Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?

© 2015 Epstein Becker & Green, P.C. | All Rights Reserved. ebglaw.com Enterprise Risk Management and Cybersecurity: Is Your Health Plan Ready? October 15, 2015

Transcript of Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?

Page 1: Enterprise Risk Management & Cybersecurity: Is Your Health Plan Ready?


Enterprise Risk Management and Cybersecurity: Is Your Health Plan Ready?

October 15, 2015

Page 2

Agenda


1. Board and Fiduciary Responsibilities in Enterprise Risk Management -- Example: Strategic Partnerships and Alliances

2. Establishing Enterprise Risk Management Priorities

3. Cyber Security: Privacy and Security Breaches (High Likelihood—High Significance)

4. Preparing Your Health Plan to Stay Ahead

Page 3

Board Involvement

Not For Profit Boards

• AMCP Foundation

• Maryland/Israel Development Center

• National Hospice Foundation

For Profit Boards

• Epstein Becker & Green, P.C.

• Trustmark Mutual Holding Company

• MammoPlan, Inc.

Answering the Call: Understanding the Duties, Risks, and Rewards of Corporate Governance (4th ed., 2012)


Page 4

Board and Fiduciary Responsibilities in Enterprise Risk Management

Page 5

Board Obligations Generally Regarding Compliance

Duty of Care/Duty of Loyalty

Board obligation to act in “good faith” and loyally to the Corporation’s interest

In re Caremark International, 698 A.2d 959 (Del. Ch. 1996)

“[The Court is] of the view that a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director [personally] liable for losses caused by noncompliance with applicable legal standards. . . .

Obviously the level of detail that is appropriate for such an information system is a question of business judgment.”


Page 6

Board Obligations Generally Regarding Compliance

Business Judgment Rule (“BJR”)

Presumption that Board members fulfill their fiduciary duties when they act on an informed basis and in good faith that a certain action is in the corporation's best interest

In re Walt Disney, 906 A.2d 27 (Del. 2006)

• Issue of potentially unreasonable executive compensation

• Directors had not breached their fiduciary duties of good faith and loyalty, even though the court stated that the board’s actions may have been below best corporate practices


Page 7

Calls for Improved Risk Oversight

Increased government enforcement and new or more frequent cybersecurity threats have triggered calls for improved risk oversight

• Boards of Directors are calling for greater engagement in risk oversight

• Management is responding even though there are significant competing priorities

Page 8

Enterprise Risk Management Structure

Management Committee?

• Identify risks

• Identify risk management opportunities

Chief Risk Officer?

The potential intersection of similarities between Compliance and Enterprise Risk Management

Board fiduciary oversight of both


Page 9

Example: Management’s ERM Process Regarding Strategic Partnerships and Alliances


Definition of a strategic partner/alliance

• Company enters into a relationship with a third party to provide a unique service or technology that is critical to the company’s strategy, operations, and success

• Generally a longer term relationship

• Longer, more strategic, and greater impact than a normal vendor contract

• Example: IT vendors

All health plans have a strategic partner or alliance

Page 10

Potential Risks Regarding Strategic Partnerships and Alliances


Partnering for critical services leaves the Company with less control

• Potential impact on sales, operations, client satisfaction, profitability, and compliance

Failure of partner to perform as expected would negatively impact consultants/brokers/employers/employees/government relationships

Company would likely be responsible for partner’s activities regarding privacy and information security

Potential changes can occur at the partner

• Change in ownership or senior management

• Shift in strategy, products, or customer base

• Reputational issues

• Financial issues

Page 11

How Can a Company Mitigate the Probability or Impact of the Risks Associated with Strategic Partnerships and Alliances?

