1. Healthcare Cyber Security
PRESENTED BY
HEALTH CARE MANAGEMENT
&
ARTHUR J. GALLAGHER RISK MANAGEMENT
SERVICES
JANUARY 23, 2013
2. AJG & HCM
Arthur J. Gallagher
Arthur J. Gallagher & Co., one of the world's largest insurance brokerage and risk management services firms, provides a full range of retail and wholesale property/casualty (P/C) brokerage and alternative risk transfer services globally, as well as employee benefit brokerage, consulting and actuarial services. Gallagher also offers claims and information management, risk control consulting and appraisal services to clients around the world.
Health Care Management
Health Care Management is a cutting-edge medical and technology consulting firm that specializes in improving your practice's efficiency and cutting costs through outsourcing practice management, medical billing and technology services, with the use of CCHIT Certified EMR software, network monitoring technologies and highly trained specialists.
3. Speakers
Joe Dylewski
Joe is a twenty-five year Information Technology veteran, with ten years spent exclusively in the Healthcare Industry. In addition to holding positions as an Infrastructure Project Manager and Healthcare IT Infrastructure Specialist responsible for Local Area Network, Wide Area Network, and Telephony Services, Joseph has also served as a Healthcare IT Services Practices Director and Account Manager. During that time, he led, and his teams executed, successful high-impact/large-dollar projects for Electronic Medical Record and HIPAA Compliance implementations across multiple Healthcare Providers and Payers in Michigan. He leveraged that experience to develop a cost-effective, time-efficient, and repeatable model to assist in the assessment and remediation of HIPAA compliance for Covered Entities and Business Associates of all sizes.
Joseph earned his Bachelor of Business Administration in Information Technology and his Master's Degree in Mathematics from Eastern Michigan University. He also holds the following certifications: Certified HIPAA Professional, HIPAA Certified Security Specialist, and Information Technology Infrastructure Library Foundation.
Joe is an Assistant Professor at Madonna University, is frequently invited as a subject matter expert in speaking engagements, and is viewed as a national thought leader in Physician Practice and Business Associate HIPAA compliance.
Jill Jordan
Jill is a National Resource for Cyber Risk & Professional Liability for Arthur J. Gallagher Risk Management Services, Inc., with focus on the Midwest Region. Jill manages and produces a diverse book of Professional Liability accounts consisting of Technology Errors & Omissions, Cyber Risk, and Media Liability.
Jill has over 11 years' experience as an insurance broker and has been with the Cyber Risk Group of Arthur J. Gallagher for the last five and a half years. Jill began her career with Arthur J. Gallagher in the Houston, TX office, working on property and casualty middle market and risk management accounts with a focus on the Energy Industry.
Jill earned her BA in general studies from Louisiana State University. She is also a member of the Professional Liability Underwriters Society (PLUS).
4. Environment
HIPAA 101
• HIPAA – Health Insurance Portability and
Accountability Act of 1996
• Insurance Portability
• Fraud Prevention
• Administrative Simplification
• Privacy of Protected Health Information (PHI)
• Security of Protected Health Information
5. HIPAA – Title II
HIPAA
  Title II: Administrative Simplification
    Electronic Data Interchange (Transaction and Code Sets)
    Security Rule
      Administrative Safeguards
      Physical Safeguards
      Technical Safeguards
    Privacy Rule
6. Security Rule
The HIPAA Security Rule focuses on the
• Confidentiality
• Integrity
• Availability
...of Protected Health Information
8. The HITECH Act
HITECH - The Health Information Technology for
Economic Recovery and Reinvestment Act of 2009
Began in 2004 with Bush Administration vision for
Electronic Health Records by 2014
Signed into law February 17, 2009 as a portion of ARRA
Appropriated $44,000 to $63,000 to be provided as
individual reimbursement to physicians who adopt and
"meaningfully use" Electronic Medical Records
• The disbursement schedule for ARRA funds began in
2011 and is staggered across five years
9. HIPAA Enforcement
HIPAA Now Has Teeth
Fines and Enforcement
• Maximum fines raised from $25K to $1.5M
• Enforced by the Office of Civil Rights
• Currently building HIPAA audit candidate target list
• Fines collected fund and support the enforcement process
• Funds appropriated within HITECH to develop enforcement
efforts within the State Attorney General's Office
• Practitioners face maximum OCR fines of $50,000 for falsely
attesting to M.U. Measure #15
• Ignorance no longer tolerated
10. Compliance Effort vs. Risk
Penalty tiers, listed in order of increasing degree of HIPAA compliance effort and decreasing degree of HIPAA compliance risk:
• "Due to Willful Neglect if the violation is not corrected"
• "Due to Willful Neglect if the violation is corrected"
• "Due to Reasonable Cause and not Willful Neglect"
• "By exercising reasonable diligence would not have known"
11. OCR Audits and Current Activity
HIPAA Audits
• Audit Protocol
• Audit Identification and Rollout
• Audit Triggers:
  Self-reported
  Breach
