A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH

Matthew H. Meade
Stephanie Winer-Schreiber
May 19, 2011 | State College, PA

I.   HYPOTHETICAL DATA SECURITY INCIDENT
II.  INVESTIGATION
III. NOTICES TO VICTIMS AND GOVERNMENT
IV.  LAW ENFORCEMENT
V.   SUMMARY AND RECOMMENDATIONS




California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. :: www.buchananingersoll.com
HYPOTHETICAL INCIDENT




• On Monday morning you learn of the theft of a laptop from the oncology department at your hospital.
• The laptop was stolen on Saturday or Sunday. It was not physically secured, nor was the PHI on the laptop encrypted.
• There were two files of unsecured PHI on the laptop: (1) MRI images with the name of the hospital and the patient's name; (2) patient payment information including SSN and healthcare insurance number.




• Preserve Evidence
• Activate Breach Response Plan
• Assemble the Team




• Designating an Incident Response Manager who is responsible for coordinating the response to a Data Breach Incident
• Creating an obligation for employees to report Data Breach Incidents to the Incident Response Manager
• Outlining employee responsibilities in the event of a Data Breach Incident
• Ensuring prompt notice by employees
• Creating a culture of awareness and compliance through training, communication and periodic updates




• WHAT PHI WAS INVOLVED?
• IS THERE A REASONABLE BELIEF THAT THE PHI WAS ACCESSED OR ACQUIRED BY AN UNAUTHORIZED PERSON IN VIOLATION OF THE HIPAA PRIVACY RULE?
• DID THE IMPERMISSIBLE USE OR DISCLOSURE RESULT IN A SIGNIFICANT RISK OF FINANCIAL, REPUTATIONAL OR OTHER HARM TO INDIVIDUALS?
• DO ANY EXCEPTIONS APPLY?



• HOW MANY PATIENTS IMPACTED?
• WHAT IS THE STATE OF RESIDENCE OF THE VICTIMS?
• NOTIFY LAW ENFORCEMENT?




• Based on what we know thus far, is there acquisition, access, use, or disclosure?
• Missing laptop equals unauthorized access
• Specific treatment: oncology leads to a presumption of reputational harm
• SSN and billing information leads to a presumption of financial harm
• BASED ON WHAT WE KNOW, NOTICE IS REQUIRED, BUT KEEP INVESTIGATING



• CONTENT: PLAIN LANGUAGE
• CONTENT: WHAT MUST BE INCLUDED
  • Brief description of what happened
  • Description of the type of information involved
  • Steps the victim should take to protect themselves
  • Description of investigation, efforts to mitigate harm and protect against further breaches
  • Contact procedure




• Breach affects 500 or more individuals: notice to HHS at the same time as victims
• Breach affects fewer than 500 people: submit to HHS within 60 days of the end of the calendar year
• Breach affects 500 or more residents of a single state: media notice is required




• Federal: Secret Service, FBI, DOJ; local
• Establish working relationship
• Be responsive to requests for information
• Make employees available
• Possible safe harbor in the event notice would compromise the investigation




You learn that a billing clerk inadvertently took the laptop home thinking it was his. When he got home to begin work, he looked at the MRIs and billing information and realized he had the wrong computer.

IS NOTICE REQUIRED?




On the way to the hospital the billing clerk stops at his local coffee shop and decides to log on to the laptop to check the weather and the stock market. After he logs on he goes to the counter to get his coffee. When he returns he sees that a friend of his is on the computer and has switched the screen from the Internet to the MRI screens.

IS NOTICE REQUIRED?




The employee finally brings the laptop to the hospital. The IT team conducts a forensic examination of the computer and determines that on Friday someone made a copy of the social security numbers of the patients in the billing file.

IS NOTICE REQUIRED?




Summary and Recommendations




• A methodical and thorough initial investigation is critical
• Implement a comprehensive written information security policy approved by senior management or the board
• Conduct periodic assessments of known and foreseeable risks to sensitive data held by the company
• Outline and implement a security breach response plan and the forensic capability of determining which information assets have been compromised in a breach




• Have tools and processes designed to detect, prevent and respond to attacks and intrusions on company systems
• Inventory, encrypt and password protect remote and off-network devices used in the conduct of company business
• Designate employees who have overall responsibility for information security compliance
• Periodically train and refresh employees in the company's information security policies and their role in prevention
• Develop an organizational culture of awareness and a respect for information security safeguards

Matthew H. Meade
412 562 5271
matthew.meade@bipc.com

Stephanie Winer-Schreiber
412 392 2148
stephanie.schreiber@bipc.com