Upfront Risk Mitigation Steps

• Conduct a thorough initial due diligence of the operational capabilities and financial conditions of the partner

• Understand the strategy of the partner to make sure there is a good strategic and cultural fit for both partners and that they share a common goal

• Draft a strong contract that provides protection regarding governance, performance expectations and standards, changes of ownership, dispute resolution, exclusivity, potential indemnification, and other key issues

Ongoing Risk Mitigation Steps

• Conduct regular reviews to ensure compliance and financial stability of partner

• Consider frequent on-site visits

• Build and maintain strong, mutually beneficial relationships

Page 12

Establishing Enterprise Risk Management Priorities

Page 13

Establishing Enterprise Risk Priorities: Heat Map


[Heat map figure: horizontal axis Likelihood (considering controls and inherent risks), Low to High; vertical axis Significance (financial, strategic, reputational, etc.), Low to High]

Page 14

5 Best Practices for an Effective Enterprise Risk Management Process

1. Establish a comprehensive ERM policy

2. Understand and assess risk as it relates to the Company’s immediate and longer term objectives, and consider risk management efforts

• Encourage open discussion of “what keeps people awake at night”

• Incorporate ERM into the strategic planning process

• Use risk indicators that are leading indicators

--Adapted from the American Institute of CPAs (AICPA), “Top 10 ‘Next’ Practices for Enterprise Risk Management,” http://www.academia.edu/8716339/Top_Ten_Next_Practices_for_Enterprise_Risk_Management_2010_AICPA_Survey_Results_Table_of_Contents_Top_Ten_Next_Practices_for_Enterprise_Risk_Management


Page 15

5 Best Practices for an Effective Enterprise Risk Management Process

3. Use ERM outcome to guide the behavior and thought process of decision-makers

• Communicate regularly, thoroughly, top to bottom, bottom to top, and across the organization

4. Establish the right monitoring processes to make sure risk mitigation activities operate as designed

• Regularly track and monitor the risks facing the organization both internally and externally

5. Ensure that the Board of Directors and senior management support the ERM policy


Page 16

Cybersecurity: Privacy and Security Breaches (High Likelihood—High Significance)

Page 17

Greater Connectivity, Higher Risk

Greater interconnection and interdependency among health care entities expand vulnerabilities, which affects any entity connected with the health plan (vendors, suppliers, partners, customers)

Lack of board room or senior management expertise often creates challenges when overseeing cyber security risks and risk management efforts


Page 18

HIPAA Privacy Rule & Security Rule

HIPAA Privacy Rule (45 C.F.R. Parts 160 and 164)

• Protects privacy of individually identifiable health info through national standards

• Permits disclosure of health info needed for patient care

HIPAA Security Rule (45 C.F.R. § 164.300 et seq.)

• Sets national standards for security of ePHI that is created, received, used, or maintained by covered entity

• Operationalizes protections contained in Privacy Rule by addressing technical and non-technical safeguards covered entity must put in place to secure ePHI

• Requires the covered entity to protect against “reasonably anticipated” threats and disclosures


Page 19

The Reality

“There are only two types of companies: those that have been hacked and those that will be.”

--Former FBI Director Robert Mueller


Page 20

Who will be next?


Over the last few months

• Over $450 million stolen credit and debit card numbers

Over the past year

• Over $575 million spent by corporations after data breaches

• Over $1 Trillion estimated in IP theft

--- http://www.naic.org/documents/committees_ex_financial_stability_tf_related_cybersecurity_insurance.pdf

• Hackers claiming allegiance to ISIS took control of U.S. military’s Central Command social media account on January 12, 2015

Page 21

Interconnection & Integration


[Diagram: Health Plans at the center of an interconnected network of Insurance, Patients, Physicians, Integrated Delivery, Home Health, Medical Devices, and Labs]

Page 22

Heat Map: Cybersecurity Risks


[Heat map figure: horizontal axis Likelihood (considering controls and inherent risks), Low to High; vertical axis Significance (financial, strategic, reputational, etc.), Low to High]

Page 23

Recent Government Health Plan Security Breach

OPM Data Breach (U.S. officials reveal breach to public on June 4, 2015)

• Office of Personnel Management (OPM)

o Sets policies on government-wide hiring (manages USAJOBS site)

o Conducts background investigations on potential government employees

o Administers health and insurance benefits for current Federal employees and families

o Manages pension benefits for retired Federal workers and families

o Manages training and development programs for Federal employees and retirees

• Data theft from OPM computer systems compromised sensitive personnel information, including SSN and fingerprints, of 21.5 million people from inside and outside the Federal government

o This number does not include the database storing completed forms for security clearances (SF86 questionnaires)

Approximately 50% of OPM enrollees are in Blue Cross Health plans


Page 24

Recent Health Plan Security Breaches: Anthem, Inc.

