13th AMC Security & Privacy Conference · 2017. 6. 12. · Melnik Legal PLLC...
13th AMC Security & Privacy Conference, June 12, 2017

Tatiana Melnik, Melnik Legal PLLC, Tampa, FL, 734-358-4201
Ryan Vlcko, McLaren Health Care Corporation, Flint, MI, 810-342-1174
Outline

I. A Few Words About McLaren
II. Why the Focus on Vendors?
III. Tips and Lessons from the Trenches
   A. The “Right” Process
   B. Risk Mitigation
      - Business Associate Agreements
      - Insurance
   C. The Break Up and Holding Vendors Accountable
A Few Words About McLaren

- Headquartered in Flint, Michigan
- Fully integrated health network:
  - 12 hospitals
  - operates Michigan’s largest network of cancer centers and providers
  - ambulatory surgery centers, imaging centers, home health and hospice providers, retail medical equipment showrooms, and pharmacy services
  - an employed primary care physician network
  - commercial and Medicaid HMOs covering more than 250,000 lives
  - a wholly owned medical malpractice insurance company
Key Operational Statistics (2015)

| Metric | Value |
|---|---|
| Discharges | 102,597 |
| ER Visits | 405,098 |
| Surgeries | 92,052 |
| Births | 6,057 |
| Ambulatory Visits | 3.2 Million |
| Home Care Visits | 175,516 |
| Hospice Days | 79,994 |
| Licensed Beds | 3,096 |
| Community Benefit | $201 Million |
| Employees | 22,000 |
| Days of Inpatient Care | 461,882 |
| Contracted Providers | 40,317 |
| Annual Payroll | $1.2 Billion |
| Net Revenue | $3.5 Billion |
Healthcare = Vendors

(Figure; image credit: © Continua Health Alliance, http://continuaalliance.org)
Vendors Create Risks

- Processed and analyzed over 100 terabytes of traffic daily
- 49,917 unique malicious events
- 723 unique malicious source IP addresses
Vendors Create Risks

Breaches Disclosed to OCR: Top 10 Based on Patient Impact

| Entity Name | Type | No. Patients Impacted | Date Reported | Cause |
|---|---|---|---|---|
| Anthem, Inc. | Health Plan | 78,800,000 | 03/13/2015 | Hacking/IT Incident |
| Premera Blue Cross | Health Plan | 11,000,000 | 03/17/2015 | Hacking/IT Incident |
| Excellus Health Plan, Inc. | Health Plan | 10,000,000 | 09/09/2015 | Hacking/IT Incident |
| Science Applications International Corp. | Business Associate | 4,900,000 | 11/04/2011 | Loss |
| Univ. Cal. - LA | Provider | 4,500,000 | 07/17/2015 | Hacking/IT Incident |
| Community Health Systems | Business Associate | 4,500,000 | 08/20/2014 | Theft – Network Server |
| Advocate Health and Hospitals Corp. | Provider | 4,029,530 | 08/23/2013 | Theft – Network Server |
| Medical Informatics Engineering | Business Associate | 3,900,000 | 07/23/2015 | Hacking/IT Incident |
| Banner Health | Provider | 3,620,000 | 08/03/2016 | Hacking/IT Incident |
| Newkirk Products, Inc. | Business Associate | 3,466,120 | 08/09/2016 | Hacking/IT Incident |
Vendors Create Risks

(Figure. Source: Ponemon Institute, 2016 Cost of a Data Breach Study (US only data))
The “Right” Process

- Is there a “right” process for vendor management?
- The “right” process is….
  - The one that mitigates the most risk for the company?
  - The one that closes transactions fastest so that we can go back to treating patients?
  - The one you can get your team to follow?
- Are these all the same goals? Mutually exclusive?
The “Right” Process

Not Defined
- No process defined
- Ad hoc and inconsistent

Defined & Established
- Consistent but unstructured approach
- Documented and detailed, but not measured or enforced

Continuous Improvement
- Ongoing monitoring, measuring, and process improvements
- Best practices and benchmarking
The “Right” Process

- What is McLaren’s process?
- How does McLaren determine what contracts get reviewed?
  - “Importance” of the vendor?
  - Value of the transaction?
  - Risk to the organization?
  - Term of commitment?
  - Are these all the same goals? Mutually exclusive?
The “Right” Process

