Pillsbury Winthrop Shaw Pittman LLP
Health Care Data Breach Discovery – Strategies for Immediate Response
March 27, 2014

Faculty
- Gerry Hinkley, Partner, Pillsbury Winthrop Shaw Pittman LLP
- Sarah Flanagan, Partner, Pillsbury Winthrop Shaw Pittman LLP
- Lara Forde, Response Team Manager, AllClear ID
- Daren Hutchison, Associate Director, Navigant Consulting
2 | Health Care Data Breach Discovery – Strategies for Immediate Response
Overview
- How to prepare for the inevitable breach
- What to do immediately upon a suspected breach
- How to structure and conduct an investigation and forensic analysis
- Identify best practices for communications planning
- Identify best practices for notification, compliance and remediation
- Approaches to training and discipline
- Preparing for enforcement and litigation
- Managing privacy litigation
Preparing for the Inevitable Breach
- Engage your risk management department and buy cyber insurance: know what your coverage will and won’t do for you
- Employ a centrally managed system designed to detect and prevent the unauthorized use and transmission of data in motion, at rest and at endpoints
- Perform a “rolling” risk assessment with continuous security improvements
- Train and authenticate personnel
- Authorize and limit applications
- Continuously audit security and integrity, internally and externally
Adopt Policies and Procedures
- Processes for discovering breaches
- Procedures and forms for reporting
- Mechanisms for determining:
  - whether unsecured PHI is involved
  - the individuals affected
  - the applicable notification requirements
Adopt Policies and Procedures (Continued)
- Processes for:
  - determining appropriate mitigation
  - developing advice to affected individuals
  - creating and distributing notices
  - determining and creating other forms of communication
  - accounting for notification
  - reporting to the Secretary of HHS
What To Do Immediately after a Breach Is Suspected
- Discovery – when does it occur?
  - When discovered (or should have been discovered) by someone other than the person who committed the breach
  - This starts the clock for notification requirements
What To Do Immediately after a Breach Is Suspected (Continued)
- Upon discovery – kick off the response
  - Internal report – prompt, upstream reporting is critical
  - Involve legal counsel to enable attorney-client privilege
  - Take immediate steps to close the breach
  - Preserve all evidence
  - Responsible official refers to policies and procedures previously adopted to develop initial plan for response
  - Publish and implement plan for response
  - Confirm and implement lines of authority
  - Establish communications plan
  - Notify senior management and breach team
  - Begin planning for notification and mitigation
  - Begin forensic investigation
Investigation
R.E.S.P.O.N.D. acronym:
- R.equest Information: interviews
- E.valuate the Situation: ongoing threat? types of data/information involved
- S.ecure the “Crime Scene” and/or S.top the “Attack”: password changes; maintain affected device, machine and system integrity
- P.reserve Evidence: stop purge of backups; forensics
Investigation (Continued)
- O.rganize the Examination: forensics scope; internal reports
- N.otify Individuals and/or N.ote Findings: data mining and enrichment; forensic reports
- D.etermine Causes: follow-up analyses
Forensic Analysis
- Data involved: devices/machines/networks; email archives; system databases; backups and logs (need to recreate?)
- Log analysis: network traffic; website activity; email message tracking; system auditing; anti-virus reports
- PII/PHI data mining: standardization and conversion of data; patterns and terms searching
Forensic Analysis (Continued)
- Notification lists: enrichment; address inclusion
- Remediation: malware or virus cleansing
- Process and findings: written report; verbal debrief
- Follow-up: incident response gap assessment; system changes, access rights, identifiers (account numbers, passwords); system assessments, security audits, pen testing
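The two forensic-analysis slides above describe PII/PHI data mining (standardizing identifier formats, then searching for patterns and terms) feeding into an enriched notification list. The following script is an added illustration of that workflow and is not part of the presentation or any of the presenters' tooling. The mailbox export lines, the SSN/MRN formats, the PHI term list and the address book are all constructed sample data; in a real engagement the patterns would be tuned to the organization's actual identifier formats and the address data would come from the covered entity's patient master index.

```python
import re
from collections import defaultdict

# Constructed sample: lines from an exported mailbox involved in the incident.
# Every value is made up; the identifier formats vary on purpose so the
# standardization step has something to normalize.
SAMPLE_RECORDS = [
    "2014-03-01 08:12 from=billing@clinic.example to=partner@vendor.example "
    "body='Patient J. Doe SSN 123-45-6789 MRN 00987654 balance due'",
    "2014-03-01 08:13 from=billing@clinic.example to=partner@vendor.example "
    "body='Patient A. Roe ssn: 987654321, mrn 00112233 diagnosis code attached'",
    "2014-03-02 09:00 from=it@clinic.example to=all@clinic.example "
    "body='Server reboot at 22:00, no action required'",
    "2014-03-03 10:30 from=billing@clinic.example to=ext@other.example "
    "body='Resend: SSN 123 45 6789 for MRN 00987654'",
]

# Constructed address book standing in for the patient master index used in
# the "enrichment / address inclusion" step.
ADDRESS_BOOK = {
    "00987654": {"name": "J. Doe", "address": "1 Example St, Anytown, CA"},
    "00112233": {"name": "A. Roe", "address": "2 Sample Ave, Othertown, CA"},
}

# Pattern search: labelled SSNs in dashed, spaced or unbroken form, and
# labelled eight-digit MRNs (assumed format for this example).
SSN_RE = re.compile(r"\bssn\s*:?\s*(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})\b", re.I)
MRN_RE = re.compile(r"\bmrn\s*:?\s*(\d{8})\b", re.I)
# Term search: words whose presence suggests the message carries PHI.
PHI_TERMS = ("patient", "diagnosis", "treatment", "prescription")


def normalize_ssn(match):
    """Standardize every SSN spelling to the canonical NNN-NN-NNNN form."""
    return f"{match.group(1)}-{match.group(2)}-{match.group(3)}"


def scan_record(line):
    """Return the identifiers and PHI terms found in one line, or None."""
    ssns = {normalize_ssn(m) for m in SSN_RE.finditer(line)}
    mrns = set(MRN_RE.findall(line))
    terms = {t for t in PHI_TERMS if t in line.lower()}
    if not (ssns or mrns or terms):
        return None
    return {"ssns": ssns, "mrns": mrns, "terms": terms}


def build_notification_list(records, address_book):
    """Aggregate hits per MRN, count exposures, and attach mailing data.

    Returns (entries, unmatched_ssns): entries is one dict per affected
    record number; unmatched_ssns are SSNs seen without an MRN, which need
    manual resolution before anyone can be notified.
    """
    per_mrn = defaultdict(lambda: {"ssns": set(), "hits": 0, "terms": set()})
    unmatched_ssns = set()
    for line in records:
        hit = scan_record(line)
        if hit is None:
            continue
        if not hit["mrns"]:
            unmatched_ssns |= hit["ssns"]
        for mrn in hit["mrns"]:
            entry = per_mrn[mrn]
            entry["ssns"] |= hit["ssns"]
            entry["hits"] += 1
            entry["terms"] |= hit["terms"]
    entries = []
    for mrn, agg in sorted(per_mrn.items()):
        row = {
            "mrn": mrn,
            "exposures": agg["hits"],          # duplicate sends counted, SSNs deduplicated
            "ssn_exposed": bool(agg["ssns"]),  # drives the choice of protection offered
            "phi_terms": sorted(agg["terms"]),
        }
        row.update(address_book.get(mrn, {"name": None, "address": None}))
        entries.append(row)
    return entries, unmatched_ssns


if __name__ == "__main__":
    rows, pending = build_notification_list(SAMPLE_RECORDS, ADDRESS_BOOK)
    for row in rows:
        print(row)
    print("SSNs without a record number:", pending or "none")
```

The `ssn_exposed` flag carries straight into the later "Offer Appropriate Protections" decision: the deck recommends credit monitoring only when SSNs were lost, so the notification list should record that fact per individual rather than per incident.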
Best Practices: Breach Communications Planning
- Involve the right stakeholders from the beginning
  - Internal: Executives, Board, General Counsel, IT, Customer Service, Marketing
  - External: Attorney, Response Vendors, Law Enforcement, Regulators, Crisis Management firm, Insurer
  - Healthcare-specific contacts/regulators: HHS, OCR, etc.
- Identify a decision maker for the incident; keep all stakeholders informed
- Provide employee guidelines: answering customer questions, posting on social media, speaking with the media
Best Practices: Notification and Compliance
- An experienced breach attorney will help ensure compliance
  - FEDERAL LAW: HIPAA/HITECH notice requirements
  - STATE LAW: forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands
    - Example: California 5 day notification window for breaches containing certain health records
- Consider reaching out to regulators proactively and keeping them informed
  - A courtesy phone call goes a long way
  - Focus on what you are doing to help their citizens
Best Practices: Notification and Remediation
- Don’t require individuals to enroll in order to receive help
- Excellent customer service and remediation rebuilds trust
- Offer the appropriate identity protections for the data lost
Don’t Require Enrollment to Get Help
- Enrollment requirements increase resentment, calls, complaints and usage of expensive protection features
  - Consumers resent being asked to give out their information after you exposed it
  - Drives higher usage of expensive protections like credit monitoring
  - Regulators know that enrollment blocks 90% of consumers from receiving help
Excellent Service and Remediation Rebuilds Trust
- Excellent customer service is the key to rebuilding trust
  - Offer to resolve any harm that results from the breach
  - Provide a call center staffed by identity theft experts
  - Know if your data will be sold: regulators are investigating data brokers
Offer Appropriate Protections
- Choose protections based on the risk linked to the data
  - Avoid credit monitoring unless you lose SSNs
    - Not effective for PHI breaches unless SSNs are involved
    - Most expensive service
Training and Discipline
- Training – lessons learned
  - Directly address problems identified
  - Emphasize pertinent policies and procedures
  - Identify resources to consult
- Consider discipline if there was a violation of policy or procedure
  - Underscores that the institution takes it seriously
  - Tension between discipline and the need for witness testimony
Preparation for Enforcement Actions and Litigation
- Privilege and investigation
  - The time period for notices makes organizing the investigation challenging
  - Counsel should be involved
- Preservation of arguably relevant material and communications
- Points of contact with agencies and media
- Investigation materials
- Relationship with other parties involved in the breach (e.g., vendors)
Privacy-Related Enforcement Actions and Lawsuits on the Rise
- Increase in healthcare privacy breach actions
  - More medical data maintained electronically
  - Data on mobile or home devices
  - Mandatory notice to consumers
- Increase in agency attention and enforcement (AG unit)
- Statutory and nominal damages and strict liability attract class actions
Challenges in Managing Privacy Litigation
- Protected medical information – protective orders
- Ongoing relationships with patient plaintiffs and staff/caregivers involved in the breach
- Class actions
  - Unsettled law
  - Nominal damages – huge exposure
- Impact of settlements on agencies
- Media reporting
Thank You for Participating!
Gerry Hinkley, Partner, Pillsbury Winthrop Shaw Pittman LLP
Phone: 415.983.1135 [email protected]

Sarah Flanagan, Partner, Pillsbury Winthrop Shaw Pittman LLP
Phone: 415.983.1190 [email protected]

Lara Forde, Response Team Manager, AllClear ID
Phone: [email protected]

Daren Hutchison, Associate Director, Navigant Consulting
Phone: 303.383.7322 [email protected]