  Patient Complaint
  Random Audit
12. Cyber Security Trends
2012 (as of 9/25/12)
  310 Publicized Breaches Reported Annually
  9,235,228 Records Exposed
  Breaches by Industry:
    Financial/Banking: 3.2% of Breaches, 2.3% of Records
    Educational: 14.8% of Breaches, 19.1% of Records
    Govt./Military: 11% of Breaches, 20.4% of Records
    Medical/Healthcare: 34.2% of Breaches, 20.5% of Records
    All Other Business: 36.8% of Breaches, 37.7% of Records
2011
  414 Publicized Breaches Reported Annually
  22,945,773 Records Exposed
  Breaches by Industry:
    Financial/Banking: 7.0% of Breaches, 2.7% of Records
    Educational: 14.3% of Breaches, 3.6% of Records
    Govt./Military: 11.4% of Breaches, 43.7% of Records
    Medical/Healthcare: 16.3% of Breaches, 20.5% of Records
    All Other Business: 46.9% of Breaches, 33.7% of Records
2010
  662 Publicized Breaches Reported Annually
  16,167,542 Records Exposed
  Breaches by Industry:
    Financial/Banking: 8.2% of Breaches, 30% of Records
    Educational: 9.8% of Breaches, 9.9% of Records
    Govt./Military: 15.7% of Breaches, 7.5% of Records
    Medical/Healthcare: 24.2% of Breaches, 11.6% of Records
    All Other Business: 42% of Breaches, 41% of Records
2009
  498 Publicized Breaches Reported Annually
  222,477,043 Records Exposed
  Breaches by Industry:
    Financial/Banking: 11.4% of Breaches, 0% of Records
    Educational: 15.7% of Breaches, 0.4% of Records
    Govt./Military: 18.1% of Breaches, 35.7% of Records
    Medical/Healthcare: 13.7% of Breaches, 5.1% of Records
    All Other Business: 41.2% of Breaches, 58.9% of Records
2008
  656 Publicized Breaches Reported Annually
  35,691,255 Records Exposed
  Breaches by Industry:
    Financial/Banking: 11.9% of Breaches, 52.5% of Records
    Educational: 20% of Breaches, 2.3% of Records
    Govt./Military: 16.8% of Breaches, 8.3% of Records
    Medical/Healthcare: 14.8% of Breaches, 20.5% of Records
    All Other Business: 36.6% of Breaches, 16.5% of Records
2007
  448 Publicized Breaches Reported Annually
  127,000,000 Records Exposed (94 Million from TJX incident)
  Breaches by Industry:
    Financial/Banking: 7% of Breaches, 6.9% of Records
    Educational: 24.9% of Breaches, 1% of Records
    Govt./Military: 24.7% of Breaches, 6.4% of Records
    Medical/Healthcare: 14.5% of Breaches, 3.1% of Records
    All Other Business: 28.9% of Breaches, 82.6% of Records
13. Causes of a Breach
• System Failure: 24%
• Negligence: 39%
• Malicious or Criminal Acts: 37%
14. Major Risk Concerns
Human Error
Hackers
Rogue Employees
Independent Contractors
Social Media
Mobile Devices
A Changing Regulatory Environment
Cloud Computing
15. Response Cost Per Record
$15 for Notification
$13 for Discovery / Forensics / Legal Expenses
$35 for Credit Monitoring and ID Theft Services
16. Estimated Total Cost of a Breach
$194 per record - estimated average cost of a
security/privacy breach (includes response costs,
defense and damages)
$5.5M total cost per breach
15% of total cost - average cost to defend a claim
Source: 2011 Annual Study: U.S. Cost of a Data Breach, by the Ponemon Institute, LLC; sponsored by Symantec
17. Cyber Liability – Coverage Descriptions
Security & Privacy Liability
Covers the defense costs and damages arising from the failure to prevent:
Unauthorized access to the Insured's computer system and use of data by an outsider (hacker).
Unauthorized access and/or use of confidential information by an employee.
Theft or loss of data (electronic or paper).
Transmission of malicious code.
Privacy Regulatory Action
Covers:
Investigative costs for civil demand or proceeding, arising from a security breach, brought by or on
behalf of a governmental agency, including requests for information related thereto.
Fines & penalties where insurable by law.
Breach Response
Covers the expenses incurred within one year of a security breach for:
Investigation, including computer forensics, to determine cause of security breach.
Hiring a crisis management and/or public relations firm.
Notifying potential victims of the breach as required by state law.
Credit monitoring for potential victims.
Identity Theft services, including identity restoration.
18. Coverage Descriptions Cont.
Media Liability
Covers the defense costs and damages arising from an error or omission in the creation or
distribution of content for:
Personal Injury – including defamation, slander, invasion of privacy and emotional distress.
Intellectual Property Infringement - including copyright, domain name, title, slogan,
trademark and trade name (excludes patent infringement).
Cyber Extortion
Covers the investigation expenses and payments made to a party threatening to attack the
Insured’s computer system or to release, use or destroy confidential information.
Network Interruption
Covers the expenses for lost income from an interruption to the Insured’s computer system
as a result of a security breach.
Data Recovery/Restoration
Covers the expenses incurred to:
Restore, recreate or recollect electronic data damaged or lost by a security breach.
19. So What Can You Do?
Prevention
Having a proper risk assessment done
Following through with assessment recommendations
Being adamant about precautionary measures
Preparation
Having a Cyber policy put into effect
Having the right limits and coverage in place
Having a plan of action ready to go