- Successful vendor management is a Team Sport
  - Business Lead
  - Purchasing
  - Security Officer
  - Compliance
  - Legal
  - Risk Management
- But, who is the Coach?
Vendor Risk Mitigation

- Vendor Due Diligence
  - Vendor security questionnaire
  - Audit – self-certify or “disinterested” third party vendor?
  - Certificate of insurance
  - How much is an indemnification provision from a judgment proof company worth?
  - General online search or search on Shodan?
  - Check OCR wall of shame
- Can due diligence be done on every vendor?
Vendor Contracting

- Business Associate Agreements vs. Master Services Agreements – what do they say about:
  - Reporting
  - Data breach insurance
  - Using off-shore vendors?
  - Damages caps?
  - Data use
Vendor Contracting

- Secondary Uses of Data
  - Data is the new commodity
  - Many vendors want the rights to share data outside the specific contract relationship to provide “additional services” . . . to whom?
  - Permissible under HIPAA? Maybe… some say yes, some say no, some say it depends on who is doing the de-identification…
  - Specific analysis required
  - How does this impact:
    - Indemnification?
    - Damages caps that are set at “the fees received during the 12 months prior to when the claim arose”?
Vendor Contracting

- Business Associate Agreements
  - Scope of authorization to use data
  - Who determines when there is a “breach”? Is there a requirement to notify in the event of a “security incident”?
  - Timeline must be considered, particularly if the organization is operating in multiple states or serves a patient population pool that crosses state lines
  - Who determines when notice is required and who sends that notice? Watch your insurance policy on this one…
  - Is the vendor required to encrypt data?
  - Who pays for responses to a subpoena?
  - Caps on liability? Should there be?
Vendor Contracting

- Indemnification
  - Mutual or not?
  - Consider – should a customer be indemnifying the vendor for “Vendor’s negligence”?
  - “acts, omissions, or negligence” vs. “gross negligence” vs. “willful misconduct”
  - Property damage/personal injury
  - Property rights infringement claims (patent, trademark, copyright, etc.)
  - Data breaches, security incidents, and loss of data
Vendor Contracting

- Confidentiality Clause
  - If the hospital is not permitted to disclose “the terms of this Agreement”, what happens if it has to file for a Certificate of Need? If there is an accreditation audit?
  - What happens post-termination? Can a hospital really “destroy all Confidential Information”?
- Rep and Warranty for Security
  - “. . . develop, implement, and maintain commercially reasonable physical, technical and administrative safeguards”
  - “. . . has security protocols that meet or exceed compliance with any required laws, regulations, and the SOC 1 and SOC 2 Type II standards, which will be audited on an annual basis by a disinterested third-party auditor. Vendor will provide to Customer a copy of such audit report upon written request.”
Insurance

- A data breach is inevitable…
- Data breach insurance = Risk reduction
- But, how do insurance companies try to reduce risks?

They try to cancel your policy ….

Columbia Casualty Co. v. Cottage Health Systems (C.D. California) – Filed May 7, 2015 (first case of its kind)
- Columbia paid $4.125M to settle a class action stemming from a breach (32,500 records disclosed; settlement class of 50,917)
- “The complaint alleges that the breach occurred because Cottage and/or its third-party vendor, INSYNC Computer Solution, Inc. (“INSYNC”), stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who ‘surfed’ the internet.”
- Columbia sought to recoup funds paid
Insurance

- Read the policy…
- Some policies exclude coverage:
  - for damages that arise out of activity that is contrary to your “Privacy Policy” … What does your Privacy Policy say exactly?
  - for agents or vendors where there are no contracts
  - for losses if the data is stored “in the cloud”
  - for work done by “independent contractors”
  - if laptops are not “encrypted” (using a FIPS 140-2 validated encryption algorithm)
- Some policies require notification to the carrier as a condition of coverage….
- How much is an indemnification provision from a judgment proof company worth?
The Break Up

- A few final thoughts learned from when things went wrong…
Disclaimer

This slide presentation is informational only and was prepared to provide a brief overview of vendor management considerations in the healthcare industry. It does not constitute legal or professional advice.
You are encouraged to consult with an attorney if you have specific questions relating to any of the topics covered in this presentation.
Questions

Tatiana Melnik, Attorney, Melnik Legal PLLC, based in Tampa, FL, 734.358.4201
Ryan Vlcko, Staff Attorney, McLaren Health Care Corporation, based in Flint, MI, 810.342.1174