Assessing Patient Data Breach Risk
Presented by
NetDiligence and Nelson Levine deLuca and Horst (NLDH)
for
Premier Insurance Management Services
November 15, 2011
Assessing Patient Data Breach Risk
Mark Greisiger, NetDiligence®
John Mullen, Sr., Nelson Levine de Luca & Horst
Mark Greisiger
Mark Greisiger leads NetDiligence®, a Cyber Risk Management company. For the past decade NetDiligence has been offering unique cybersecurity e-risk assessment services to organizations of all sectors. Its services support the data risk management & compliance needs of many businesses. NetDiligence supports the loss control needs of many US and UK insurers that offer network liability coverage (aka 'privacy insurance'). Mr. Greisiger is also a frequently published contributor to various insurance & risk management publications on similar topics.
John F. Mullen, Sr.
John F. Mullen Sr. is the Chair of the Complex Litigation Practice Group
at Nelson Levine de Luca & Horst. Mr. Mullen concentrates his practice on
matters involving construction, network and data security risk, products
liability, toxic torts, malpractice and employment litigation. He has
significant experience in complex e-discovery and insurance litigation.
Mr. Mullen has handled a variety of matters in the banking, mold,
pharmaceuticals, aviation, heavy equipment, packaging, non-profit, and
trusts and estates fields. Among his construction cases are two separate
Tropicana garage collapses in New Jersey and the Central Parking garage
collapse in Philadelphia. Mr. Mullen has experience in mass tort
litigation/asbestos impact on corporate restructuring. He has been
involved as counsel to insurance companies regarding pre-packaged and
standard Chapter 11 filings.
Mr. Mullen is a board member of the World Affairs Council of Philadelphia.
He holds a B.S. from Pennsylvania State University (1987) and a J.D.
from Arizona State University, College of Law (1991).
Network Security / Data Risk
Data creates duties.
To protect,
preserve and
defend.
What data do you collect, and why?
Where is it? How well is it protected?
Who can access it?
When do you purge it? How do you purge it?
Technical Considerations: Mark Greisiger
11/18/2011 6
Why the concern?
Malicious Threats Still Prevalent:
• Stealth hackers, malware, extortionists; rogue contractors; disgruntled IT staffer
Non-Malicious (more often):
• Employee mistakes (lost laptop)
• Marketing mishap: innocent customer data leaks
• Application glitch
Network Operation & Sharing Trends:
• Points of failure are multiplied due to trends of
outsourcing computing needs
• Massive dependencies & data-sharing between
business partners
Where is YOUR data?
A data breach: it’s not a matter of ‘if’ but ‘when’
Are the Risks Real? Some Anecdotal Evidence
Verizon Security Consultants…Forensics Study
Some key findings
70% resulted from external bad actors (hackers, malware)
48% were caused by insiders, and a large part of this (90%) was deliberate
61% of data breach discovered by 3rd parties, NOT by the company itself
96% of incidents were avoidable with simple controls
Main attack pathway – web applications (54%)
Ponemon Institute
85% of businesses incurred a data breach in the past year (up from 60% in the 2008 study)
Avg cost $7.2 Mil (cost of helping victims = $1.7 Mil)
NetDiligence® 2011 Cyber Insurance Loss Claims Survey
Avg data breach insurance claim (paid) $2.4 Mil
Crisis service avg cost, $800k
Top perils … that we see
Hacking (SQL injection)
Laptop loss w/client data (very common)
Backup tape loss (not my fault…it was the shipper)
Staff Mistakes: Data Leaks via email, mailings or
paper disposal
DDoS Attacks (BI or Extortion)
Biz Partner Mishaps & Breach
Source: https://tms.symantec.com
Current Events …sample incidents
Sample of Health sector events (from HHS)
- University of Pittsburgh Student Health Center
- Mount Sinai Medical Center
- Montefiore Medical Center
- North Carolina Baptist Hospital
- University of New Mexico Health Sciences Center
- Providence Hospital
- John Muir Physician Network
- Griffin Hospital
- PMC Medicare Choice
- MMM Health Care Inc.
- Lee Memorial Health System
- The Methodist Hospital
- Lucille Packard Children's Hospital
- Cardiology Consultants/Baptist Health Care Corporation
- Brown University
- Blue Island Radiology Consultants
- Kaiser Permanente Medical Care Program
- University of California, San Francisco
- Children's Medical Center of Dallas
- University Medical Center of Southern Nevada
- Blue Cross Blue Shield Association
Why the problem?
The Internet's open network
Most businesses often collect/store/share customer private data, and:
• More data often collected than needed (my video store, or little league)
• Data often stored for too long (no records retention limits)
"95% of all network intrusions could be avoided by keeping systems up-to-date" (CERT)
Your websites are very porous & need constant care (hardening & patching). 4 out of 5 fail our initial scan test
IDS (detection) is very weak: no matter the sector/size, many orgs learn of a breach too late or not at all!
Bad guys still rely on the prevalence of human error:
• unchanged default settings
• missing patches
• wide open laptop
• customer records (paper) improperly disposed
• guessable access
Common Weak Spots
PROBLEM 1) IDS or 'Intrusion Detection Software' (bad guy alert system)
Studies show that 70% of actual breach events are NOT detected by the victim company, but by 3rd parties (and many more go undetected completely).
FTC and plaintiff lawyers often cite 'failure to detect'
Vast data: a company's IDS can log millions of events against its network each month
False positives: events that appear to be harmful, but are actually harmless. IDS can alert with more than 70% false positives.
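One practical way to cut the false-positive rate the slide complains about is to enrich each alert with what the organization already knows about the target host: a signature for a Windows-only exploit fired against a Linux server is noise, not a breach. The following is an added example written for this page, not NetDiligence's tooling; the log format, the asset inventory, the signature metadata and the IP addresses are all constructed for illustration.

```python
"""Context-aware triage of IDS alerts (constructed example).

An IDS matches signatures in traffic but cannot know whether the target
is actually affected. Joining each alert against the asset inventory lets
a defender set aside alerts aimed at platforms the signature does not
apply to, and flag alerts it cannot judge for want of context.
"""
import re
from collections import Counter

# Hypothetical asset inventory: target IP -> operating system family.
ASSETS = {
    "10.0.0.5": "windows",
    "10.0.0.7": "linux",
    "10.0.0.9": "linux",
}

# Hypothetical signature metadata: signature id -> platforms it can affect.
SIGNATURES = {
    "SIG-1001": {"name": "SMB remote exploit attempt", "affects": {"windows"}},
    "SIG-2002": {"name": "SQL injection in HTTP query", "affects": {"windows", "linux"}},
    "SIG-3003": {"name": "IIS path traversal", "affects": {"windows"}},
}

# Constructed IDS log lines in a simple "timestamp signature src -> dst" format.
SAMPLE_ALERTS = """\
2011-11-01T10:00:01 SIG-1001 198.51.100.8 -> 10.0.0.7
2011-11-01T10:00:02 SIG-1001 198.51.100.8 -> 10.0.0.5
2011-11-01T10:00:03 SIG-2002 203.0.113.4 -> 10.0.0.9
2011-11-01T10:00:04 SIG-3003 203.0.113.4 -> 10.0.0.9
2011-11-01T10:00:05 SIG-9999 203.0.113.4 -> 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sig>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(alert, assets=ASSETS, signatures=SIGNATURES):
    """Return (verdict, reason) for one parsed alert.

    verdict is one of:
      'investigate'    the signature applies to the target platform
      'likely_fp'      the target platform is not affected by the signature
      'needs_context'  unknown host or unknown signature, so no decision
    """
    sig = signatures.get(alert["sig"])
    platform = assets.get(alert["dst"])
    if sig is None:
        return "needs_context", "unknown signature %s" % alert["sig"]
    if platform is None:
        return "needs_context", "host %s not in inventory" % alert["dst"]
    if platform in sig["affects"]:
        return "investigate", "%s targets a %s host" % (sig["name"], platform)
    return "likely_fp", "%s cannot affect a %s host" % (sig["name"], platform)


def triage_log(text):
    """Triage every line of an alert log; returns a list of (alert, verdict, reason)."""
    results = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # skip blank or malformed lines instead of crashing
        verdict, reason = triage(alert)
        results.append((alert, verdict, reason))
    return results


def summarize(results):
    """Count verdicts so the analyst sees how many alerts still need chasing."""
    return dict(Counter(v for _, v, _ in results))


if __name__ == "__main__":
    res = triage_log(SAMPLE_ALERTS)
    for alert, verdict, reason in res:
        print(alert["ts"], alert["sig"], alert["dst"], verdict, "-", reason)
    print(summarize(res))
```

Run on the five sample lines, two alerts are set aside as likely false positives, two remain to investigate and one (unknown signature) is parked for more context; in a real deployment the inventory and signature metadata would come from the CMDB and the IDS ruleset rather than literals.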
PROBLEM 2) Patch Mgmt - Challenges:
All systems need constant care (patching) to keep bad guys out.
Complexity of networking environments: Network professionals are
responsible for a wide variety of hardware, operating systems and
applications.
Lack of time: Gartner Group estimates that “IT Managers spend an average of
2 hours per day managing patches.”
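The "lack of time" point is easier to act on when the patch backlog is expressed as a per-host list of what is missing and how far past the organization's own deadline it is. The following is an added example for this page, not a NetDiligence or Gartner tool; the severity deadlines, patches, hosts and dates are all made up, and the reporting date is fixed at the deck's date so the arithmetic is reproducible.

```python
"""Patch-compliance report (constructed example).

Given a hypothetical list of released patches (with severity) and the
patch level of each host, work out which patches each host is missing
and whether they are past the deadline the organisation set per severity.
"""
from datetime import date

# Assumed policy: days allowed from patch release to installation, per severity.
SLA_DAYS = {"critical": 7, "high": 30, "moderate": 90}

# Constructed patch feed.
PATCHES = [
    {"id": "P-001", "product": "webserver", "severity": "critical", "released": date(2011, 10, 1)},
    {"id": "P-002", "product": "webserver", "severity": "moderate", "released": date(2011, 10, 20)},
    {"id": "P-003", "product": "database", "severity": "high", "released": date(2011, 10, 25)},
]

# Constructed host inventory: what each host runs and which patches it has.
HOSTS = [
    {"name": "web1", "products": {"webserver"}, "installed": {"P-001"}},
    {"name": "web2", "products": {"webserver"}, "installed": set()},
    {"name": "db1", "products": {"database"}, "installed": set()},
]

# Reporting date fixed for the example (the date of this presentation).
AS_OF = date(2011, 11, 15)


def missing_patches(host, patches, today):
    """List (patch_id, severity, days_overdue) for patches the host needs but lacks.

    days_overdue is 0 when the patch is missing but still inside its SLA window.
    """
    out = []
    for p in patches:
        if p["product"] not in host["products"] or p["id"] in host["installed"]:
            continue
        age = (today - p["released"]).days
        overdue = max(0, age - SLA_DAYS[p["severity"]])
        out.append((p["id"], p["severity"], overdue))
    return out


def compliance_report(hosts, patches, today):
    """Map host name -> list of missing patches; an empty list means compliant."""
    return {h["name"]: missing_patches(h, patches, today) for h in hosts}


def noncompliant_hosts(report):
    """Names of hosts with at least one patch past its SLA deadline."""
    return sorted(n for n, items in report.items() if any(d > 0 for _, _, d in items))


if __name__ == "__main__":
    rep = compliance_report(HOSTS, PATCHES, AS_OF)
    for name, items in rep.items():
        print(name, items or "compliant")
    print("past SLA:", noncompliant_hosts(rep))
```

With these inputs only web2 is past its deadline (a critical patch 38 days overdue); web1 and db1 are missing patches but still inside their windows, which is the distinction a manager needs when the day only has two hours for patching.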
Common Weak Spots
PROBLEM 3) Encryption (of private data)
Problem spans all sizes & sectors.
ITRC (Identity Theft Resource Center): only 2.4% of all breaches had 'encryption'
Issues: budgets, complexities and partner systems
Key soft spots: data 'at rest' for databases & laptops (lesser extent)
Benefits: safe harbor (usually)
PROBLEM 4) missing Data Loss Prevention (DLP) solutions
Purpose: protect & prevent mistakes (data leakage) or malicious incidents
involving theft or access to private customer data
How: identify & restrict certain NPI data…via email monitoring/filter, or
comprehensive monitor of certain data-in-motion & data-at-rest
DLP system should:
• monitor all data paths…. corporate email, webmail, blog, instant messenger,
P2P application, internal web or FTP server etc.
• discover, block & alert
• offer virtually zero false positives.
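The "virtually zero false positives" requirement is the hard part of DLP: a filter that blocks every 16-digit number will stop order numbers and invoice IDs along with card numbers. The following is an added example written for this page, not the product of any DLP vendor; it scans an outbound message body for NPI the way an email/webmail filter would, and validates each hit (Luhn check for card numbers, issuance ranges for SSNs) before it counts. The message samples and keyword list are constructed for illustration.

```python
"""Outbound-content DLP check (constructed example).

Returns a decision ('block', 'alert' or 'allow') plus the findings that
justify it. Two validations keep the false-positive rate down: card
numbers must pass the Luhn checksum, and SSNs must not fall in ranges
the SSA never issues (area 000, 666 or 900-999; group 00; serial 0000).
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed keyword list; a real deployment would tune this per organisation.
KEYWORDS = ("diagnosis", "patient id", "medical record")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject SSN-shaped strings the SSA never issues, so random numbers are not flagged."""
    a = int(area)
    return a != 0 and a != 666 and a < 900 and int(group) != 0 and int(serial) != 0


def find_npi(text):
    """Return a list of (kind, matched_text) findings in the message body."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", m.group(0)))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(("keyword", kw))
    return findings


def decide(text):
    """DLP verdict: 'block' on validated identifiers, 'alert' on keywords only, else 'allow'."""
    findings = find_npi(text)
    kinds = {k for k, _ in findings}
    if kinds & {"ssn", "pan"}:
        return "block", findings
    if "keyword" in kinds:
        return "alert", findings
    return "allow", findings


if __name__ == "__main__":
    # Constructed sample messages.
    for body in (
        "Patient SSN 123-45-6789 attached.",
        "Order 1234567890123456 shipped, ref 000-12-3456",
        "Card 4111 1111 1111 1111 on file",
        "Please review the diagnosis notes.",
    ):
        print(decide(body))
```

The second sample shows the point of the validation step: it contains a 16-digit order number and an SSN-shaped reference, yet neither passes its check, so the message is allowed rather than quarantined and nobody has to clear a false alarm.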
Strategies for Risk Managers
Plan for the loss
CFO must understand that data / network security is NEVER 100%... It's really not if but when.
4 Legs of Traditional Risk Mgmt:
• Eliminate: e.g. patch known exploits, encrypt laptops etc
• Mitigate: e.g. dedicated security staff; policies; IDS/ IPS; etc
• Accept: e.g. partner SLAs, capabilities (trusting their assurances)
• Cede: residual risk via privacy risk insurance
Wide-Angle Assess Safeguard Controls Surrounding:
People: they seem to 'get it'... proper security budget and vigilant about their job!
Processes/ Policies: enterprise ISO27002, HITECH ready; employee
education/ training; change management processes, breach response
plan etc.
Technology: proven IDS/IPS capabilities, DLP solutions, hardened &
patched servers (tested), full encryption of PII.
Example Process
Remote Cyber Risk Assessment (common to the insurance industry)
Key concept: vigilance & layered safeguards
Step 1 – Self-assessment: completed mostly by the client's IT security rep, this strives to gauge their industry security & privacy practices against a known standard (ISO 27002). Other 'privacy' & media liability practices may be included here.
Step 2 – Phone interview: purpose is to flush out any 'red flag' areas identified... gather more details or clarify a 'compensating control'.
Step 3 – Document review: verify key security policies, e.g. enterprise security, privacy, BC/DR and 3rd party vendor assurances. We also seek to peer review any recent security audit materials such as a PCI RoC.
Step 4 – Network perimeter vulnerability scan test: check for SQL injection exposure in web apps
Step 5 – Summary report: these 4 tasks might then be pulled into a composite report which strives to measure the client's good faith practices against ISO adherence. Important here to mention strengths (good things found) along with weak spots and suggestions...
Assessment Summary
Purpose: Showcase Risk Mgmt
Strengths
Reaffirm & document due care and a
prudent information security program
Good faith effort towards compliance with
Regs
Lessons learned from past loss/ incidents
(are they now battle ready?)
Cyber Risk insurability assessment
Process should be collaborative
Educate Risk Mgr or CFO about their own
IT operations
Wide-Angle: people/process & tech
Peer Review prior audits and then fill in
the gaps.
Are you at risk? Ask your team:
Has your organization ever experienced a data breach or system attack event?
Some studies show 80-100% of execs admitted to a recent breach incident
Does your organization collect, store or transact any personal, or financial or health data?
Do you outsource any part of computer network operations to a third-party service provider?
Your security is only as good as their practices and you are still responsible to
your customers
Do you use outside contractors to manage your data or network in any way?
The contractor (or BA, business associate) is often the responsible party for data breach events
Do you partner with businesses and does this alliance involve the sharing or handling of their
data (or your data) or do your systems connect/touch their systems?
You may be liable for a future breach of their network and/or business partners
often require cyber risk insurance as part of their requirements
Does your posted Privacy Policy actually align with your internal data management practices?
If not you may be facing a deceptive trade practice allegation
Has your organization had a recent cyber risk assessment of security/ privacy practices to
ensure that they are reasonable and prudent and measure up with your peers?
Doing nothing is a plaintiff lawyer's dream. It is vital for the Risk Mgr to know if your practices are reasonable, in line with peers and the many regulations
Legal Considerations: John Mullen
Litigation Trends
Single Plaintiff
• Identity theft
• Privacy
Class Action
• Failure to protect data
• Failure to properly notify
• Failure to mitigate
• NO DAMAGES . . . YET
Government Action
• Attorney General (Health Net)
• FTC (Choice Point)
Banks
• Cost of replacing credit cards
• Reimbursement of fraudulent charges
• Business interruption
Case Study…
Health Net Settles Breach Suit (1)
July 7, 2010
Data breach of over 446,000 CT residents.
Health Net will pay CT $250,000 in statutory damages and
implement a corrective action plan.
If misuse of the data is established, Health Net will pay CT an
additional $500,000.
Suit initiated by Connecticut AG, Richard Blumenthal in January
2010.
Charged that Health Net did not have grounds to delay notification
Also asserted 12 violations of the HIPAA privacy and security rules
Health Net incurred costs of over $7 Mil to forensically
investigate, provide notification and credit monitoring
1. Health Net Settles Breach Suit HDM Breaking News, July 7, 2010.
Law School 101
Lawsuit Basics:
Duty + Breach + Causation + Damages
Defenses Eroding
Stollenwerk v. Tri West
Krottner v. Starbucks Corp. – increased risk of identity theft
constitutes an injury-in-fact
ITERA (Identity Theft Enforcement and Restitution Act) – pay
an amount equal to the value of the time reasonably spent
In re Hannaford Bros. Data Security Breach Litigation - does
time equal money
ChoicePoint Data Breach Settlement - FTC paid for “time
they may have spent monitoring their credit or taking other
steps in response”
Class Action Demands
Legal liability? Minor damages for large groups equals a significant potential loss.
  $200 per year ($100 time; $100 monitoring / repair / insurance)
  x 10,000 (claimants)
  = $2,000,000 (per year)
  x 20 years (FTC)
  = $40,000,000
Costs
Litigation
– Breach guidance
– Investigation
– Notification
– e-discovery
– Litigation prep
– Contractual review
– Defense (MDL?)
Plaintiff Demands
– Fraud reimbursement
– Credit card replacement
– Credit monitoring/ repair/ insurance
– Civil fines/ penalties
– Time
Tomorrow's Class Action
Multiple Jurisdictions (MDL)
Plaintiffs' attorneys will find a representative plaintiff with actual identity theft (4.8% of U.S. population will have ID theft regardless (1))
Krottner decision – future harm
Raise time as measure of damages (ITERA, FTC, Hannaford)
FTC recognition of 20 years of damages (2)
1 Better Business Bureau and Javelin Research report that for 2009, 11.1 million
consumers (4.8 percent of the U.S. population) were victims of identity theft
2 Choice Point Settlement includes 20 years of system auditing
Regulatory Exposures
State level breach notice: 46 states (plus Puerto Rico,
Wash. D.C., Virgin Islands) require notice to customers
after unauthorized access to PII/PHI.
Require firms that conduct business in
state to notify resident consumers of
security breaches of unencrypted
computerized personal information
Many require notification of state
attorney general, state consumer
protection agencies, and credit
monitoring agencies
Some states allow private right of
action for violations
Data-at-rest (disc level) encryption
often a safe harbor
Awareness – Drivers: State Breach Notice Laws
Year   # Records Lost / Stolen   # of Incidents Reported   States with Notification Laws
2010   14,152,146                513                       46*
2009   218,662,415               250                       46
2008   49,543,137                320                       44
2007   128,739,297               317                       39
2006   47,693,718                393                       30
2005   52,820,110                135                       11
2004   31,895,900                21                        1
Source: www.privacyrights.org
State Notice Laws
46 states with notice reg in place.
Approx 2/3 have a 'harm threshold' analysis (reasonable risk of harm to victims)
Forensics & 'Breach Coach' (privacy lawyer) are VITAL to helping in the crisis stage... avoid giving notice to the world if you never triggered a reg
Source: BI Magazine & Jon Neiditz, Esq., published in Mark Greisiger authored whitepaper
Evolving Exposures
CONNECTICUT: Insurance Department Bulletin IC-25
– all licensees and registrants of the Department notify the
Department [Commissioner] of any information security
incident which affects any Connecticut residents as soon
as the incident is identified, but no later than five (5)
calendar days after the incident
MASSACHUSETTS 201 CMR 17: Protection of Personal Info.
– All businesses that store Mass. residents' personal information must develop a "written information security program" (WISP)
NEVADA
– Mandates that data collectors doing business in Nevada
comply with Payment Card Industry Data Security Standards
(PCI DSS)
CALIFORNIA
– Augments federal HIPAA provisions
– Breach requires notice to California Department of Health
and affected individuals within 5 days
– State can fine institution up to $250,000 per violation
– Allows private right of action
Regulatory Exposures
FACTA 'Red Flags' Program
• Mandates “creditors” create Identity Theft Prevention Program.
must include reasonable policies and procedures for detecting,
preventing, and mitigating identity theft
• Enforcement began December 31, 2010
HITECH Act
• Extends HIPAA to “business associates” of HIPAA
covered entities
• First national breach notification requirement (breaches of >500 records reported to HHS; <500 reported at year end)
• Permits state Attorneys General to enforce HIPAA
• ACO (accountable care organization ) could make things more risky
for healthcare sector clients with emerging e-record exchanges
Compliance Regulations
Compliance & Notice Regulations
HITECH Act - Enforcement
• Extends HIPAA to “business associates” of covered entities.
Eg. claims processing or administration, data analysis, processing or
administration, utilization review, quality assurance, billing, benefit
management
• Permits State Attorneys General to bring civil actions in federal court.
First AG suit filed against Health Net Connecticut in January 2010 alleging
failure to properly encrypt portable data (violating HIPAA) and failure to
timely provide notice (suit settled: $250K fine, 2 years credit monitoring,
additional $500K fine if person suffers ID theft as result of breach)
• Civil monetary penalties range from $100 - $50K per violation and
$25K - $1.5 Mil within a calendar year
• Provides for mandatory audits by the Sec. of HHS to ensure data
security policies and procedures are compliant, and implemented
Regulator/Compliance Costs
Breach Costs
– Forensics vendor
– Notification vendor
– Call centers
– PR vendor
– ID theft insurance
– Credit monitoring
– ID restoration
– Attorney oversight
Planning and Data Management
– Breach planning (Mass.)
– ID Theft monitoring (Red Flags)
– PCI DSS (Nevada and merchants)
– HIPAA
What can be done
Proactive Risk Manager Steps
Empowered Senior Executive
Talk to your IT Security folks. Gain an appreciation of the many
challenges
Not many companies can say: how many records they have; what type of data is being collected, stored, shared, protected; where all this data resides; when it is purged?
Assess & Test your own staff and operations
Document your due care measures
Insurance
Red Flags, data security and breach response plans - affirmative
duties
Easier said than done…
Thank You!
Mark Greisiger, NetDiligence®
mark.greisiger@netdiligence.com
If you would like to start receiving NetDiligence's monthly Cyber Risk News Alerts, you
can email Mark or subscribe online at www.netdiligence.com/newsletter.php
John F. Mullen, Esq., Nelson Levine deLuca & Horst
jmullen@nldhlaw.com
For more information on the cyber liability insurance program for Premier alliance
members or any of our other programs available, please contact us at
insurance@premierinc.com or (877) 777-1552.