© 2009 GARFUNKEL, WILD & TRAVIS, P.C.

Before, During and After a Security Incident: How to Prepare and Respond

September 17, 2009

David A. Mebane, Esq.
Saint Barnabas Health Care System
Senior Vice President for Legal Affairs
(973) 322-4042
[email protected]

Andrew E. Blustein, Esq.
Garfunkel, Wild & Travis, P.C.
Partner/Director
(516) 393-2218
(201) 883-1030
[email protected]


AGENDA

In today’s presentation we will review the following:

• Background: What is the Goal of the Thief?
• Legal Landscape
• Before: Preparing for a Security Incident
• During: Responding to a Security Incident
• After: Documenting Actions and Preventing Future Incidents


What is the Goal of the Thief?


What is the Goal of the Thief?

• Identity theft (e.g., taking someone’s personal information to access his or her financial accounts).

• Medical identity theft (e.g., assuming another person’s identity in order to receive medical care or submit false claims).

• Obtaining access to an individual’s personal information for curiosity or financial gain (e.g., selling a famous person’s medical records).


Identity Theft is on the Rise

• In 2005, identity theft resulted in corporate and consumer losses of $56 billion.1

• In 2005, medical identity theft accounted for 3 percent of identity theft crimes, or 249,000 of the estimated 8.3 million people who had their identities stolen.1

• Various non-profit agencies have reported that, since 2006, identity theft continues to be a serious concern for health care providers.

• August 17, 2009 – three New Jersey men were indicted in the largest identity theft case ever prosecuted with over 130 million credit and debit card numbers stolen.

1. World Privacy Forum, Medical Identity Theft: The Information Crime that Can Kill You. Spring 2006.


Legal Landscape to Combat the Rise in Identity Theft


Legal Landscape Federal Trade Commission

• The Federal Trade Commission (“FTC”) requires creditors (which has been interpreted as including hospitals and other providers who defer payment for services) to implement “Identity Theft Prevention Programs.” Such Programs must include policies and procedures to detect, prevent and mitigate identity theft.

• The FTC has announced that enforcement of these rules will begin November 1, 2009.


Legal Landscape HIPAA

• HIPAA requires Covered Entities to implement technical, administrative and physical safeguards to protect patient information.


Legal Landscape HIPAA

• HIPAA requires covered entities to mitigate the harmful effects of unauthorized disclosures.

• The challenge in addressing mitigation is to identify what is reasonably required and/or necessary to protect the patients.


Legal Landscape HITECH Act

• Under the new HITECH Act and breach regulations (effective September 23, 2009), Covered Entities will be required to notify patients of breaches that (1) involve unsecured protected health information and (2) pose a significant risk of financial, reputational, or other harm to the individual.

• In addition, Covered Entities must inform the Department of Health and Human Services (“DHHS”) of breaches either in an annual report or, if such breaches involve more than 500 people, immediately in writing.

Note: Breaches involving more than 500 people will be posted on the DHHS website.


Legal Landscape HITECH Act

Timeframe for Notification

• A covered entity must send the notification without unreasonable delay and in no case later than 60 calendar days after the breach is discovered by the covered entity.

• A breach is considered to be discovered when the incident becomes known (or should have become known with reasonable diligence), not when the covered entity or business associate concludes the investigation.


Legal Landscape HITECH Act

Practice Tip

The “clock starts to tick” on the covered entity’s reporting obligation as soon as the breach is (or should have been) discovered. Therefore, covered entities should ensure their workforce members and other agents are adequately trained and aware of the importance of timely reporting and the consequences of failing to do so.


Legal Landscape HITECH Act

Determining Whether There is a Reporting Obligation

• HHS envisions that the following steps will be taken to determine if a breach has occurred:

1. Determine whether there has been an impermissible use or disclosure of unsecured PHI under the Privacy Rule.

2. Determine and document whether there is a significant risk of financial, reputational or other harm to the individual.

3. Consider whether the breach falls under one of the limited exceptions (e.g., an unintentional use of PHI by an employee of a covered entity, if the use was in good faith, within the course and scope of employment and does not result in further use or disclosure).


Legal Landscape HITECH Act

What is Unsecured PHI?

• Unsecured PHI is PHI that is not secured through the use of a technology or methodology, specified by DHHS, that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals.

• Examples of technology to secure information include data encryption and shredding of paper records.

• Guidance regarding the steps that must be taken to “secure” PHI can be found at: http://www.hhs.gov/ocr/privacy.


Legal Landscape HITECH Act

Determining Harm

• When performing the risk assessment to determine if there has been a significant harm from the breach, covered entities need to consider a number of factors including the following:

– Who impermissibly used the PHI?
– To whom was the PHI impermissibly disclosed?
– What type and amount of PHI was disclosed?


Legal Landscape HITECH Act

Content of Notice

• The notice to the affected patients must include at least the following:

– A brief description of what happened (e.g., date of the breach, date of the discovery of the breach).
– A description of the types of unsecured PHI that were involved in the breach.
– Any steps individuals should take to protect themselves from potential harm resulting from the breach.
– A brief description of what the covered entity involved is doing to investigate the breach, to mitigate the harm and to protect against any further breaches.
– Contact procedures for individuals to ask questions or learn additional information (i.e., toll-free telephone number, e-mail address, web site or postal address).


