related files
Reasons
• 52%: Convenience over company system
• 18%: Mobile access
Practical Steps Companies Must Take
1. Preparation
2. Detection
3. Analysis and Prioritization
4. Investigation and Mitigation
5. Notification
− 47 different statutes!
− Time frames critical
6. Post-incident activity
How to Prepare
“Failing to prepare is preparing to fail.” – John Wooden
How to Prepare (cont.)
Know Your Data!
• Nature of data (encrypted?)
• Flow of data (online connectivity? Cloud?)
• Location of data / users
• Ownership v. License
• Open Source?
• Access
How to Prepare (cont.)
• Set up Response Team
• Assess the environment
• Train for the attack and counterattack
Prepare For Your Next Data Breach
• Establish written policies and procedures to regulate compliance
− Privacy Policy (data collection, sharing and retention/destruction)
− Data Breach Policy
− Institute a Business Continuity Plan
− Bring Your Own Device (BYOD) Policy
• Most data breach laws have an “own notification policy exception”
BYOD: Definition
Bring Your Own Device
Permitting employees to bring personally-owned mobile devices (laptops, tablets, and smart phones) to their workplace, and
Defining the use of those devices to access confidential proprietary information and applications.
BYOD: Statistics
80% of employees presently use personal technology for business purposes.
By 2017, 50% of US employers will stop providing devices to employees.
BYOD: Why?
• Cost reduction
• Employee freedom of choice
• Increased productivity and responsiveness
• Innovation and collaboration
Only Two Kinds of Companies
• 54% of organizations have had 5 or more data breach incidents involving a mobile device containing regulated data in the past two years.
• On average, 6,000 records were lost or stolen in each such data breach.
Trade Secret Issues
Trade Secret
• Any “formula, pattern, compilation, program, device, method, technique” in which
• Employers have taken “reasonable measures” under the circumstances to protect the secrecy of the information.
Misappropriation of Trade Secrets
• Is the information “misappropriated” if the employer gives the employee permission to access confidential information on his or her personal device?
BYOD
BYOD: Issues
• Employment issues
• Security risks
• Restrictions on employers’ ability to access and control
Are the savings and efficiencies worth the costs and exposure?
BYOD Policy
Reduce risks by:
• Having a clear policy in place
• Limiting the employees entitled to use personal devices
• Training management on the company’s right to access and the employee’s reasonable expectations of privacy
• Segregating personal and work data where possible
• Prohibiting circumventing or disabling security features
BYOD Policy Components
• No expectation of privacy in the workplace
• Prohibit sharing of devices
• Must report lost or stolen devices
• Prohibit use of cloud-based storage of proprietary data
• Obtain employee consent to monitoring
• Obtain employee consent to remote wiping
• Instruction to employee to preserve data
Other Policies Implicated by BYOD
• Electronic Communications/Social Media
• Confidentiality
• Code of Conduct
• Return of Company Property
• Intellectual Property
• EEO & Harassment
• Recording Time and Overtime
• Leaves of Absence
• Workplace Safety
Other Practices Implicated by BYOD
• Employment Agreements
• Non-competition and Non-solicitation Agreements
• Separation Agreements
• Independent Contractor Agreements
• Records Management and Retention
• Litigation Holds
Do You Have a Cyber Security Strategy?
• Collection and management of personally identifiable information
• Design and implementation of effective security measures
• Training of supervisors and employees
• Review contractors and vendors
• Monitoring compliance
• Development of breach response procedures
Comprehensive Security Environment
• Onboarding
• Periodic Reminders
• Sunset Passwords
• Confidentiality Acknowledgements
• Restrict Storage
• Exit Strategies
Compliance Strategy
• Understand the legal environment
• Survey the risk landscape
• Assess the benefit of cyber insurance
• Prepare for the inevitable data breach
• Organize data security teams
− IT
− Legal
− Communications
− Human Resources
Do Not Simply REACT
Review Your Policies
Monitor the Cyber Risks
Foster an Organizational Commitment to Security
Conduct Regular Audits
Understand the Legal Compliance Environment
Train Your Team Members
Questions & Answers
Bob Ludolph
[email protected]
248.359.7368
Ryan Bowers
[email protected]
248.359.7745