Key Facts

Reported to HHS Office for Civil Rights on February 4, 2015

• Discovered breach on January 29, 2015 (attack occurred April 2014)

Sophisticated hackers gained unauthorized access to Anthem’s IT system and obtained the personal information and PHI of 80 million current and former customers and employees

• Names, dates of birth, SSN, health care ID numbers, home address, e-mail address, employment information, income data

Anthem providing complimentary identity protection service to all impacted individuals for 2 years

• Dedicated website: https://www.anthemfacts.com

Page 25

Recent Health Plan Security Breaches: Premera Blue Cross

Key Facts

Reported to HHS Office for Civil Rights on March 17, 2015

• Discovered breach on January 29, 2015 (attack occurred on May 5, 2014)

Data breach of financial and medical records of as many as 11 million customers

• Affected Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and affiliate brands Vivacity and Connexion Insurance Solutions

• May have affected Blue Cross Blue Shield customers in Washington and Alaska

Premera providing complimentary identity protection service to all impacted individuals for 2 years

• Dedicated website: http://www.premeraupdate.com

Page 26

Recent Health Plan Security Breaches: Excellus Blue Cross Blue Shield

Key Facts

Reported to HHS Office for Civil Rights on August 5, 2015

• Discovered breach in August 2015 (attacks occurred on December 23, 2013)

Cyber hackers already disclosed information affecting 722 individuals; this disclosure occurred via e-mail. The breach could affect 7 million members, patients, and other individuals who have done business with Excellus BCBS plans

Excellus BCBS providing complimentary identity theft services and credit monitoring to all impacted individuals for 2 years

• http://www.excellusfacts.com/index.html

Page 27

Recent Health Plan Privacy & Security Enforcement Examples: Cancer Care Group, P.C.

HHS-OCR press release: September 2, 2015

• Cancer Care reported breach to HHS-OCR on August 29, 2012

Backup media in stolen laptop bag contained unencrypted ePHI of 55,000 individuals

Enforcement requirements

• $750,000 HIPAA settlement

• 3 year Corrective Action Plan

o Comprehensive and thorough risk assessment and risk management plan for HHS review

o Annual report of “Reportable events” (e.g. workforce member fails to comply with privacy and security policy)

o Potential additional civil monetary penalties

Page 28

Recent Health Plan Privacy & Security Enforcement Examples: QCA Health Plan, Inc. (QCA)

HHS-OCR Press Release: April 22, 2014

• QCA reported to HHS-OCR in February 2012

Unencrypted laptop computer stolen from workforce member’s car

Enforcement requirements

• $250,000 HIPAA settlement

• 2 year Corrective Action Plan

o Comprehensive and thorough risk assessment and risk management plan for HHS review

o Security awareness and training

o Annual report of “Reportable events” (e.g. workforce member fails to comply with privacy and security policy)

Page 29

Recent Health Plan Privacy & Security Enforcement Examples: Parkview Health System, Inc.

HHS-OCR Press Release: June 23, 2014

Employees, with notice that retiring physician was not home, left 71 cardboard boxes of medical records belonging to 5,000-8,000 patients on retiring physician’s home driveway (within 20 feet of public road and heavily trafficked public shopping area)

• Physician self-reported to HHS-OCR in June 2009

Enforcement requirements

• $800,000 HIPAA settlement

• 3 year Corrective Action Plan

o Comprehensive and thorough risk assessment and risk management plan for HHS review

o Annual report of “Reportable events”

o Staff training

Page 30

Who will be next?

The average U.S. company is the victim of two SUCCESSFUL cyber attacks every week

--- InformationWeek, Cybercrime Costs Skyrocket (Oct. 8, 2013), http://www.informationweek.com/traffic-management/cybercrime-costs-skyrocket/d/d-id/1111861?

