2. Speaker Introductions
Rebecca Frigy Romine, Shareholder, HIPAA | Health Information Privacy and Security, Polsinelli
Montez Fitzpatrick, Director of Information Security and Compliance, Keystone Technologies
J. Monte Shields, Manager, Agency Marketing, The Keane Insurance Group, Inc.
3. Agenda
Recent cyber security attacks and threats
Placing your organization in the best position to prevent and respond to an attack
An attack has happened, now what? Health care organization legal obligations and mitigation approaches
Effectively working with your cyber liability insurance carrier and law enforcement
4. Recent Cyber Security Attacks, Threats, and Trends
The 2017 Cyber Healthcare & Life Sciences Survey found that 47 percent of providers and health plans had a security-related HIPAA violation or a cybersecurity attack that impacted data.
– This is an increase of 10% from 2015
Office for Civil Rights data regarding breaches involving 500+ individuals
Ransomware – WannaCry
Phishing and social engineering
Other attacks
5. Preparing for a Cybersecurity Attack
It’s not a matter of IF an attack will occur, but rather WHEN…
Steps to take to help address the WHEN:
– Implementing an effective compliance program
– Information assurance and information system architecture
– Obtaining adequate cyberliability coverage
6. Key Security-Related Aspects of an Effective Compliance Program
View the HIPAA Security Rule only as a baseline and policy framework requirement
– Risk Analysis and Risk Management Plans
– Encryption and password management
– “Addressable” does not mean “Optional”
Ensuring internal/external expertise is readily available
Effective workforce training and monitoring
Effective incident response procedures
8. Value of Information Assurance
[Figure: the “Triple Funnel” – three stages, INTELLIGENCE (actualize), RISK (assign), and BUSINESS CONTINUITY (realize)]
INTELLIGENCE – actualize
– What assets do we have; what are they worth?
– Who are our adversaries; what are their capabilities?
RISK – assign
– Analysis
– Management
– Assessment
BUSINESS CONTINUITY – realize
– Operations
14. Value of Information Assurance
[Figure: BUSINESS CONTINUITY – Operations, shown as a diagram relating Incident Handling, Disaster Response, Emergency Mode Operations, and Business Continuity]
17. Incident Handling Preparation
Assign roles and responsibilities
Determine the information needed to reconstruct an event
Define relationships with third parties
Train your team
18. Cyberliability Coverage
Risk Management Solutions
– Eliminate Risk
• For some risks this is impossible
– Minimize/Reduce Risk
• Risk Analysis – make adjustments/corrections
• HIPAA Compliance
• Train Staff – security, notification, response
– Transfer Risk – Insurance
• Purchase a separate policy
19. Cyberliability Coverage
Types of coverage
Medical malpractice policies have limited coverage for Cyber Liability
– Covers only the named insured
– Limited liability limits
– Limited coverage
Most GL (general liability) policies and BOPs (business owner’s policies) exclude Cyber Liability or have limited coverage
– Needs to be added by a rider or endorsement
– Limited coverage – no coverage for regulatory violations
20. Cyberliability Coverage
Purchase Stand-Alone Coverage
– Make sure the policy includes:
• $1,000,000 limit
• Data loss
• Data breaches
• Regulatory violation coverage – HIPAA, HITECH, RAC, etc.
• Notification expenses, credit monitoring, forensics, PR
• Business interruption
• Multimedia coverage for slander, libel, copyright, false ads
• Read the exclusions
Reporting to and working with your insurance carrier
21. Effectively Responding to an Attack
Time is of the Essence
– Immediate isolation
– Notification timeframes (including the insurance carrier)
Engaging Outside Assistance
– Security forensic experts
– Legal counsel
– Law enforcement
Returning to Business As Usual
22. Legal Obligations Following an Attack
HIPAA Breach Risk Assessment and Notification Obligations
– Must consider whether PHI was unavailable, not just whether it was impermissibly accessed, used, or disclosed.
State Law Notification Requirements
Addressing Weaknesses and Vulnerabilities
Preparing for a Potential Investigation
23. Key Takeaways
Too small to be a target is a myth.
Preparation does not equate to prevention, but it is the most important mitigation step.
All individuals at your organization are responsible and need to be involved.
Time is always of the essence.
Human error cannot be 100% prevented, but awareness goes a long way.