Legal Landscape HITECH Act

Substitute Notice

• If there is insufficient contact information for some of the affected individuals, or some notifications are returned undeliverable, the covered entity must provide substitute notice for the unreachable individuals (e.g., if greater than 10 individuals, conspicuous notice on the covered entity’s website or conspicuous notice in major print or broadcast media, and a toll-free phone number, active for 90 days).


Legal Landscape State Laws

• Many State laws require health care entities to (1) protect the confidentiality of patient information; and (2) notify affected individuals and law enforcement if there is unauthorized access to an individual’s social security number, driver’s license number and/or credit card number and password.

• These State laws vary and need to be closely analyzed in order to understand the reporting obligation.

• Unless the State law directly conflicts with the HITECH breach reporting obligations, the elements of both the State law and the HITECH Act apply.


Steps to Take Before a Security Breach Occurs


Steps to Take Before a Security Breach Occurs

• Establish appropriate technical safeguards to protect patient information.

– Require encryption for laptops and other portable devices.
– Establish remote access roles specific to applications and business requirements.
– Prohibit the installation of unsecured “homemade” software on laptops.


Steps to Take Before a Security Breach Occurs

Technical Safeguards (cont.)

– Establish system firewalls.
– Appropriately and thoroughly destroy patient information once it is no longer needed.
– Install, use and regularly update virus protection software.

For additional information on technical safeguards for portable devices, see CMS Guidance located at: http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal.pdf.


Steps to Take Before a Security Breach Occurs

• Establish policies regarding the protection of patient information transmitted from remote locations.

• Discuss with vendors the responsibility for responding to security incidents including time frames for key vendors to report such incidents and steps to be taken if a security incident occurs.

• Perform routine audits of employee access to PHI and let employees know that such audits will occur.


Steps to Take Before a Security Breach Occurs

• Establish a security incident response program.

– Assign an individual to be responsible for organizing responses to security incidents (e.g., the security officer) (the “Team Leader”).
– Appoint a core team to conduct the investigation (e.g., representatives from IT, human resources, risk management, legal and security departments).


Steps to Take Before a Security Breach Occurs

Establish a security incident response program (cont.)

• Prepare written policies that address the process for internal reporting:

– What needs to be reported internally (e.g., all stolen laptops, complaints regarding unauthorized access).
– To whom reports regarding potential breaches need to be made.
– Timeframes for reporting (e.g., immediately).


Steps to Take Before a Security Breach Occurs

Establish a security incident response program (cont.)

• Require the investigative team to prepare a mini report for management with an internal analysis and short-term recommendations.

• Educate and re-educate staff regarding the procedures for reporting security breaches, and as part of such education, publicize “scenarios” that actually occur.


How to Respond to a Security Breach


How to Respond to Security Breaches

• Include in-house counsel in the response process.

• Consider including outside counsel in order to:

– Provide insight into the legal implications of unauthorized disclosures.
– Offer attorney-client confidentiality protections to the investigation, when state law permits.
– Allow for a neutral analysis of the event.

Practice Tip: Establish a policy in advance for when outside counsel should be called (e.g., large disclosures, potential criminal acts).


How to Respond to Security Breaches

• Initiate an investigation immediately.

– Empower the Team Leader to be the point person for the investigation and include in the investigation process relevant technical and administrative staff as well as staff directly involved in the incident.
– Immediately consider whether reports need to be made to authorities.
– Consider:
  – What information was potentially disclosed?
  – What technical safeguards were in place?
  – How many people were affected?
  – How could the information be used adversely against such individuals?


How to Respond to Security Breaches

• Determine whether notification of patients is required:

– In order to comply with applicable state law.
– In order to comply with the HITECH Act (e.g., breaches involving unsecured protected health information).
– In order to “mitigate” any harmful effects of the security incident.


How to Respond to Security Breaches

• Consider whether additional steps, beyond notification, need to be taken to mitigate the harmful effects of the security incident, for example:

– Do the affected individuals need to be offered credit monitoring?
– Do additional audits need to be performed on other employees?
– Do any employees need to be immediately terminated or suspended?
– Do any technical safeguards need to be installed?


Documenting Actions and Preventing Future Incidents


Preventing Future Incidents

• Incorporate lessons learned into existing procedures (e.g., were internal reporting and investigation fast and efficient?).

• Determine whether any sanctions need to be taken against staff.

• Determine whether vendors need to be terminated.

• Consider whether additional technical safeguards need to be implemented (e.g., encryption).

• Include the breach on the annual log reported to HHS.


Preventing Future Incidents

• Modify policies, as necessary.
• Re-educate staff regarding lessons learned.
• Look for repeating patterns (e.g., one patient area that has multiple incidents).
• Include the unauthorized disclosure on the accounting of disclosures.
• Include any sanctions on the HIPAA sanctions log.
• Ensure that investigation notes and reports were appropriately detailed and that they are maintained.


Questions