Page 31

Preparing Your Health Plan to Stay Ahead

Page 32

Health Plans and Other Health Care Organizations

Adopt a comprehensive ERM policy at the management and board level

Educate the board, management, and employees frequently

Consider adopting the 5 Best Practices for ERM

Consider Cyber Security as one high risk that deserves resources for risk management mitigation efforts

Consider reviewing Strategic Partnerships and Alliances as one high risk that deserves resources for risk management mitigation efforts

Page 33

Battling Cybersecurity in the Board Room: Ensuring Cyber Awareness on the Board Agenda

Provide time to build the Board’s Cybersecurity and IT Literacy, as well as ERM

• Consider having a committee or subcommittee for large IT projects in particular

Provide regular reports to Board on Cyber Risk

• Determine risk and risk thresholds to be reported

• Evaluate risk management efforts

Page 34

Battling Cybersecurity in the Board Room: Management Responsibilities

Formulate cyber threat detection and response plans

Consider the role of Strategic Partners and Alliances in cyber security risk management

Create strategies that would confront the company’s worst possible scenarios and protect its highest value targets

• From the perspective of the organization and external actors

SEC Disclosure Considerations, if any, or Bond Debt Considerations

• Standard of materiality

HHS OIG Compliance Considerations

Page 35

Prepare before a Security Breach Occurs

Proper Policies and Procedures

• Discover and manage a potential or actual breach

• Training program in place to ensure cybersecurity protocols known and understood by workforce

Regular Fire Drills

Strong firewalls and other software to identify and contain viruses, worms, etc.

Page 36

Prepare before a Security Breach Occurs

Understanding the 3 Different Roles

• Chief Security Officer

• Chief Privacy Officer

• Chief Compliance Officer

Do Not Overly Rely on Internal Experts


Page 37

Prepare before a Security Breach Occurs

Appropriate Self-Monitoring

• Regular internal audits

• Compliance Auditing and Monitoring

Establish Procedure for Reporting Intrusions to Government Authorities

• Mandatory disclosure may be triggered to Company stakeholders and the public

Public Relations Firm and Dedicated Breach Website on Standby

• Ready to activate for addressing press, customer, and end-user concerns


Page 38

Insurance Policies—Are They Worth it?

Recent court decisions in Wisconsin and New York hold that compromise of personal information stemming from cybersecurity breaches is not covered under traditional liability insurance policies

Cyber security liability insurance is one way to provide coverage in the event of a data or privacy breach

• Does not remove obligation to develop breach preparation strategies and protocols

• No insurance for criminal misconduct or other actions against public policy

Insurance policy packages can include (1) liability; (2) breach response costs; and (3) fines/penalties. Examples include notifying consumers of breach; forensic services; credit-monitoring services; public relations; legal assistance (with or without choice)

Specific Insurance Gaps (See Appendix)

• Cyber exclusions in D&O liability insurance

• War and terrorism exclusions in cyber insurance

• Coverage of physical loss resulting from cyber attacks


Page 39

Insurance Policies—Are They Worth it?

Before purchasing cyber security insurance products, consider:

Understand what steps are needed under relevant insurance policies (notification timing; who selects attorneys and third party service providers to investigate and remediate the breach)

Negotiate to include the Company’s preferred vendors before placing the insurance policy

Ensure the insurance carrier’s coverage is sufficient, both in terms of amount and in terms of types of claims

Ask whether the carrier offers an insurance discount if the Company has performed a risk assessment

Implement retention processes so all needed documentation to support a claim or insurance loss is preserved

Page 40

EBG Capabilities

EBG’s Privacy and Security Law Group routinely:

• Conducts privacy and risk assessments, including the identification of appropriate corrective measures;

• Develops policies and procedures; and

• Provides client training on data security issues.

EBG regularly advises health care companies on:

• Preserving digital evidence;

• Conducting a forensic analysis of implicated data;

• Determining the source of the breach and preventing future loss;

• Analyzing the relevant notification requirements;

• Preparing notifications through trusted notification agencies;

• Negotiating with government agencies and local law enforcement; and

• Defending against private litigation and government investigations.


Page 41

EBG Capabilities

EBG’s Privacy and Security Law Group includes:

• Attorneys who are industry-recognized privacy and security professionals.

o The only law firm that is a HITRUST Common Security Framework (“CSF”) Assessor; several of our attorneys are also individually designated by HITRUST as Certified CSF Practitioners.

o One attorney who twice won the internationally recognized Capture the Flag event at the Defcon Hacking Conference

o The Data Breach/Cybersecurity Litigation Group includes a number of EBG’s most seasoned litigators.

Privacy and Security Team leads:

Robert Hudock, Tel: 202-861-1893, Email: [email protected]

Patricia Wagner, Tel: 202-861-4182, Email: [email protected]

Page 42

Appendix: Role Regulators and Trade Associations Play in Relation to Cybersecurity

National Association of Insurance Commissioners (NAIC)

• Consumer Cybersecurity Bill of Rights (http://www.naic.org/documents/committees_ex_cybersecurity_tf_exposure_draft_cybersecurity_bill.pdf)

• NAIC Cybersecurity Task Force (http://www.naic.org/committees_ex_cybersecurity_tf.htm)

OCR Guidance Document

• Guidance on Risk Analysis Requirements under the HIPAA Security Rule (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf)

FDA Guidance Documents Concerning Cybersecurity and Medical Devices

• Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication (http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm356423.htm)

• Guidance for Industry—Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software (http://www.fda.gov/RegulatoryInformation/guidances/ucm077812.htm)

Page 43

Additional Resources

Data Breach Notification Laws: A Fifty State Survey, Second Edition – American Health Lawyers Association

Major Cyber Breaches Reveal Potential Cyber Insurance Coverage Gaps

• Joseph T. Verdesca, Paul A. Ferrillo, and Gabriel Gershowitz (http://www.weil.com/~/media/files/pdfs/cyber_security_alert2_jan2015_v31.pdf)

Page 44

Appendix: Cybersecurity: Boardroom Implications (2014)

Page 45

Appendix: 10 Questions Directors Can Ask Management in Anticipation of Breaches

1. How will we know we have been hacked or breached, what makes us certain or how will we find out?

2. What are best practices for cyber security and where do our practices differ?

3. In management’s opinion, what is the biggest weakness in our IT systems? If we wanted to deal the most damage to the company, how would we go about it?

4. Does our external auditor indicate we have deficiencies in IT? If so, where?

5. Where do management and our IT team disagree on cyber security?

6. Were we told of cyber attacks that already occurred and how severe they were? For significant breaches, is the communication adequate as information is obtained regarding the nature and type of breach, the data impacted, and potential implications to the company and the response plan?

7. What part of our IT infrastructure can contribute to a significant deficiency or material weakness?

8. What do we consider our most valuable assets; how does our IT system interact with those assets; do we think there is adequate protection in place if someone wanted to get them or damage them; what would it take to feel comfortable that they are protected? Do we believe we can ever fully protect those assets? How should we monitor the status of their protection?

9. Are we investing enough so our corporate operating and network systems are not easy targets for a determined hacker?

10. Where can we generate more revenue and marginal profitability by making changes in IT?

--National Association of Corporate Directors (NACD), Cybersecurity: Boardroom Implications (2014)

Page 46

Appendix: 10 Questions Directors Can Ask Management Once a Breach is Found

1. How did we learn about the breach? Were we notified by an outside agency or was the breach found internally?

2. What do we believe was stolen?

3. What has been affected by the breach?

4. Have any of our operations been compromised?

5. Is our crisis response plan in action, and is it working as planned?

6. Whom do we have to notify about this breach (materiality), whom should we notify, and is our legal team prepared for such notifications?

7. What steps is the response team taking to ensure that the breach is under control and the hacker no longer has access to the internal network?

8. Do we believe the hacker was an internal or external actor?

9. What were the weaknesses in our system that allowed it to occur (and why)?

10. What steps can we take to make sure this type of breach does not happen again, and what efforts can we make to mitigate any losses caused by the breach?

--National Association of Corporate Directors (NACD), Cybersecurity: Boardroom Implications (2014)